Total $0.00


By Florian Kriechbaumer, Product Development Director, iRiS Software Systems 

In recent months, various reports of security related issues associated to a recent trend in hospitality have emerged, causing concerns among IT professionals and the wider audience in the industry. 

This trend is the provision of guest facing applications for the hospitality market, which allow users to access a variety of hotel information, services, in room dining and also control of their room environment, such as the lights, AC controls or the TV.

By now there is little doubt about the fact this concept will become a de facto standard in the industry. Indeed by 2020, 95% of guests believe hotels 'will increasingly look to new technologies to drastically increase efficiency, reduce costs, and improve service.'* 

However a recent incident in a hotel in China has sparked concerns about the implementation of such applications from an IT security perspective. 

During the incident, a hacker was able to control lights, curtains and AC in other rooms from his computer by intercepting the traffic from the tablet to the room control server and being able to read, modify and repeat the commands to his liking. 

There are number of considerations from an infrastructure perspective that need to be taken into account to prevent such scenarios. 

As a starting point, IT Managers should consider the two common deployment scenarios of such applications: a tablet in the room, owned and managed by the hotel, or a downloadable application accessible on the guests' own devices. Both options have shown merit: For instance, engagement on room-paired devices is typically higher, whereas BYOD lowers cost and allows guests to use the application outside the hotel or prior and after their stay. 

The problems IT managers face in both scenarios are the connection of the applications to the hotel's internal systems, such as the Property Management System, Point of Sale or Room Control devices. 

Initially, it's critical to consider how the device connects to its backend server where content and other functionality of the application is managed and processed, and whether this server sits in the cloud or on property. Secondly, how does the communication to other systems in the hotel work and how it can be secured?

For a tablet that is paired to the room, best practice includes using a dedicated, hidden, and password-protected SSID to connect to the network via WiFi, contained to a trusted VLAN zone and separate from the guest network. This will ensure traffic, and hence an intruder cannot intercept data and commands. Secondly, IT Managers should ensure that their application vendors encrypt any traffic from the tablet to the back end server using SSL, which, should an intrusion occur, will not allow anyone with malicious intent to understand the commands being sent and repeat them for other rooms, for instance. 

While these rules apply for both cloud and locally deployed back end servers for your hotel applications, IT Managers should keep in mind that typically the cloud based deployments come with a number of benefits in terms of maintenance and support. Nevertheless there are scenarios where local servers might be preferable, such as in geographic locations with poor Internet.

It is also good practice for any connection from the application on the device to a third party system in your hotel to run via the aforementioned central back end server, rather than allowing each device to directly connect to your business critical systems independently. This will ensure that a connection to the PMS for example can be easily secured, as it will be limited to one single line of communication between the PMS interface machine and the server running the backend services, to which the application connects to in order to receive data. Such a connection can be protected via VPN, IP-based restrictions and by using vendors who inherently secure their interface APIs via appropriate authentication methods. 

BYOD brings additional complexity here as the devices connect to the backend server using the public WiFi or 3G, rather than a network that can be controlled by the hotel. Here, additional measures to authenticate devices should be put in place, for example a guest can only control the lights if they have entered a PIN number that is shown on the TV and reset for every guest on check out.

In summary, practitioners looking after the implementation of an application for their hotel need to ensure that the chosen provider can supply appropriate data flow documentation that covers the above points. In addition, they should be able to illustrate their approach to security of the communication between tablet, application server and third party systems. Given the issues that have surfaced, this due diligence is essential when considering a vendor. Putting this into practice, a detailed RFI process involving all appropriate stakeholders of the property is essential and can ease the process of acquiring the information from vendors and subsequently drawing comparisons between shortlisted application providers.


About iRiS Software Systems

* London-based iRiS Software Systems Ltd is an award-winning interactive guest services application creator, providing apps designed for hotels, cruise lines and restaurants. The iRiS applications are designed to improve the guest experience, increase revenues and reduce costs, improve communications between guests and staff and provide a smart marketing tool. Both tablet and mobile phone applications are available

* iRiS Valet is the award-winning, interactive, multi-lingual guest services app.  The iRiS F&B Suite is a world-leading multi-lingual, digital menu, sommelier and bar application 

* More than 300 hotels and restaurants worldwide work with iRiS Software Systems.

* Luxury hotel group, Kempinski Hotels has selected iRiS Software as a key guest services technology provider and is installing iRiS applications across its worldwide network. iRiS works with other major hotel brands including: Mandarin Oriental, Orient Express, Starwood, Hilton, Accor, Swire, as well as with a number of independents

* iRiS has representation across every continent with major offices in UK, USA and Asia . Countries with iRiS installations include: USA, Canada, UK, France, Germany, Austria, Hungary, Mauritius, Switzerland, China, Hong Kong, Thailand, Singapore, Malaysia, Russia, the UAE, India, Kenya, Malta, Turkey, Qatar and Australia.

* iRiS won the 2012 Travolution Technological Innovation Award for its market-leading iRiS Valet application. iRiS has won 'Most Innovative Hospitality Technology of 2013' Runner-Up at the HTNG Awards 2014.

For further information visit:

Contact: Laura Barnes, Marketing and PR Manager

Please login or register to post a comment.