Austrian Hotel Hack: Cyber Attacks Can Affect Anyone, Anywhere
Guests at an Austrian four-star luxury hotel recently got more than the lakeside views and plush accommodations they hoped for when a group of hackers took over the hotel’s IT systems and locked guests out of their rooms.
While the story has not yet been confirmed and security researchers are still debating the veracity of the attack, reports indicate that the attackers accessed the IT system at the Romantik Seehotel Jaegerwirt and shut nearly everything down.
Unfortunately, this included the electronic key system, locking many of the 111-year-old hotel’s 180 guests out of their rooms and preventing new keys from being programmed.
The attack coincided with the opening weekend of the winter season, the hotel’s managing director Christoph Brandstaetter told The Local, and was allegedly large enough that it shut down all hotel computers, including the reservation and payment processing systems.
The hackers restored the system after the hotel paid the 1,500 EUR Bitcoin ransom.
But that wasn’t the end of it. According to reports, the hackers left a back door open and tried again to take the system down, but were thwarted by the hotel’s since-updated security architecture.
A New Twist on Extortion
Anyone who’s been to Black Hat will tell you that attacks on hotels aren’t necessarily uncommon, nor is hacking into systems and holding them for ransom--ransomware was one of the fastest growing online threats in 2016. But the attackers in this instance added a new wrinkle: instead of just holding the hotel’s data and systems hostage, hotel guests were impacted, further forcing the hotel’s hand to pay the attackers.
Can You? Should You?
Romantik Seehotel Jaegerwirt learned a hard lesson about security: attackers will take advantage of out-of-date systems and exploit them. The hotel also learned that not everything should be connected to the Internet just because it can be.
“I’ve been saying this for years: when it comes to security, whether it’s cyber or physical, just because you can do something doesn’t mean you should,” said A10 Networks Director of Cyber Operations Dr. Chase Cunningham. “Don’t enable things that aren’t necessary, like key systems, and if you do, lock it down — pun intended.
“Implementing something as simple as two-factor or biometric authentication, or ensuring security systems were up to date and patched, likely could’ve prevented this attack and saved the hotel aggravation and money.”
The incident raises important questions every organization should ask about connected devices and incoming traffic, such as:
- Does this device or system require connection to the Internet?
- If so, can you implement a positive security model allowing only well-known systems that require access?
- If a negative security model is required, do you need to accept traffic from different geo-locations, such as the Ukraine?
- Do your servers really need an IP TTL that allows them to respond to clients anywhere in the world or do they only need to service local requests?
If your answer to these questions is “no,” then you should avoid doing those things.
A10 Networks offers products that empower you to implement comprehensive policy for any traffic that is unsolicited, sourced from different geo locations or sourced from embargoed countries so you can avoid falling victims to such attacks.
For the hotel’s part, they’re reverting back to a simpler time to ensure a hotel-wide lockout can’t happen again.
Brandstaetter told The Local: "We are planning at the next room refurbishment for old-fashioned door locks with real keys. Just like 111 years ago at the time of our great-grandfathers."
It’s a tactic that works for the historic Romantik Seehotel Jaegerwirt, but for many of today’s modern hotels reverting back to old methods is not an option. Instead, they must use better due diligence and ensure their cyber security systems are up to date to avoid becoming a target.