Talk

Guess Who’s Coming To Room 305: Hacking Hotel Doors With Just A Name And a Date

conf 20.11.2025 16:50 – 17:20 La Marive EN

Checking into a hotel should mean a good night’s sleep, not handing your room key to a stranger. But what if we told you that unlocking some hotel doors only takes a bit of social engineering, a laptop, and the kind of information your luggage tag practically advertises?

During a pentest engagement in Switzerland, we stayed at a cutting-edge “smart” hotel featuring mobile check-in and digital room keys. With few vulnerabilities found in the API’s environment, we turned our attention to the hotel’s own systems. What we uncovered was surprising: a few simple pieces of metadata were enough to bypass access controls and unlock rooms, not through brute force, but via social engineering, a laptop, and a basic script.

We’ll walk through the technical flow behind these systems, show how flawed assumptions about guest privacy can be weaponized, and demonstrate how prioritizing simplicity in the user experience can lead to critical security oversights. While we’ll provide mitigation tips for hoteliers, this talk is ultimately aimed at travelers: those who trust digital keys without questioning the infrastructure behind them. Because sometimes, convenience comes at the cost of control, and that’s a trade-off guests deserve to understand.