This is my first experience at a hotel using a mobile phone app as a keycard. It seems to transmit using BLE (Bluetooth Low-Energy).
Great for convenience, but I'm not sure how trustworthy it is, even though the permissions aren't egregious. I'll be disabling or uninstalling it until the next time I stay at one of these properties just to be safe.
@voltronic I have one for my work. There are some advantages to it, but yeah, I can see where this can also be dangerous.
@voltronic
I somewhat am ok with the concept but only because I always seem to demagnetize my card multiple times during my hotel stays
@voltronic I always uninstall travel apps after travel is done. Hotels, airlines, etc.
@Dashdrum
This is the first time I've ever installed any travel / hotel app.
@voltronic isn’t Bluetooth wildly insecure anyway? Like, “arbitrary code execution” insecure?
@voltronic I’ve been wondering about that option as the resort I’m staying in on Maui uses it. As well, the Safe Hawaii app is required to travel to the islands. Before embarking on the trip, I’ll be required 2 upload my flight info to the island, my vaccination card and ID for verification. Upon approval a QR code is given & req’d 2 show upon landing & forgo current testing procedures & quarantine. All of that makes me a bit nervous. There are currently no exceptions unless restrictions lifted.
@CherNohio
Well it doesn't sound as though you have a choice. It's not like they are storing all those docs in the app. You just have to hope their database is well protected.
None of these things are probably as invasive as what the big social media companies do.
@voltronic @CherNohio
Can't a third party detect the transmitted code and reproduce it later to get into your room?
@EileenKCarpenter @voltronic @CherNohio it's possible that the code changes so that the same signal is not repeated. Similar to other 2FA rolling codes.
@JGNWYRK @EileenKCarpenter @voltronic @CherNohio
It's not going to be a static code, it's going to be time-stamped, at a minimum.
On top of that, the encryption key is almost certainly negotiated on the fly.
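As an added illustration of the replay question raised above (a captured BLE transmission being resent later) and the "time-stamped, rolling" answer to it, here is a small Python model of a lock that accepts a one-shot, time-stamped credential. This is example code written for this thread; it is not the Seos/ASSA ABLOY protocol or the hotel app's code, and the token layout, the shared key, and the 30-second window are assumptions chosen for the demonstration.

```python
import hmac
import hashlib
import os
import struct

# Constructed demo secret shared by credential issuer and lock (assumption: not any real key).
LOCK_KEY = b"demo-lock-key-not-a-real-secret"
WINDOW_SECONDS = 30  # assumed validity window for a credential


def make_token(key: bytes, room_id: int, issued_at: int, nonce: bytes) -> bytes:
    """Build a one-shot credential: room id || issue time || 16-byte nonce || HMAC tag."""
    msg = struct.pack(">IQ", room_id, int(issued_at)) + nonce
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return msg + tag


class Lock:
    """Verifies tokens and refuses anything stale or already used."""

    def __init__(self, key: bytes, room_id: int, now):
        self.key = key
        self.room_id = room_id
        self.now = now            # clock callable, injected so the demo is deterministic
        self.seen = {}            # nonce -> issued_at, the replay cache

    def unlock(self, token: bytes):
        if len(token) != 4 + 8 + 16 + 32:
            return False, "malformed"
        msg, tag = token[:-32], token[-32:]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False, "bad tag"
        room_id, issued_at = struct.unpack(">IQ", msg[:12])
        nonce = msg[12:]
        if room_id != self.room_id:
            return False, "wrong room"
        now = self.now()
        # Drop cache entries that can no longer be replayed, so the cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_SECONDS}
        if abs(now - issued_at) > WINDOW_SECONDS:
            return False, "expired"
        if nonce in self.seen:
            return False, "replay"
        self.seen[nonce] = issued_at
        return True, "ok"


def demo():
    """Walk through the cases the thread discusses; returns the lock's verdicts."""
    clock = [1_700_000_000]                      # constructed fake clock
    lock = Lock(LOCK_KEY, room_id=412, now=lambda: clock[0])
    token = make_token(LOCK_KEY, 412, clock[0], os.urandom(16))
    first = lock.unlock(token)                   # legitimate use
    replay = lock.unlock(token)                  # identical bytes presented again
    tampered = bytearray(token); tampered[0] ^= 0x01
    forged = lock.unlock(bytes(tampered))        # room id changed without the key
    clock[0] += 120
    stale = lock.unlock(make_token(LOCK_KEY, 412, clock[0] - 120, os.urandom(16)))
    fresh = lock.unlock(make_token(LOCK_KEY, 412, clock[0], os.urandom(16)))
    return first[1], replay[1], forged[1], stale[1], fresh[1]


if __name__ == "__main__":
    print(demo())  # ('ok', 'replay', 'bad tag', 'expired', 'ok')
```

The two defenses work together: the timestamp bounds how long a captured token is worth anything, and the nonce cache rejects a second presentation inside that window. A real lock would additionally need a trustworthy clock and a key per lock or per reservation rather than one shared secret, which this toy deliberately does not model.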
@mcfate
Well the thing is, the same locks and elevator readers work with the phone app or a key card from the main desk. You have an option to use either one. I went with the phone option because the app let me check in beforehand.
So everything you said makes sense, but I'm not sure the codes rotate if you can have your phone and a keycard, and can access your room with either one.
@mcfate
I wasn't super concerned with the Bluetooth part anyway. It only works within about a cm, which is why I assume BLE is being used.
@voltronic @JGNWYRK @EileenKCarpenter @CherNohio
That would seem to eliminate anyone stealing credentials over-the-air.
I mean, you'd NOTICE a person standing between you and the door.
@voltronic @JGNWYRK @EileenKCarpenter @CherNohio
You're assuming a single code path behind whatever's communicating with the card on the one hand (via a mechanical interface) or the app (via BLE, or NFC, or something), and I'm definitely not assuming that.
I mean, it COULD be a really crappily-thought-out system, but I wouldn't want to take that as a given.
@mcfate
The key card isn't mechanical. It operates the same way, with BLE or NFC as you say. Maybe an RFID tag. The app only requires BT.
@voltronic @JGNWYRK @EileenKCarpenter @CherNohio
Is it thicker than a standard credit card?
@voltronic @JGNWYRK @EileenKCarpenter @CherNohio
Also, when you install the app, how do you "pair" it with your room?
@mcfate
It asks you to verify some personal info, and then it pulls the info from your reservation. The app has a few different sections, one of which is to bring up your "digital key".
I just found the system this uses:
https://www.assaabloyglobalsolutions.com/en/products/mobile-access/secure-seos-technology/
@voltronic @JGNWYRK @EileenKCarpenter @CherNohio
Look at this: it keeps the actual digital key on a centralized server.
@mcfate
That's not what this page says. The key is on your phone, in an 'encrypted vault'.
In any case, the key isn't decrypted until after the lock receives it. So, this system seems much more resilient than your typical HID cards. You can clone those from a few feet away, yet companies still use them.
@mcfate
Nope. Identical.
@mcfate
But yeah, I would like to think a company of this magnitude thoroughly vetted such a system.
@voltronic
I use it almost all the time via the hotel chain's app, which I also use to manage bookings and check in / check out. So far, China knows about as much about me as they already did so I feel okay with it.