Tim here. So, with consulting work comes travel. Over the years, I have traveled extensively and stayed in a variety of hotels and suites. Through this experience, I have noticed several issues with hotel (specifically room) security. In this blog, I am going to walk you through some of the consistent issues that I notice in hotel room security, due diligence and awareness.
As many of you probably know, you never want to leave your valuables laying around your hotel room when you aren’t in it. This is one of the reasons hotels provide a safe, a lock on the door and hotel staff. At least one of these should stop a criminal, as well as keep me, my valuables and my room safe, right?
Replacement Room Keys
I cannot tell you how many times I have observed people casually walk up to the front desk and ask for a replacement room key. Depending on how you deliver this request will probably land you a room key without having to say anything but the room number. Just last week, I watched a kid, no older than 10, walk up to the receptionist and say, “Um…excuse me, I need a new key for 305” and that was it. He was given a key and he took off running up the stairs. So, if a child can do it (granted being a kid or using a kid has advantages for thieves), a professional criminal can too.
But hotels ask for an ID, right? No. Not all of them. In fact, most of the time the only “two-factor” authentication that is required is the last name and the room number. Some hotels will ask for your ID, but if you are sharing a room with friends or family, everyone may not be listed on the hotel room registration.
Consider this: You walk up to the desk in a swim suit, water dripping off of you and onto the floor, “Sorry to bother you, but I locked myself out. Can I get a new key for room 123?” This is what a premeditated attack could look like. This also gives an attacker the ability to push for urgency, add some distraction and avoid having to present an ID.
But what if they don’t know the room number? It doesn’t matter. Saying something along the lines of, “Sorry to bother you, I am with the XYZ Corporate event, I got in late last night and forgot my wallet. It has my room key in it. To top it off, I can’t recall my room number.” With this approach all the attacker needs is a last name, which could be easily gleaned off of a corporate event, overheard in the bar area or while checking in. I know this works, because I’ve successfully performed this attack.
Lever Handled Hotel Doors
Due to handicap accessibility requirements and emergencies, hotels are often required to have lever-handles installed on their doors. If you have read any of my previous #WarStoryWednesday blogs, you know why this isn’t the best idea.
For those who aren’t familiar with the fault in this type of handle, there is a tool that is easy to make and can also be purchased online called the Under-the-Door (UtD) tool. This tool has only one use: to bypass electronic locks by utilizing the “open from the inside” function. It goes underneath a door and pulls down the lever from the inside. The ability to unlock the door this way is built into the door in case of emergencies and for convenience, even when the outside handle is locked or has an electronic control (like a badge reader).
This can often be thwarted by avoiding gaps between the floor and door, having a beveled handle without the lip at the end of the handle, or by shoving some rolled up towels into the handle when you leave your room.
But My Room Has a Safe
Hotel room safes are pretty poor in terms of actually being secure. Many times, if the safe is physically exposed, you can hit the top of it to cause the locking mechanism pin to shift and open, and then you’re in. During season 1 of Mr. Robot on the USA Network, you can see the character Darlene use this method on an office safe. You can also access certain safes with simple tools, like wafer picks. Other methods of bypassing a safe may also include resetting the electronic lock via the “reset” hole in the back with something like a wire coat hanger, if accessible.
Hotels often don’t spend a pretty penny on guest room safes, so they can be easily accessed if you have the rights tools. With all the methods available to break into cheaper safes, be careful with what you put into a hotel safe.
Balconies or Backdoors
Fresh air can be amazing, especially when you are staying at a nice hotel overlooking the beach somewhere. It is wonderful to walk into a room with a balcony and a sliding glass door. Unfortunately, people often leave these doors open or forget to lock them back before leaving.
Just because you may be several floors up, doesn’t deter a very determined criminal, especially if they are your neighbors. You don’t always have to be a parkour genius to climb outside from one room to the next. I may or may not have done this in my younger days.
Room Charges for Days
Snack shops, bars, restaurants; they all have the ability to charge to a room. What do you need to charge a meal, beer or pack of M&Ms to a room? You need a room number and possibly a last name. For the snack bar, I have seen people just throw out a room number as they are walking away, and that is it. For a bar or restaurant, you often are required to fill in the room number, the name and a signature. I have seen some of this be nothing but scribble and the waiter or bar tender still takes it.
As I mentioned in the replacement keys section, this is another method to exploit the lax efforts of hotel staff to validate identity before doing anything with the room. Always check your room charges. There are a lot of dishonest folks out there and free food and drinks is often a good motivator to let that dishonesty out.
What You Can Do and What Hotels Can Do
Below are some security tips for your next stay at a hotel, as well as ways for the hotel itself to increase their security:
What You Can Do
- Whenever you are traveling, especially when on vacation, always consider where you leave your personal belongings. Do you need a safe? Is the safe seemingly secure (no easy ways to break in like I explain above). If not, consider taking your belongings with you when you leave the room. Or request for a different room with a more secure safe. If you have a car, consider leaving some items in the trunk. Never leave items in the back of a car where someone is able to physically see your valuables. The less a criminal is able the see, the less likely they will try to break into your car.
- Under-the-door tool exploitability holds a big risk with hotels, especially those that do not have cameras in the hallways. Until hotels learn to go beyond lever handles and/or use door brushes that help fill the gap at the bottom, you can roll up a towel and shove it into the lever handle on the inside.
- Do you really need your room cleaned? If not, consider placing the “Do Not Disturb” sign on your door as soon as you get there. This could also be a deterrent for a would-be criminal, to consider that you may be inside taking a nap. If you’re really paranoid, you may also consider leaving the radio or the television on to give the appearance that you are still in your room.
- Always ask the receptionist if they check for IDs when providing replacement keys. Perhaps this is an odd question, but they need to be held accountable, especially when you’re able to fall back on their answer if something were to happen. You may also want to inform them that you are the only guest in the room during your stay, or let them know who else is staying in the room with you.
- As I said above, always check your room charges! Do not be afraid to dispute a charge, especially when you can point to the cameras overlooking the desk and ask them to check for themselves.
- Keep your doors locked – no matter how nice the ocean breeze may be.
What Hotels Can Do
- Staff must be made aware of security threats and learn that politeness doesn’t mean not validating identification. This not only includes guest and room security, but also looking for suspicious activities.
- Ensure that you have cameras overlooking the service desk and hallways. This will not only help in investigations of theft or a break-in, but also assists in keeping employees and unwelcome guests in check as a potential deterrent.
- As I mentioned above, under-the-door exploitability hold a big risk with hotels, especially those that do not have cameras in the hallways. Invest beyond cheap lever handles and/or use door brushes that help fill the gap at the bottom. If your hotel has to slide the bill beneath the door, consider some compensating controls (like camera coverage and handle replacements).
- Another recommendation would be to temporarily photography guests and have a reference before re-keying.
These simple tips can help secure your valuables when staying in hotel room and give you some piece of mind. As always, be smart and stay alert. Don’t be an easy victim.