Hotel blames burglaries on hacked Onity card locks

A Texas hotel is claiming to have suffered multiple burglaries stemming from flaws in a common type of electronic lock, exploits for which were demonstrated at this year's Black Hat hacking conference. In July, security researcher Cody Brocious showed how a device cobbled together from $50 worth of parts could be used to break …

COMMENTS

This topic is closed for new posts.
  1. Ross K Silver badge
    Flame

    Low tech fix?

    Superglue or hot-glue the data port shut?

    1. Oninoshiko

      Re: Low tech fix?

      Epoxy, which cyanoacrylate (or "super glue") is, was specifically mentioned in the article.

      1. Ross K Silver badge
        Stop

        Re: Low tech fix?

        Sorry, I fell asleep reading your reply.

        Superglue is a cyanoacrylate you say? I think you're mistaking me for someone who gives a crap.

      2. Chris 244
        Boffin

        Cyanoacrylate /= epoxy

        Cyanoacrylates do not contain epoxide groups, and are therefore most definitely NOT epoxies.

      3. Mark 65

        Re: Low tech fix?

        @Oninoshiko: I think you're confusing your Super Glue with your Araldite

  2. Anonymous Coward

    "Blames"?

    It's *clear* that the burglaries were accomplished via hacked Onity card locks. The *blame* for the insecurity and refusal to admit such needs to be laid squarely at Onity's doorstep.

    1. Anonymous Coward

      Re: "Blames"?

      In my experience of this system at Marriott, the operators and their systems were so poor that hackers were the least of your worries. One time we were allocated a room, given a key, and walked in to find the room already occupied. Moreover, the rather unhappy occupants' cards no longer worked their door. Reception issued a new room, new key cards, and we found that the system correctly showed guest and room, but that they'd changed the cards for the people we'd walked in on so that they opened our new room. Lord knows what room our cards would then have opened.

      As a system, it shouldn't be possible to issue new guest cards when a room is already booked, occupied and key cards issued (other than in emergency or lost card situations), it shouldn't be possible to re-assign the card (other than to cancel it) when the card is not in reception's hands, and it shouldn't be possible to double book a room in the first place - have they never heard of locking a record?

      I have zero confidence in these key card systems, and I suspect that the risk will remain as dodgy staff with master keys, or stolen master key cards, rather than hackers.

  3. NomNomNom

    just put tigers behind 50% of the doors

    1. hplasm
      Happy

      And

      cougars behind the rest...

    2. Anonymous Coward 15

      Lions and tigers and bears, oh my!

  4. bazza Silver badge

    All eggs in one basket

    It's a good description of an electronic lock system like this. Real keys are perhaps the better solution...

    1. Peter H. Coffin

      Re: All eggs in one basket

      Real keys put you right into a different basket of problems: that there will exist only a small number of keys for each room, that keys become expensive to replace instead of cheap, and it becomes impractical to change the locks every time a guest leaves. The early part of the Arthur Hailey novel "Hotel" (and his character Julius "Keycase" Milne) is recommended as an example of how hotel burglaries were ROUTINELY a problem in the "real key" era.

    2. Gerhard Mack

      Re: All eggs in one basket

      Aside from the problem of handing every customer an easily duplicated way to open the door in the future, most mechanical locks can be easily circumvented with a bump key.

      1. Stoneshop
        FAIL

        Re: All eggs in one basket

        On top of that, either the cleaners will have to lug around a serious amount of iron, one key for every door, or there will exist a master key (or a small number of, say one for every floor). Physical keys can even be duplicated using only the keyway shape (easily taken from the actual lock with a lump of wax, or similar) and a photo, or else key impressioning. And once you have a duplicate of the master key, the hotel's security is done for.

  5. Anonymous Coward

    Forgive my ignorance

    Presumably these locks are linked to a building management system of some kind and are thus addressable by that system?

    If both of the above are true why does the lock need a data port?

    1. Anonymous Coward
      IT Angle

      Re: why does the lock need a data port?

