Hotel blames burglaries on hacked Onity card locks

A Texas hotel is claiming to have suffered multiple burglaries stemming from flaws in a common type of electronic lock, exploits for which were demonstrated at this year's Black Hat hacking conference. In July, security researcher Cody Brocious showed how a device cobbled together from $50 worth of parts could be used to break …

COMMENTS

This topic is closed for new posts.
Bronze badge
Flame

Low tech fix?

Superglue or hot-glue the data port shut?

0
7
Silver badge

Re: Low tech fix?

Epoxy, which cyanoacrylate (or "super glue") is, was specifically mentioned in the article.

3
8
Bronze badge
Stop

Re: Low tech fix?

Sorry, I fell asleep reading your reply.

Superglue is a cyanoacrylate you say? I think you're mistaking me for someone who gives a crap.

0
26
Boffin

Cyanoacrylate /= epoxy

Cyanoacrylates do not contain epoxide groups, and are therefore most definitely NOT epoxies.

7
0
Silver badge

Re: Low tech fix?

@Oninoshiko: I think you're confusing your Super Glue with your Araldite.

0
0
Anonymous Coward

"Blames"?

It's *clear* that the burglaries were accomplished via hacked Onity card locks. The *blame* for the insecurity and refusal to admit such needs to be laid squarely at Onity's doorstep.

1
0
Silver badge

Re: "Blames"?

In my experience of this system at Marriott, the operators and their systems were so poor that hackers were the least of your worries. One time we were allocated a room, given a key, and walked in to find the room already occupied. Moreover, the rather unhappy occupants' cards no longer worked their door. Reception issued a new room, new key cards, and we found that the system correctly showed guest and room, but that they'd changed the cards for the people we'd walked in on so that they opened our new room. Lord knows what room our cards would then have opened.

As a system, it shouldn't be possible to issue new guest cards when a room is already booked, occupied and key cards issued (other than in emergency or lost card situations), it shouldn't be possible to re-assign the card (other than to cancel it) when the card is not in reception's hands, and it shouldn't be possible to double book a room in the first place - have they never heard of locking a record?

I have zero confidence in these key card systems, and I suspect that the risk will remain as dodgy staff with master keys, or stolen master key cards, rather than hackers.

1
0
Silver badge

just put tigers behind 50% of the doors

13
0
Silver badge
Happy

And

cougars behind the rest...

3
0
Bronze badge

Lions and tigers and bears, oh my!

0
0
Bronze badge

All eggs in one basket

It's a good description of an electronic lock system like this. Real keys are perhaps the better solution...

0
5

Re: All eggs in one basket

Real keys put you right into a different basket of problems: that there will exist only a small number of keys for each room, that keys become expensive to replace instead of cheap, and it becomes impractical to change the locks every time a guest leaves. The early part of the Arthur Hailey novel "Hotel" (and his character Julius "Keycase" Milne) is recommended as an example of how hotel burglaries were ROUTINELY a problem in the "real key" era.

3
0

Re: All eggs in one basket

Aside from the problem of handing every customer an easily duplicated way to open the door in the future, most mechanical locks can be easily circumvented with a bump key.

2
0
Bronze badge
FAIL

Re: All eggs in one basket

On top of that, either the cleaners will have to lug around a serious amount of iron, one key for every door, or there will exist a master key (or a small number of, say one for every floor). Physical keys can even be duplicated using only the keyway shape (easily taken from the actual lock with a lump of wax, or similar) and a photo, or else key impressioning. And once you have a duplicate of the master key, the hotel's security is done for.

0
0
Anonymous Coward

Forgive my ignorance

Presumably these locks are linked to a building management system of some kind and are thus addressable by that system?

If both of the above are true why does the lock need a data port?

0
0
IT Angle

Re: why does the lock need a data port?

"Presumably these locks are linked to a building management system of some kind and are thus addressable by that system?"

That would require wiring up the building; the cheaper solution is to use the mobile unlocking device. They also need to visit each lock to enable a new master key. That's why the lock needs a data port. Master keys are generated on a password-protected desktop device at reception, which uses the same password as the managers' Windows passwords.

0
0
Silver badge

Full disclosure

And this is why you need it. Even if all the code and workings are shown and explained, if the lock is any good it will hold once it is engaged. SSH (to pick one) is full disclosure. It's also absolute nails once it is set-up (correctly) and engaged.

I'm reminded of the "high security" locks that were breached by the young girl at DefCon.

Obscurity is not security.

3
0
FAIL

Re: Full disclosure

What is frustrating is that they only did something after the information was demoed at Black Hat. If they had really cared they would have listened to the researcher when he told them initially, advised all their clients that there was a problem and those data ports could have been glued up or something before Black Hat. Find it bonkers that the data port is on the outside portion of the lock though. It's like fitting a door handle with all the screws facing outward.

1
0
Facepalm

Re: Door handle

Um, all the screws for a door handle do face outward. Removing the handle doesn't give a would-be intruder any advantage though.

0
0
Bronze badge

Old news reported many months ago and to be honest the thefts fall squarely on the heads of the hotels who didn't upgrade their security systems. Electronic locks are no more secure and no different to the older mechanical type devices they replaced in that they are liable to be compromised at some point in time; they are not future proof and only act as a deterrent.

1
6
Silver badge
Happy

The simplest solution to this risk for 'guests' is to ...

carry their own tube of fast-drying epoxy so you can seal up your own locks after checking in.

When I use hotel rooms I only unpack what I need and keep my baggage bundled up behind Pac Safe which is secure enough to beat the TSA thieves employed by US Homeland Security.

Pac-Safe now has a range of sizes including ones that secure lap-tops and even smartphones, which can be tethered to a large immovable object in the room.

0
0
Silver badge
Stop

Rubbish

A simple rubber band strapped exactly opposite the bottom edge of the mag strip will open any electronic hotel lock (at least in the U.S.).

The feature is there for firefighters to be able to enter rooms in case of an emergency. I (and 39 others) were shown how to do this when we volunteered to chaperone inner city kids on learning voyages. I can't imagine the info hasn't gotten out & douchebags are exploiting it. It is a wonder it has taken this long.

Sometimes it doesn't take fancy technology to break something. It may be as simple as a rubber band.

0
0
Bronze badge

Re: Rubbish

Well, not in Europe, as far as I know. The cards slide into a slot that would not allow a rubber band around the card, and I can't remember seeing a magstripe on the cards I've been issued; the readers on the doors looked identical in the hotels I've stayed in, so those appear to be from a single vendor. I can't readily find the technology used in the cards here, but I presume it's RFID, and in that case probably Mifare.

0
0
FAIL

Broken design

The security of these locks is fundamentally broken, and if the hacker's paper is to be believed, the design is at best negligent, with all the hallmarks of 'we know best' security practice - in particular the DIY crypto algorithm.

Onity's statement is disingenuous: the hack is hardly complex - it involves little more than a low-cost micro-controller, a battery and a few passives - probably about $5 of parts. Schematics and full source-code are readily available. The report elsewhere that a pen-size lock-pick has been made is not at all surprising.

What surprises me is that this isn't already heading towards a class-action law-suit state-side - especially if the reports here that Onity is charging hotels for new lock components are true.

2
0
Silver badge
FAIL

Onity called the hack "unreliable, and complex to implement,"

If I remember correctly, their "complex to implement" required the attacker to acquire a Torx screwdriver, something clearly so much harder to come by than the few electronic components required.

1
0
Silver badge

Onity called the hack "unreliable, and complex to implement,"

They were probably referring to their own systems, not the hack.

1
0