
Hotel keycard firm issues fixes after Black Hat hacker breaks locks

But want customers to pay for them...


Hotel lockmaker Onity has developed fixes to safeguard millions of hotel keycard locks against an attack demonstrated at the Black Hat conference last month. But the more comprehensive of the two approaches involves a partial hardware replacement that will cost hotels a substantial amount of cash to apply.

Mozilla software developer turned security researcher Cody Brocious used an Arduino micro-controller costing around $50 to come up with an effective hack against hotel keycard locks, which he demonstrated at last month's Black Hat security conference in Las Vegas.

The hack involved plugging the homemade device into a data port on the underside of Onity’s locks and reading memory to extract a decryption key, before using this decryption key to fake an "open door" command. Brocious created a cheap rig that spoofed portable programmers, gadgets designed to allow hotels to change the settings on locks supplied by Onity.

The hack is only possible because of two interlinked problems: the ability to read memory locations on vulnerable electro-mechanical locks and flawed cryptography in the keycard system itself.

Onity (which initially dismissed the door springing hack as “unreliable, and complex to implement”) has come up with two mitigations against the attack, the most effective of which will necessitate its hotelier customers shelling out some more cash.

The entry-level (free) fix involves supplying a physical plug that blocks access to the portable programmer port of potentially vulnerable HT series locks, coupled with the use of more-obscure Torx screws to make it more difficult for would-be intruders to open the lock's case and access its internal systems.

The second, more rigorous fix involves upgrading the firmware of potentially vulnerable HT and ADVANCE series locks together with manually changing the locks' circuit boards. This more comprehensive fix comes with a fee including parts, shipping and labour costs. Older locks will be more expensive to upgrade – although there will be a special pricing programme, as a statement by Onity explains.

Both fixes will be available from the end of August.

It's unclear how much Onity's upgrade of its widely used hotel keycard locks will end up costing either hotel chains or Onity itself. Criticism has been voiced over the fact that hotel chains will have to pay out to get comprehensive remediation against a problem that's not of their making. "Given that it won’t be a low-cost endeavour, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger,” Brocious said.

"If such a significant issue were to exist in a car, customers would likely expect a complete recall at the expense of the manufacturer. I can’t help but feel that Onity has the same responsibility to their customers, and to customers staying in hotels protected by Onity locks."

Brocious also expressed doubts about the possible efficacy of the mitigations proposed by Onity, as explained in some depth in a blog post on the subject.

Onity's keycard locks secure access to an estimated four million hotel rooms worldwide. Brocious decided not to give Onity pre-warning about the Black Hat hack prior to his demonstration. His former employer is also alleged to have sold a licence to use his hotel keycard-hacking trick to a locksmith training firm for $20,000 long before his presentation, according to Forbes.

Brocious said that the nature of the vulnerability was so fundamental that it had probably been an open secret for years. “With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” Brocious told Forbes. “An intern at the NSA could find this in five minutes.” ®
