Feeds

Hotel keycard firm issues fixes after Black Hat hacker breaks locks

But want customers to pay for them...

The essential guide to IT transformation

Hotel lockmaker Onity has developed fixes to safeguard millions of hotel keycard locks against an attack demonstrated at the Black Hat conference last month. But the most comprehensive of the two approaches involves a partial hardware replacement that will cost hotels a substantial amount of cash to apply.

Mozilla software developer turned security researcher Cody Brocious used a Arduino micro-controller costing around $50 to come up with an effective hack against hotel keycard locks, which he demonstrated at last month's Blackhat security conference in Las Vegas.

The hack involved plugging in the homemade device into a data port on the underside of Onity’s locks, reading memory to extract a decryption key, before using this decryption key to fake an "open door" command. Brocious created a cheap rig that spoofed portable programmers, gadgets designed to allow hotels to change the settings on locks supplied by Onity.

The hack is only possible because of two interlinked problems: the ability to read memory locations on vulnerable electro-mechanical locks and flawed cryptography in the key cards system itself.

Onity (which initially dismissed the door springing hack as “unreliable, and complex to implement”) has come up with two mitigations against the attack, the most effective of which will necessitate its hotelier customers shelling out some more cash.

The entry-level (free) fix involves supplying a physical plug that blocks access to the portable programmer port of potentially vulnerable HT series locks, coupled with the use of more-obscure Torx screws to make it more difficulties for would-be intruders to open the lock's case and access its internal systems.

The second more rigorous fix involves upgrading the firmware of potentially vulnerable HT and ADVANCE series locks together with manually changing the locks' circuit boards. This more comprehensive fix comes with a fee including parts, shipping and labour costs. Older locks will be more expensive to upgrade – although there will be a special pricing programme, as a statement by Onity explains.

Both fixes will be available from the end of August.

It's unclear how much Onity's upgrade of its widely used hotel keycard locks will end up costing either hotel chains or Onity itself. Criticism has been voiced over the fact that hotel chains will have to pay out to get comprehensive remediation against a problem that's not of their making. "Given that it won’t be a low-cost endeavour, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger,” Brocious said.

"If such a significant issue were to exist in a car, customers would likely expect a complete recall at the expense of the manufacturer. I can’t help but feel that Onity has the same responsibility to their customers, and to customers staying in hotels protected by Onity locks."

Brocius also express doubts about the possible efficacy of the mitigations proposed by Onity, as explained in some depth in a blog post on the subject here.

Onity's keycard locks secure access to an estimated four million hotel rooms worldwide. Brocious decided not to give Onity pre-warning about the Black Hat hack prior to his demonstration. His former employer is also alleged to have sold a licence to use his hotel keycard-hacking trick to a locksmith training firm for $20,000 long before his presentation, according to Forbes reported.

Brocious said that the nature of the vulnerability was so fundamental that it had probably been an open secret for years. “With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” Brocious told Forbes. “An intern at the NSA could find this in five minutes.” ®

Next gen security for virtualised datacentres

More from The Register

next story
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.