How do those hotel door locks work? When I had an apartment with a tap keyfob, it was battery-operated and the fob seemed to be programmed for that specific lock, so I thought they could work offline.
These days the locks are online so that you can block a lost keycard from the front desk. Previously you had to open the lock with a newer keycard than the lost one to make the lost one inoperable. That works kinda fine in a small hotel but not when you have 48000 rooms with millionaires in them.
Fwiw you could probably build this in a way that it continues to operate without internet. This creates a new attack vector (disable the internet and you can't revoke access) but that's probably acceptable given the physical attacks possible.
Each key gets a revision number. When the first set of keys are created, they get revision number 0. The lock records a high water mark of the revision numbers it has seen. Only keys matching the water mark get to unlock the door.
When you want to revoke a key, you re-issue a new set with a higher revision number. When the guest checks out, you issue the next revision number to the next guest, effectively disabling the previous set.
You do all this as a fallback when the network fails. This way, you can still disable keys in real-time when people check out of their room.
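The revision-number scheme from the comment above, as an added example that is not part of the original thread or any vendor's code. It assumes a per-lock HMAC-SHA256 secret shared with the front desk (a symmetric stand-in for the signing the thread asks about) and a constructed card layout of room number, revision and tag; all names are hypothetical.

```python
import hashlib
import hmac
import struct

class OfflineLock:
    """Lock with no network link: it trusts only its own stored state."""

    def __init__(self, room: int, lock_key: bytes):
        self.room = room
        self.lock_key = lock_key   # assumption: per-lock secret known to the front desk
        self.high_water = 0        # highest authenticated revision seen so far

    def present(self, card: bytes) -> bool:
        if len(card) != 8 + 32:
            return False
        body, tag = card[:8], card[8:]
        expected = hmac.new(self.lock_key, body, hashlib.sha256).digest()
        # Authenticate BEFORE touching the high-water mark; otherwise a forged
        # card carrying a huge revision would lock out every legitimate guest.
        if not hmac.compare_digest(tag, expected):
            return False
        room, revision = struct.unpack(">II", body)
        if room != self.room:
            return False
        if revision > self.high_water:
            self.high_water = revision   # a newer card revokes all older ones
        return revision == self.high_water

def issue_card(room: int, revision: int, lock_key: bytes) -> bytes:
    """Front-desk side: build the card body and append its MAC."""
    body = struct.pack(">II", room, revision)
    return body + hmac.new(lock_key, body, hashlib.sha256).digest()

def demo() -> dict:
    key = b"constructed-demo-key-room-1204"      # constructed sample secret
    lock = OfflineLock(1204, key)
    guest_a = issue_card(1204, 0, key)
    guest_b = issue_card(1204, 1, key)           # re-issue after checkout
    forged = issue_card(1204, 2, b"not-the-lock-key")
    return {
        "a_before": lock.present(guest_a),
        "forged": lock.present(forged),
        "a_still": lock.present(guest_a),        # old card works until B taps
        "b_first": lock.present(guest_b),
        "a_after": lock.present(guest_a),        # now below the high-water mark
        "mark": lock.high_water,
    }

if __name__ == "__main__":
    print(demo())
```

The `a_still` result shows the limit of the offline fallback: the older card keeps working until a card with a higher revision is first presented at that door.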
Does this use something like asymmetric keys so the door can verify a key came from the issuing system or is there still some online/network portion?
Assuming it does use asymmetric keys to prevent someone from creating counterfeit access cards, there would still be a window (if the network is unavailable) where the old key would continue to work until a new key is scanned the first time on the door lock?
Currently at a reasonably-priced hotel in the boonies. Extended my stay the other day and they had to re-issue the keys. The keys must be aware of the reservation period, and the locks must be aware of the current wall-clock time. Finding a way to tamper with the RTC in the lock could blow up the whole system. Or, you know, a crowbar.
MGM hotel rooms can be unlocked with smartphone NFC tap. You don't even need to visit the front desk to check in, just log in to the app. But if you can't open the app you can't get in your room. I'm guessing the front desk can issue keys to a guest in the event they lost their phone or something, but if the network is down for the front desk too then they might not be able to issue keys.
The problem is it works badly. You have to open the app which has to load and then you can get access to your key. But if you’re on an elevator then you might not have service and the app won’t load and then you can’t get to your key to use the elevator. Or worse if you don’t have great service in the corridor.
It needs to work in a way where the key is saved to your phone so it can be accessed quickly and offline.
Afaik the HID Global app saves a key in the OS key store (at least on Android) and uses the locally stored key with NFC so you just need network access to enroll a key. Not sure what vendor/app these things use (maybe it's all in house)
Some hotel chains like Hyatt support NFC keys in Apple Wallet. Because whatever microcontroller runs that is low-power, it can continue working after your phone battery is (nearly) dead too.
I know other locks use Bluetooth from an app which isn’t supported by Apple Wallet.
I did a project several years ago for MGM that involved BT, player cards, key systems, wifi, etc and I can confirm the hotel locks are controlled centrally for various reasons.
Such a system seems like it would be incredibly fragile to local attack - and this is one case where you can't just assume "physical access means you've already lost".
I agree, that's why I figured if you can get away with fooling around with a lock, some wires and a laptop in the hallway, you can probably pick the backup key more discreetly.
I was wondering the same. It would be an extreme fire hazard if a power or computer outage made the doors unopenable - especially because a fire could and likely would cause an outage.
I once was stuck in my hotel room due to a malfunction in the inside door handle, which was an annoying way to discover that the latch wasn't even mechanical on that side.
Apartment? I assume your home? The upkeep of locks in a hotel is a bit more involved, as customers lose keys and they need to be reset for the next room guest (for larger hotels, at least)