The hospitality sector is powered by mobile apps and websites. It could not function today without them. Convenient anytime/anywhere customer experiences and backend operational efficiencies are just a few of the reasons why hotels, food & beverage companies, travel & tourism, events & entertainment, recreation & leisure, and transportation firms have embraced digital technology with open arms.

Unfortunately, being digital also exposes the sector to cyber threats, particularly those targeting payment card industry (PCI) data. 

Some hotels are even exploring app-based keyless entry systems. These are meant to make guests feel secure about themselves and their belongings, but they also introduce another attack surface. Additionally, loyalty programs are valuable assets, akin to currency, that demand stringent security measures.

The importance of securing these digital assets cannot be overstated, especially in light of recent cyberattacks targeting popular hospitality brands. Let’s examine specific vulnerabilities in this industry.

Cyber weaknesses in the hospitality sector

Case study: MGM Resorts cyberattack

MGM Resorts faced a significant cyberattack, leading to the shutdown of its entire system. While the attack primarily targeted the company’s servers, its ripple effects extended to app-based services and PCI data integrity. This incident underscores the importance of closing attack vectors on servers. And since mobile applications are used in hospitality more than ever, this growing attack surface needs to be shielded as well.

Phishing and malware attacks

The hospitality sector, including hotels operating mobile booking apps, is a prime target for phishing and malware campaigns aiming to steal personally identifiable information (PII) and compromise PCI compliance. Staff members with administrative rights and general access are particularly vulnerable.

Travel booking app vulnerabilities

Insecure data storage, insufficient data encryption, and exposure to dynamic runtime attacks are just a few of the vulnerabilities found in travel & tourism apps. They can expose sensitive PII such as credit card details, home addresses, and travel plans to cybercriminals.

Bluetooth-based door system attacks

The adoption of app-controlled and Bluetooth-based keyless entry systems for hotel doors means implementations must be hardened against the known set of attacks: relay attacks, akin to those witnessed against mobile car services, replay attacks, and vulnerabilities in hotel guests’ own devices. Bluetooth stack exploits have been among the most severe remotely exploitable zero-day vulnerabilities of recent years.
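To make the replay-attack point concrete, here is an added example (not Verimatrix code, and not any real lock’s protocol) that simulates two lock designs: one accepting a static unlock token, where a recorded exchange opens the door again, and one issuing a fresh random nonce per attempt and checking an HMAC over it, so a captured response is useless a second time. The shared key and the simplified message format are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed shared secret; in practice provisioned per guest/room at check-in.
KEY = b"constructed-shared-key"


class StaticTokenLock:
    """Weak design: a fixed unlock token that never changes between attempts."""

    def __init__(self, key):
        self.token = hashlib.sha256(key).digest()

    def unlock(self, token):
        return hmac.compare_digest(token, self.token)


class ChallengeResponseLock:
    """Hardened design: random single-use nonce, HMAC response bound to it."""

    def __init__(self, key):
        self.key = key
        self.pending = None  # nonce awaiting a response, or None

    def challenge(self):
        self.pending = os.urandom(16)
        return self.pending

    def unlock(self, response):
        if self.pending is None:  # no outstanding challenge: reject
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None  # every nonce is consumed after one attempt
        return hmac.compare_digest(response, expected)


def phone_respond(key, nonce):
    """What the guest's phone computes for a given challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo_static():
    lock = StaticTokenLock(KEY)
    token = hashlib.sha256(KEY).digest()  # legitimate phone's message
    first = lock.unlock(token)
    replayed = lock.unlock(token)  # a sniffed copy of the same bytes
    return first, replayed  # (True, True): replay succeeds


def demo_challenge():
    lock = ChallengeResponseLock(KEY)
    resp = phone_respond(KEY, lock.challenge())
    first = lock.unlock(resp)
    lock.challenge()  # next attempt gets a new nonce
    replayed = lock.unlock(resp)  # stale response no longer matches
    return first, replayed  # (True, False): replay fails
```

Challenge-response defeats replay but not relay, where a live exchange is forwarded in real time between a distant phone and the door; that requires proximity or distance-bounding checks the example does not model.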

RFID door system vulnerabilities

Many hotels utilize RFID-based door systems, which have been found to be flawed, with incidents of master key leaks enabling unauthorized access without detection. This issue, though not directly app-related, underscores the broader cybersecurity challenges in the hospitality sector.

Persistent threats and exploits

Among the specific threats identified were exploitation of the MOVEit RCE vulnerability (CVE-2023-34362) and phishing tactics using HTML attachments for credential theft and malware delivery. The report also noted the significant role of credential access obtained through brute force attacks, a tactic accounting for a notable percentage of reported incidents. These tactics underline the multifaceted approaches cybercriminals take to target the hospitality industry, from individual hotels to extensive restaurant chains and cruise ships.

Report: Trustwave’s hospitality industry threat report

Trustwave’s report on cybersecurity threats within the hospitality sector revealed that nearly one-third of hospitality organizations have experienced a data breach. The research documented specific attack methods, including brute force attacks, exploiting known vulnerabilities, and attacking exposed open ports, emphasizing the hospitality industry’s vast and complex cybersecurity threat landscape. 

Verimatrix’s approach to mobile application security and PCI compliance

Cybersecurity vendors can play a crucial role in defending against these threats and ensuring PCI compliance. Verimatrix is a notable player in this field, offering comprehensive solutions designed to protect mobile apps and websites from a variety of attacks while aiding in achieving and maintaining PCI compliance.

  • App hardening: To counter the risk of apps being used as a channel for cyber attacks on backend services (as seen in the MGM Resorts case study), Verimatrix specializes in app hardening. This involves implementing security measures that make it significantly more challenging for attackers to exploit vulnerabilities within the app.
  • Attack monitoring: Verimatrix XTD, our extended threat defense platform, monitors attempted and successful attacks on applications, enabling early countermeasures and providing real-time risk assessment. Device attestation is a significant part of achieving PCI compliance as it continuously monitors the integrity of the application and sends notifications if the app has been compromised.
  • Man-in-the-Middle (MitM) defense: The Verimatrix suite includes defenses against MitM attacks, protecting data in transit between an app on a user’s device and hotel servers. This is critical for safeguarding payment information and other personal user data.
  • Best practices and consultation: Verimatrix goes beyond offering out-of-the-box solutions by consulting with clients on best practices tailored to their specific technologies and protocols. This approach is particularly valuable for hotels developing in-app room key solutions, ensuring they are secure from inception.
  • Focus on small attack surfaces: For hospitality entities, which may have a relatively small attack surface (e.g., an app for hotel bookings without a loyalty program), Verimatrix emphasizes the value it can provide in protecting against PII data exposure and ensuring compliance, despite the perceived lower risk of direct financial theft.

Wrap up

The hospitality sector’s heavy reliance on digital platforms underscores the need for a robust cybersecurity posture, particularly concerning PCI compliance. Recent cyberattacks serve as stark reminders of hotels’ vulnerability to a range of cyber threats, from server-based attacks impacting entire systems to vulnerabilities in website and app-based services like room entry or payment processing. 

Cybersecurity vendors like Verimatrix provide critical tools and expertise to counter these threats, focusing on device attestation, defense against specific attack vectors, and compliance support. As hotels continue to digitally innovate, partnering with experienced cybersecurity providers will be paramount in safeguarding digital assets and maintaining guests’ trust.