      "Presumably these locks are linked to a building management system of some kind and are thus addressable by that system?"

      That would require wiring up the building; the cheaper solution is to use the mobile unlocking device. They also need to visit each lock to enable a new master key. That's why the lock needs a data port. Master keys are generated on a password-protected desktop device at reception, which uses the same password as the managers' Windows passwords.

  6. The BigYin

    Full disclosure

    And this is why you need it. Even if all the code and workings are shown and explained, if the lock is any good it will hold once it is engaged. SSH (to pick one) is full disclosure. It's also absolute nails once it is set-up (correctly) and engaged.

    I'm reminded of the "high security" locks that were breached by the young girl at DefCon.

    Obscurity is not security.

    1. Andrew Barratt
      FAIL

      Re: Full disclosure

      What is frustrating is that they only did something after the information was demoed at Black Hat. If they had really cared they would have listened to the researcher when he told them initially, advised all their clients that there was a problem and those data ports could have been glued up or something before Black Hat. Find it bonkers that the data port is on the outside portion of the lock though. It's like fitting a door handle with all the screws facing outward.

      1. SYNTAX__ERROR
        Facepalm

        Re: Door handle

        Um, all the screws for a door handle do face outward. Removing the handle doesn't give a would-be intruder any advantage though.

  7. Arachnoid

    Old news reported many months ago and to be honest the thefts fall squarely on the heads of the hotels who didn't upgrade their security systems. Electronic locks are no more secure and no different to the older mechanical type devices they replaced in that they are liable to be compromised at some point in time; they are not future-proof and only act as a deterrent.

  8. JaitcH
    Happy

    The simplest solution to this risk for 'guests' is to ...

    carry their own tube of fast-drying epoxy so you can seal up your own locks after checking in.

    When I use hotel rooms I only unpack what I need and keep my baggage bundled up behind Pac Safe which is secure enough to beat the TSA thieves employed by US Homeland Security.

    Pac-Safe now has a range of sizes including ones that secure lap-tops and even smartphones, which can be tethered to a large immovable object in the room.

  9. Don Jefe
    Stop

    Rubbish

    A simple rubber band strapped exactly opposite the bottom edge of the mag strip will open any electronic hotel lock (at least in the U.S.).

    The feature is there for firefighters to be able to enter rooms in case of an emergency. I (and 39 others) were shown how to do this when we volunteered to chaperone inner city kids on learning voyages. I can't imagine the info hasn't gotten out & douchebags are exploiting it. It is a wonder it has taken this long.

    Sometimes it doesn't take fancy technology to break something. It may be as simple as a rubber band.

    1. Stoneshop

      Re: Rubbish

      Well, not in Europe, as far as I know. The cards slide into a slot that would not allow a rubber band around the card, and I can't remember seeing a magstripe on the cards I've been issued; the readers on the doors looked identical in the hotels I've stayed in, so those appear to be from a single vendor. I can't readily find the technology used in the cards here, but I presume it's RFID, and in that case probably Mifare.

  10. Ommerson
    FAIL

    Broken design

    The security of these locks is fundamentally broken, and if the hacker's paper is to be believed, the design is at best negligent, with all the hallmarks of 'we know best' security practice - in particular the DIY crypto algorithm.

    Onity's statement is disingenuous: the hack is hardly complex - it involves little more than a low cost micro-controller, a battery and a few passives - probably about $5 of parts. Schematics and full source-code are readily available. The report elsewhere that a pen-size lock-pick has been made is not at all surprising.

    What surprises me is that this isn't already heading towards a class-action law-suit state-side - especially if the reports here that Onity is charging hotels for new lock components are true.

  11. Velv
    FAIL

    Onity called the hack "unreliable, and complex to implement,"

    If I remember correctly, their "complex to implement" required the attacker to acquire a torx screwdriver, something clearly so much harder to come by than the few electronic components required.

    1. Anonymous Coward

      Onity called the hack "unreliable, and complex to implement,"

      They were probably referring to their own systems, not the hack.
