November 27, 2012

Well that didn't take long - hotel lock security

From Slashdot — July 25th:

“Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms. This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who didn't disclose the hack to Onity before going public, there is no easy fix: There isn't a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed. I wish I could say that Brocious spent months on this hack, painstakingly reverse-engineering the Onity lock protocol, but the truth — as always, it seems — is far more depressing. 'With how stupidly simple this is, it wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments,' says Brocious. 'An intern at the NSA could find this in five minutes.'”

From Forbes — yesterday:

Security Flaw In Common Keycard Locks Exploited In String Of Hotel Room Break-Ins
Whoever robbed Janet Wolf’s hotel room did his work discreetly.

When Wolf returned to the Hyatt in Houston’s Galleria district last September and found her Toshiba laptop stolen, there was no sign of a forced door or a picked lock. Suspicions about the housekeeping staff were soon ruled out, too—-Wolf says the hotel management used a device to read the memory of the keycard lock and told her that none of the maids’ keys had been used while she was away.

More:

Two days after the break-in, a letter from hotel management confirmed the answer: The room’s lock hadn’t been picked, and hadn’t been opened with any key. Instead, it had been hacked with a digital tool that effortlessly triggered its opening mechanism in seconds. The burglary, one of a string of similar thefts that hit the Hyatt in September, was a real-world case of a theoretical intrusion technique researchers had warned about months earlier—one that may still be effective on hundreds of thousands or millions of locks protecting hotel rooms around the world.

They caught the perp. Some more:

That security flaw was first publicly demonstrated by Cody Brocious, a 24-year-old software developer for Mozilla, at the Black Hat hacker conference in July. Brocious reverse-engineered Onity’s locks and discovered he could spoof the “portable programmer” device meant to be used for designating master keys and opening locks whose batteries had died.

On stage at Black Hat, Brocious showed it was possible to insert the plug of a small device he built with less than $50 in parts into the port at the bottom of any Onity keycard lock, read the digital key that provides access to the opening mechanism of the lock, and open it instantaneously.

Onity fixed the flaw but:

But even Onity’s official response, late as it may be, has left something to be desired. Rather than pay for the full fix itself, which requires a new circuit board for every affected lock, Onity has asked its hotel customers to cover the cost of those hardware replacements. Its free alternative involves merely blocking the port on the bottom of the lock instead with a plastic plug and changing the screws on the locks to a more obscure model to make it harder to open the locks’ cases and remove the plugs.

Good Lord —- they should go overboard, take the hit and send out free replacement cards to all their customers. That would be the honorable thing to do. The article goes on to mention that some of the smaller hotels will not be able to afford the cost of this fax and will opt for not doing it — incredible security breach. Onity is being an asshat for not stepping up to the plate. Their “free” fix using modified TORX screws can be defeated by this Harbour Freight security bit set — now on sale for $9.99.

Posted by DaveH at November 27, 2012 12:56 PM
Comments
Post a comment









Remember personal info?