To be clear, the lock models targeted by this security hack are RFID-based. As far as we know, no other electronic security technologies (e.g., NFC, magnetic stripe, biometrics) have been compromised by this attack. Unfortunately for non-RFID electronic lock vendors, that fact might be of little consequence—especially in the context of end users’ perception.
The market for electronic hotel locks is somewhat unique in the sense that there are really two categories of end users: the hotels and their customers. Barring a PR disaster such as this, an e-lock vendor must only convince the former of the security and reliability of its locks to be successful—hotel guests will assume the lock on their door will do what it is supposed to—until a story like Onity’s goes viral.
Now, not only will hotel operators be avoiding Onity products due to this new security threat, so too will nervous hotel guests. While this presents an immense problem for Onity, we also see it as a challenge for all electronic security/access control vendors. While a hotel IT or security director may be savvy enough to distinguish between different lock vendors and enabling technologies—including RFID, NFC, magnetic stripe and biometrics—the average hotel guest most likely is not. Therein lays the problem for e-lock companies.
From a hotel operators’ perspective, guests’ perceptions carry significant weight—because if a guest is not confident in the hotel’s security, they are probably going to stay elsewhere. Thus, if the public becomes highly weary of electronic locks in general—to the point that their presence negatively impacts a hotel’s bookings—we bet operators would be swift to revert to old-fashioned lock-and-key or other more secure alternatives.
While fallout from this incident is not likely to be that severe, we expect it will cause many hotel operators to evaluate more carefully the reliability and security their future e-lock investments truly deliver. Moreover, this incident underscores the need for increased vigilance when it comes to securing electronically-enabled devices, particularly those that are customer-facing and likely to be targets of criminal attacks. Consumer trust is highly difficult to earn but can be lost instantly.