How Secure Is Your Hotel’s Mobile Room Key?

Mobile keys are convenient time-savers, but as a new technology, they may not be without vulnerabilities. Here's how they work and what to expect.
By Melissa Lambarena
Edited by Kenley Young

By the time you get to your hotel, you’ve waited at the airport, on the plane and in transit. Checking into your room may also mean a wait — but not if your hotel offers mobile check-in and a digital room key.

Some hotels offer these features through their mobile apps, allowing guests to bypass the front desk and head straight to their room without the wait. The room door opens with the mobile key when the phone touches the lock on the door.

Mobile keys are convenient time-savers, but as a new technology, they may not be without vulnerabilities. The security of the mobile key feature depends on the measures that hotels or mobile key providers have in place to protect their electronic key system.

How and where mobile keys work

The functionality of the mobile key feature varies by provider and hotel. Generally, your phone's Bluetooth setting needs to be on for keys to work. These electronic keys may also provide access to other areas on the property, such as the fitness center, lounge, elevator or parking garage. You may also be able to perform other tasks like taking a call while using the key.

The mobile key feature has become available on more mobile devices at a growing list of hotel properties:

  • Marriott and SPG hotels offer it at over 400 properties

  • Hilton offers its digital key at over 1,000 properties

  • Intercontinental Hotels and Resorts is piloting the feature

  • Radisson RED, a lifestyle hotel brand, offers the mobile key option at three properties

Other hotels have the option of offering the feature through providers like OpenKey that offer mobile app software for hotels.

How safe are mobile keys?

The FBI says it has not seen any cases of compromised hotel mobile key systems in the U.S., but hotel hacks are not unheard of. Last year, the Romantik Seehotel Jagerwirt hotel in Austria made headlines when hackers targeted its electronic key system, locking the hotel out of its computer system and preventing management from accessing the reservation system. The hotel was using swipeable key cards at the time. New guests couldn’t use their cards, and receptionists couldn’t create new keys for them.

Hackers reportedly emailed a ransom request to the hotel demanding two bitcoins in order to return management’s access to the electronic key system. Hotel manager Christoph Brandstatter says the ransom was paid and the hotel has since returned to traditional keys.

This “ransomware” tactic has been moving toward system-connected devices like locks in recent years, according to Michel Chamberland, North America practice lead of SpiderLabs at Trustwave, a security company that protects businesses from cybercrimes. Chamberland is a so-called “ethical hacker”; with his team, he hacks hotel clients’ mobile keys and locks to locate vulnerabilities before hackers do.

“On one of the locks we looked at, we were able to reset the administrative password without being authorized to do so,” Chamberland says. “We were able to manage the whole environment.” And new vulnerabilities are introduced with updates to mobile apps, he adds.

Nearly all digital locks in the hotel space have encryption that mirrors financial institutional security, according to TJ Person, founder and CEO of mobile key provider OpenKey. The company has a cloud security company monitoring its servers around the clock to help find and correct vulnerabilities.

Ted Harrington, executive partner at Maryland-based security firm Independent Security Evaluators, recommends that manufacturers of these solutions perform security assessments of their systems at the same level that an attacker would.

“There is a misperception that encryption alone delivers security, and that is fundamentally untrue,” Harrington says. He suggests thinking of encryption as the lock on your house. If the front window of your house is open, an attacker won’t bother breaking the lock on the door; he’ll get in through the window.

Are mobile keys safer than plastic key cards?

A traditional key card generally remains an option for guests who prefer it — but it’s not necessarily a safer option than a mobile key. Some magnetic key cards can be cloned wirelessly and read using antennas, according to Chamberland. And, of course, physical theft is a risk, particularly if hotel guests keep their key card and room number together for convenience (all the information thieves need to get access to a room).

Sure, smartphones can be stolen, too, but setting a phone lock and requiring a separate login for the mobile key app can provide some additional protection that doesn’t come with key cards.

“I think people should be excited about using mobile key, but they should be cognizant that there are security implications,” Harrington says. “Be an informed consumer. Read the news where you can, understand what’s going on in the security world and proceed cautiously.”
