Discuss as:

Keycard hacker picks locks, exposes gap in hotel security

You probably don’t give those ubiquitous hotel-room keycards much thought but Cody Brocious obviously has. Last week, the self-described hacker/music aficionado demonstrated a homemade gadget that could conceivably unlock millions of hotel-room doors around the world.

The good news is that Brocious’ $50 gadget has so far proven inconsistent in its effectiveness, according to Forbes. Even better, Onity, the company whose locks were hacked, has already announced an upgrade to address the vulnerability.


The bad news? Brocious followed up his demonstration by publishing a how-to paper that may inspire other hackers to try their hand at entering guests’ rooms without their knowledge or consent.

Should travelers be worried? Not really, say security experts, who suggest travelers are more likely to deal with misplaced or demagnetized cards than rogue hackers intent on stealing personal items or inflicting bodily harm.

“Keycards are a time-tested application,” said Tom McElroy, a principal at The Hospitality Security Consulting Group, LLC. “They’ve got their quirks but for a little bit of inconvenience, the fundamental technology is solid.”

Instead, say the experts, most hotel crimes are crimes of opportunity where crooks take advantage of guests’ inattention. To avoid most problems, they say the standard precautions should suffice:

  • When in your room, always use secondary security systems, such as the deadbolt, chain or latch.
  • When leaving your room, wait to make sure it closes completely. Hotel-room doors can get out of adjustment, closing so slowly that they stop before engaging the lock.
  • Use the peephole before opening the door for unknown guests. If someone claims to be from the hotel, call the front desk to confirm.
  • Never write your room number on your keycard or leave it lying around. Instead, memorize your room number and throw the sleeve your keycard came in away.
  • If you lose your keycard, report it immediately so hotel staff can recode your lock and issue you a new keycard. However, they shouldn’t do so without asking for identification or otherwise confirming your identity.

The trickiest situation, perhaps, is also among the most common, a scenario that security experts refer to as “tailgating” or “piggybacking” at a secured door to a public area.

“Somebody says, ‘Hey, can you hold the door for me?’ What are you going to do, say no?” said Ron Lander, chief technology officer for Security Management Services International, Inc. “In the normal flow of things you probably don’t want to, but for the sake of security, you should probably at least ask them where their access card is.”

Ultimately, most hotel crimes can be avoided by paying attention to your surroundings, keeping tabs on your keycards and securing your valuables in your in-room safe or at the front desk. Honing your “situational awareness” is a better use of your energy than worrying about hackers surreptitiously spoofing your keycard code.

“Just because you’re in a hotel and your hotelier has made your room feel like your bedroom at home, doesn’t mean you shouldn’t let your guard down,” McElroy told NBC News. “You lock your door at home; you use the peephole before you let someone in — those are the same principles you should apply when you’re staying at a hotel.”

Rob Lovitt is a longtime travel writer who still believes the journey is as important as the destination. Follow him on Twitter.

More stories you might like: