Hospitality Establishments With Visitor Management Systems Are Vulnerable To Cyber Frauds

Hotels and other industries using Visitor Management Systems are at risk of possible cyber attacks

The world without internet has seen hotels and hospitality establishments with human assistants, security guards, and receptionists. Now, these human employees are gradually being replaced with computers and visitor management systems.

However, researchers from IBM have discovered that there are a plethora of vulnerabilities found in these visitor management systems that have replaced humans and raised concerns of possible data breach and infiltration of cybercriminals.

In the age of the internet, automation, artificial intelligence (AI), machine learning (ML), and the internet of things (IoT) started to become part of every aspect of our daily lives. The advent of visitor management systems, which allows automating and virtually process visitor management tasks like reception or guest bookings, has permitted the hospitality industry to improve the security of their establishments for the benefit of their guests and visitors while saving money from the human workforce that these tasked used to require.

Unlike simple pen and paper, they can authenticate visitors and provision badges for them in an automated way without allowing anyone to see who else has visited. If a visitor management system is working correctly, it should be easier to identify which visitors are legitimate and if they should be allowed to move throughout the campus unescorted. If the systems are not working as intended, they can provide a false sense of security to the companies deploying them.

This is why there is no doubt that hospitality management system industry is poised to grow as their markets expand. The industry is even expected to become a $1.3 billion industry by the end of 2025.

However, the introduction of the internet to any system invites possible attacks and opens security vulnerabilities found in badges and digital control systems. The internet primarily provides opportunities to cybercriminals to exploit these systems and bypass all its security mechanism to carry out their illegal activists, most of the time, to the expense of the guests and their visitors.

Infiltrating hospitality establishments like hotels and resorts is not a common thing at all. In fact, social engineering, where criminals are dressing up as maintenance crews or disguising as other people, has since been a strategy for offline criminals. For cyberattackers, the ability to tamper with access controls may give them unauthorized access to buildings and areas for criminal schemes.

“If a visitor management system is working properly, it should be easier to identify which visitors are legitimate and if they should be allowed to move throughout the campus unescorted,” IBM says. “If the systems are not working as intended, they can provide a false sense of security to the companies deploying them.”

The company’s cybersecurity team, IBM X-Force Red revealed in a study that visitor management systems that are widely used in different hospitality establishment across the globe are indeed swathed with vulnerabilities that cybercriminals can easily exploit. The team tested security protocols of five popular visitor management systems offered by Jolly Technologies, HID Global, Threshold Security, Envoy, and The Receptionist.


IBM X-Force Red’s findings included information disclosure vulnerabilities, the use of default administrator credentials, privilege escalation bugs which could permit information breakouts of kiosk environments, and data leakage including visitor records, social security numbers, and driving license numbers.

“Even if the visitor management system is not connected to any network and does not issue badges, it still holds data about visitors, which can be a boon to competitors and inside traders,” the researchers say. “Knowing, for instance, that the CEO of a related company has been visiting every day for the last few weeks could be valuable intelligence to collect. Depending on what data the visitor management system stores, there may be an opportunity for identity theft as well.”

The researchers notified the vendors of the said tested visitor management systems before they disclosed the results to the public. Most of the determined vulnerabilities were fixed while some are being analyzed and bug fixes will be rolled out in the near futures. Some other issues are now being mitigated using different isolation techniques and improved security protocol at the end of the hospitality establishment that is using the said visitor management systems.


Please enter your comment!
Please enter your name here