In the last few years, the hospitality industry has become increasingly digitized as it embraces new technologies. Key to this shift has been the widespread adoption of Internet-of-Things (IoT) systems; networks of physical devices that can connect and share information with one another.

IoT systems are already in use across a wide variety of industries. In 2020 there were about 10 billion IoT devices in use worldwide. By 2030, that number is expected to nearly triple, to29 billion devices. For the hospitality industry, IoT will be crucial to providing a more personalized guest experience and to reducing operating costs through cost savings on utilities, improved inventory management, and improved safety protocols.

However, beyond all these enticing benefits, there lies a lurking threat from having hundreds, possibly thousands, of interconnected devices on a shared network. And that threat is cyberattacks. Recognizing this danger and devising ways to protect hotel IoT systems against attacks will be a crucial part of the integration process, as more hotels adopt and expand their IoT systems.

Common attacks

For IoT systems, cyberattacks most often take the form of malware or botnet attacks. You don’t need to be an IT wizard to understand the dangers of malware and botnet attacks. Simply put, malware – short for malicious software – is any kind of program that acts without a user's knowledge and deliberately alters how a computer operates.

Any device with an internet connection can be vulnerable to malware infection and they most often happen when a user has been tricked into downloading a suspicious file, usually through a phishing scam. Once a device is infected, any sensitive data such as passwords, banking, or personal information can become compromised.

The danger level increases when a malware infection is converted into a botnet attack, which is a large-scale attack carried out by a network of malware-infected devices, or bots, that can spread viruses, steal critically sensitive information, or launch a Distributed Denial of Service (DDoS) attack that can take the target’s website offline.

Recovering from such an attack can be both long and financially painful, which is why prevention is always the best cure. Unfortunately, the nature of how IoT systems operate can make it a real challenge to prevent malicious attacks.

Why are IoT systems so vulnerable?

The list of IoT-compatible devices is pretty extensive, ranging from smartphones and tablets to thermostats, lighting systems, and door locks. Since these devices are all connected across a shared network, a successful attack on any one device can quickly lead to a wider network infiltration.

The problem is that, ever since 2015, the year that IoT saw itsproof of concept, the market has become flooded with new entrants. These companies may know how to design a highly functional device, but they are not necessarily well versed in how to write secure code for a highly connected environment. In some cases, security is completely neglected for the sake of meeting release deadlines and cost requirements.

What this means is that there are an awful lot of IoT devices out there that have little to no protection against malware attacks, creating very attractive attack points for bad actors.

Even when an IoT device is designed with security in mind, that won’t count for much if users are careless in how they use it. Since many IoT devices are everyday items like thermostats or refrigerators, it’s hard for people to see them as endangered and in need of securing, as they more likely would a personal smartphone or laptop. Many IoT security breaches happen because the user didn’t change the factory-installed password, making it very easy for a hacker to gain administrative access and install malware.

How can hoteliers protect their IoT systems?

When you’re choosing a vendor for a new technological upgrade, cost, functionality, and user-friendliness should be high on your list of requirements. But security is another thing that you should account for, especially when it comes to IoT devices. As such, hoteliers should focus on sourcing IoT devices from reputable developers that place a priority on designing highly secure devices, ideally with security firmware that has been baked in at the chip or hardware level.

Once installed, all IoT devices should be secured at the network level by deploying effective cybersecurity protocols, such as AI-powered monitoring tools that can identify, predict, and mitigate risks before they occur.

In addition, the hotel’s IT team should follow best practices by regularly changing the passwords on all IoT devices and carrying out regular security reviews to pinpoint new vulnerabilities and attack vectors. It’s a constant process that needs to be ongoing to ensure adequate protection.

Final thoughts

While the security issues with IoT systems can be challenging, they shouldn’t be considered an argument against any hotel adopting IoT. The modern consumer is highly in-tune with the digital landscape and expects the businesses they frequent to keep up with the latest technologies. By embracing IoT, hoteliers can ensure they remain competitive and in greater control of how their business operates.

At the same time, hoteliers can also protect their IoT network against malicious attacks by recognizing the associated risks, and taking adequate steps to secure their network.

Dr. Danny Rittman, technology expert and CTO at GBT Technologies