Cyberattack hits Omni Hotels systems, taking out bookings, payments, door locks

Omni Hotels & Resorts' computer systems have been offline since Friday due to what the American luxury hospitality chain called a "disruption." Latest: We now know that a cyberattack forced the Texas-based corporation to take parts of its IT environment down, as we've reported in an update below. What follows is our article as …

  1. Headley_Grange Silver badge

    I came here to write that I can't believe that anyone would think that it's a good idea to have hotel door locks controlled centrally, via the web, with no option for handover to local control, but as I wrote it I realized that that's just the world we live in now. It's going to get worse, as the people responsible for conceiving and speccing things come more and more from the young internet-enabled generation whose doorbells, lights, heating, vacuum cleaners, evening meals and god-knows-what-else have always relied on the internet to work properly. A world where the convenience of not having to stand up to see who's at the door and being able to leave your car keys in your bag to start the car is more important than Amazon and criminals snooping on you and your neighbours and thieves being able to drive away with your £90k car just by waving a sheet of tinfoil around.

    1. Kevin Johnston Silver badge
      Pint

      It distresses me that I must agree with your gloomy predictions; there is not enough beer to drown those sorrows (and they are putting the breweries at risk too!!!)

      1. Headley_Grange Silver badge

        My local takes cash, the beer comes straight out of the barrels on racks behind the bar and I'd be happy to take the landlord's IOUs for change if power to the tills went down and I can drink and find my way to the bog in the dark. I've just checked my wallet and there's at least a week's beer money in there. That's about the extent of my resilience planning, but it'll do to be going on with.

    2. Doctor Syntax Silver badge

      " I can't believe that anyone would think that it's a good idea to have hotel door locks controlled centrally, via the web, with no option for handover to local control"

      I think there's an hotel chain that's just discovered that. But when your business process development consists of believing what the salesman said...

      1. hedgie

        Because people with business degrees, who generally make all of the decisions, might be able to, at best, have and articulate some sort of vision. Mostly, they have confidence, the ability to sell something and order people around to achieve goals, the IQ of a herring and a magpie-like attraction to anything shiny. In their attempt to dominate their industry, if not the world, they have failed to read the Evil Overlord List and take it to heart:

        "One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation."

    3. FILE_ID.DIZ
      FAIL

      In some hotels that I've stayed in, they've integrated the door key system with the reservation system. Seems like a smart play.

      The problem, it seems, is that there was no redundancy, no "what if the internet or reservation system or [insert some other system] fails?" considerations/conversations. What's our backup plan? How do we go manual?

      1. Anonymous Coward

        Door lock systems via programmable Mag Swipe or Smart card device attached to a PC have been standard at hotel receptions for nearly 2 decades.

        There is nothing in the article to correlate it being 'on the web'.

        Card machines not working sounds like a networking issue...

        ...though the continued prevalence of MagSwipe/Sign at the Point of Sale in the US continues to dumbfound me.

        Europe and the Rest of the World threw that out about 20 years ago and modern contactless/Apple Pay enabled PEDs are de facto.

        Hell you don’t even need a PED anymore to accept payment if you have a reasonably modern NFC enabled phone.

    4. Prst. V.Jeltz Silver badge

      "£90k car just by waving a sheet of tinfoil around."

      I find it unbelievable cars are not 100% secure with the encryption techniques available.

      Instead they seem to be working in the other direction by producing keys that you have to physically restrain from giving your car away to a scumbag in the middle of the night by putting it in a tin box!

  2. Tron Silver badge

    Don't people do risk assessments any more?

    A business needs a plan B. A manual fallback that kicks in and works. Core data should be on intranets that should never connect to the public internet. And just use proper door keys. Tech is not resilient enough to be used for everything like this.

    1. Neil Barnes Silver badge

      Re: Don't people do risk assessments any more?

      Tech is entirely resilient enough for something like this. The problem is that the tech used lacked the resilience required... i.e. it was the wrong solution for the problem.

      As Tron states, core data should never be visible from the public internet. Yet company after company insist on doing just that - and in many cases, insisting on using the public internet to get their data to and from the remotely provided data storage and processing centres.

      I have to admit that I look at electronic door locks in hotels with something of a jaundiced eye every time I check in at one; I've spent too long in the game. Though in many ways the ability to change the key for each guest is an improvement in security both for the hotel and the guest over a mechanical key, I do wonder how much of the system will continue to work if the controller falls over or the batteries go flat/power goes down. At least the inside of every latch I've seen is still mechanical, but I wonder for how long?
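Two questions in this thread ("How do we go manual?" and "how much of the system will continue to work if the controller falls over") have a well-known engineering answer, shown below as an added example. It is not code from any commenter, from Omni or from any lock vendor. The card carries the room number, a validity window, a key sequence number and an HMAC under a per-lock key; the lock checks all of that locally, so the central property-management system is only needed when a new card is cut, not when a guest opens the door. The field layout, the key derivation, the 16-byte tag length and the scenario data are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed card layout: room (u16), valid_from (u32 epoch seconds), valid_until (u32), key sequence (u16).
HEADER = struct.Struct(">HIIH")
TAG_LEN = 16  # truncated HMAC-SHA256; an assumption for this example


def derive_lock_key(master_key: bytes, lock_id: str) -> bytes:
    """Per-lock key. Each lock is provisioned with only its own key, never the master key."""
    return hmac.new(master_key, b"lock-key:" + lock_id.encode(), hashlib.sha256).digest()


def issue_card(master_key: bytes, lock_id: str, room: int,
               valid_from: int, valid_until: int, seq: int) -> bytes:
    """Front desk side. This is the only step that needs the master key, and hence the server."""
    body = HEADER.pack(room, valid_from, valid_until, seq)
    tag = hmac.new(derive_lock_key(master_key, lock_id), body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class DoorLock:
    """Battery-powered lock: holds its own key, its room number and the highest sequence seen."""

    def __init__(self, lock_key: bytes, room: int):
        self.key = lock_key
        self.room = room
        self.current_seq = 0  # persisted in the lock's own non-volatile storage

    def present(self, card: bytes, now: int) -> tuple[bool, str]:
        """Decide entirely offline. Nothing in here touches the network."""
        if len(card) != HEADER.size + TAG_LEN:
            return False, "malformed"
        body, tag = card[:HEADER.size], card[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False, "bad-mac"  # forged, corrupted, or cut for a different lock
        room, valid_from, valid_until, seq = HEADER.unpack(body)
        if room != self.room:
            return False, "wrong-room"
        if now < valid_from:
            return False, "not-yet-valid"
        if now > valid_until:
            return False, "expired"
        if seq < self.current_seq:
            return False, "superseded"  # a newer guest's card has already been used on this lock
        self.current_seq = seq  # first use of a newer card retires every older one
        return True, "open"


def demo() -> dict:
    """Constructed scenario in which the property-management server is offline the whole time."""
    master = hashlib.sha256(b"constructed demo master key - not a real secret").digest()
    lock_id, room, day = "lock-0412", 412, 86_400
    t0 = 1_700_000_000
    lock = DoorLock(derive_lock_key(master, lock_id), room)

    guest_a = issue_card(master, lock_id, room, t0, t0 + 4 * day, seq=1)
    guest_b = issue_card(master, lock_id, room, t0 + 2 * day, t0 + 4 * day, seq=2)  # A left early
    other_room = issue_card(master, lock_id, 413, t0, t0 + 4 * day, seq=1)
    forged = bytearray(guest_a)
    forged[0] ^= 0x01  # flip one bit in the room field; the tag no longer matches

    return {
        "a_day1": lock.present(guest_a, t0 + day),
        "forged": lock.present(bytes(forged), t0 + day),
        "other_room": lock.present(other_room, t0 + day),
        "b_day3": lock.present(guest_b, t0 + 3 * day),
        "a_after_b": lock.present(guest_a, t0 + 3 * day),
        "b_checked_out": lock.present(guest_b, t0 + 5 * day),
    }


if __name__ == "__main__":
    for name, (opened, reason) in demo().items():
        print(f"{name:14s} {'OPEN' if opened else 'DENY'} {reason}")
```

The point of the sequence number is the part that usually gets lost when the lock is wired straight to a web service: the lock does not need to be told that guest A has checked out, because the first swipe of guest B's newer card retires A's card on the spot. What a server outage does cost is the ability to cut new cards, which is why a front desk with an offline key encoder (or a stock of pre-cut emergency keys) is the manual fallback the thread is asking for.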

    2. Anonymous Coward

      Re: Don't people do risk assessments any more?

      They should have an annual SOC audit.

      https://en.m.wikipedia.org/wiki/System_and_Organization_Controls

      It’s mandatory in most jurisdictions for grown up companies.

    3. Herring`

      Re: Don't people do risk assessments any more?

      In "real" engineering, there's FMEA (Failure Mode and Effect Analysis): thinking through what breaks, how, and what the consequences will be. Even in spreadsheet form, it can be a useful way to think about things.

    4. abend0c4 Silver badge

      Re: Don't people do risk assessments any more?

      "A business needs a plan B"

      BYOD - bring your own door.

  3. Winkypop Silver badge
    Alert

    Sorry, your hotel door lock is not working

    Please go to the roof and one of our team will rappel down to your balcony with you.

  4. Hotel I.T.

    Lots of issues here

    After reading all the information on the Omni problem, I believe this is a ransomware attack. The biggest issue I see here is the lack of logical segmentation between various systems on their network. Good network security requires strong segmentation. The fact that this appears to have crossed various systems implies that there was no segmentation. The key systems in hotels run on local servers for the most part and tie to the cloud for mobile key usage. Point of sale should have been fully isolated in a protected network to be compliant with PCI.

    This was not caused by any sort of upgrade, in my opinion. The type of upgrade that would have caused this would have been the core network, which would have been easily reversible. In this day and age all companies should practice strong segmentation. This is exactly how the Target breach happened years ago: crossing from a vendor-accessible network to their corporate network and then over to their point of sale networks.

    The larger issue is that none of these companies fund IT to the level it needs to be. They roll the dice and hope for the best. In all organizations, the head of IT should be a C-level position. They should never report to or be under the CFO. My two cents.
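The lateral path the comment describes (vendor network to corporate LAN to point-of-sale) is easy to miss when a firewall policy is reviewed one rule at a time, because each hop looks reasonable on its own. Below is an added example, not code from the commenter and not a description of Omni's network, of the check a practitioner would run over such a policy: treat everything not listed as denied, then enumerate every permitted route from an untrusted entry zone to a protected zone, so that a two-hop route is reported as a finding. Zone names, flows and service labels are constructed for the illustration; the "flat" policy mirrors the Target-style layout the comment refers to and the "segmented" one shows the same hotel with vendors in their own DMZ and the cardholder-data environment reachable only from a jump host.

```python
from collections import defaultdict

# A permitted flow: (source zone, destination zone, service). Anything not listed is denied.
Flow = tuple[str, str, str]

# Constructed policy 1: flat network, vendor access lands on the corporate LAN.
FLAT: list[Flow] = [
    ("vendor-vpn", "corporate", "tcp/443 vendor portal"),
    ("corporate", "reservations", "tcp/1433 mssql"),
    ("corporate", "pos-cde", "tcp/445 smb"),
    ("corporate", "door-lock-controllers", "tcp/3389 rdp"),
    ("reservations", "door-lock-controllers", "tcp/8443 key-encoder api"),
]

# Constructed policy 2: vendors terminate in their own DMZ; the CDE is reached only from a
# jump host and speaks outbound only to the payment gateway.
SEGMENTED: list[Flow] = [
    ("vendor-vpn", "vendor-dmz", "tcp/443 vendor portal"),
    ("corporate", "reservations", "tcp/1433 mssql"),
    ("reservations", "door-lock-controllers", "tcp/8443 key-encoder api"),
    ("admin-jump", "pos-cde", "tcp/22 ssh"),
    ("pos-cde", "payment-gateway", "tcp/443 p2pe tunnel"),
]


def build_graph(flows):
    """Adjacency list keyed by source zone; the direction of the flow is the direction of attack."""
    graph = defaultdict(list)
    for src, dst, service in flows:
        graph[src].append((dst, service))
    return graph


def find_paths(flows, start, target, max_hops=6):
    """All simple paths from start to target that use only permitted flows."""
    graph = build_graph(flows)
    paths = []

    def walk(node, visited, path):
        if len(path) >= max_hops:
            return
        for dst, service in graph.get(node, []):
            hop = f"{node} -[{service}]-> {dst}"
            if dst == target:
                paths.append(path + [hop])
            elif dst not in visited:
                walk(dst, visited | {dst}, path + [hop])

    walk(start, {start}, [])
    return paths


def audit(flows, entry_zones, protected_zones):
    """Map each protected zone to the routes by which some entry zone reaches it (empty means segmented)."""
    findings = {}
    for entry in entry_zones:
        for protected in protected_zones:
            for path in find_paths(flows, entry, protected):
                findings.setdefault(protected, []).append(path)
    return findings


ENTRY = ["vendor-vpn"]                          # where a compromised third party starts
PROTECTED = ["pos-cde", "door-lock-controllers"]  # what must not be reachable from there


def demo():
    """Run the same audit against both constructed policies."""
    return audit(FLAT, ENTRY, PROTECTED), audit(SEGMENTED, ENTRY, PROTECTED)


if __name__ == "__main__":
    for label, findings in zip(("flat", "segmented"), demo()):
        print(f"== {label}: {len(findings)} protected zone(s) reachable from {ENTRY}")
        for zone, paths in findings.items():
            for path in paths:
                print(f"  {zone}: " + " ; ".join(path))
```

Against the flat policy the audit reports the two-hop route into the POS zone and two routes to the lock controllers; against the segmented policy it reports nothing from the vendor VPN. Note that the segmented policy still lets the reservation system reach the lock controllers, as it must to encode keys; a second run with `ENTRY = ["corporate"]` would show that route, which is the dependency the rest of this thread is complaining about.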

    1. Anonymous Coward

      Re: Lots of issues here

      That would cost money - LOL

      Oh and you don’t need segmentation for Point of Sale payment if your solution is P2P certified. That descopes it.

      Encrypted from PED to Payment Provider endpoints and the card details do not get exposed to the POS and its software.

      … meanwhile my local pizza joint continues to mag swipe credit/debit cards into a PC and still does not have a PED .. never mind Apple Pay.

      20 years behind the rest of the world.

  5. Anonymous Coward

    Cashless at war time

    What happens to cashless countries if e-payments fail? Apart from having too few ATMs, do they even have enough cash reserves?

    Cash being the ultimate information system to rule them all.

    Also the USA may want to reconsider its anemic involvement in Europe, because the World may crash much harder than everybody thinks. Too many things are interconnected already.
