Feeds

Hotel keycard firm issues fixes after Black Hat hacker breaks locks

But want customers to pay for them...

Top 5 reasons to deploy VMware with Tegile

Hotel lockmaker Onity has developed fixes to safeguard millions of hotel keycard locks against an attack demonstrated at the Black Hat conference last month. But the most comprehensive of the two approaches involves a partial hardware replacement that will cost hotels a substantial amount of cash to apply.

Mozilla software developer turned security researcher Cody Brocious used a Arduino micro-controller costing around $50 to come up with an effective hack against hotel keycard locks, which he demonstrated at last month's Blackhat security conference in Las Vegas.

The hack involved plugging in the homemade device into a data port on the underside of Onity’s locks, reading memory to extract a decryption key, before using this decryption key to fake an "open door" command. Brocious created a cheap rig that spoofed portable programmers, gadgets designed to allow hotels to change the settings on locks supplied by Onity.

The hack is only possible because of two interlinked problems: the ability to read memory locations on vulnerable electro-mechanical locks and flawed cryptography in the key cards system itself.

Onity (which initially dismissed the door springing hack as “unreliable, and complex to implement”) has come up with two mitigations against the attack, the most effective of which will necessitate its hotelier customers shelling out some more cash.

The entry-level (free) fix involves supplying a physical plug that blocks access to the portable programmer port of potentially vulnerable HT series locks, coupled with the use of more-obscure Torx screws to make it more difficulties for would-be intruders to open the lock's case and access its internal systems.

The second more rigorous fix involves upgrading the firmware of potentially vulnerable HT and ADVANCE series locks together with manually changing the locks' circuit boards. This more comprehensive fix comes with a fee including parts, shipping and labour costs. Older locks will be more expensive to upgrade – although there will be a special pricing programme, as a statement by Onity explains.

Both fixes will be available from the end of August.

It's unclear how much Onity's upgrade of its widely used hotel keycard locks will end up costing either hotel chains or Onity itself. Criticism has been voiced over the fact that hotel chains will have to pay out to get comprehensive remediation against a problem that's not of their making. "Given that it won’t be a low-cost endeavour, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger,” Brocious said.

"If such a significant issue were to exist in a car, customers would likely expect a complete recall at the expense of the manufacturer. I can’t help but feel that Onity has the same responsibility to their customers, and to customers staying in hotels protected by Onity locks."

Brocius also express doubts about the possible efficacy of the mitigations proposed by Onity, as explained in some depth in a blog post on the subject here.

Onity's keycard locks secure access to an estimated four million hotel rooms worldwide. Brocious decided not to give Onity pre-warning about the Black Hat hack prior to his demonstration. His former employer is also alleged to have sold a licence to use his hotel keycard-hacking trick to a locksmith training firm for $20,000 long before his presentation, according to Forbes reported.

Brocious said that the nature of the vulnerability was so fundamental that it had probably been an open secret for years. “With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” Brocious told Forbes. “An intern at the NSA could find this in five minutes.” ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.