Open Millions of Hotel Rooms With Arduino
MrSeb writes with an excerpt from Extreme Tech about a presentation at Black Hat: "Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms. This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who didn't disclose the hack to Onity before going public, there is no easy fix: There isn't a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed. I wish I could say that Brocious spent months on this hack, painstakingly reverse-engineering the Onity lock protocol, but the truth — as always, it seems — is far more depressing. 'With how stupidly simple this is, it wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments,' says Brocious. 'An intern at the NSA could find this in five minutes.'"
Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms.
Well, that's it! There's only one thing we can do... outlaw Arduinos
When our name is on the back of your car, we're behind you all the way!
I always lock the door when I'm sleeping. Hopefully your hotel at least has a safe in the room to reduce your chances of property theft when you're away.
When the guys share these hacks with the companies ahead of time, they tend to get sued or get their presentations cancelled by the vengeful corporations. They're better off not disclosing these things ahead of time.
Great news for the budget-minded vacationer looking for a hotel bargain.
What political party do you join when you don't like Bible-thumpers *or* hippies?
Someone stole my first post. It was locked in a hotel room.
No problem. When an arduino wielding intruder bursts in just take shelter in the programmable-code safe bolted to the closet floor. No way anyone could ever figure out how to reverse engineer the lock on that puppy.
From TFA: He tested this hack on three randomly chosen hotel room doors, failed to open any. Had to stop to reprogram the device, and then managed to open one of the doors. I'll stick to being worried about corrupt security guards.
When demonstrated for the reporter, the hack only worked on *one* out of *four* of the doors tested in a REAL hotel, and then only on the second attempt after Brocious fine tuned and tweaked his software. Also, this can be defeated by simply using any one of the mechanical locks on the door.
The bottom line is that if you aren't using the mechanical bolt or slide lock when staying at *any* hotel, you were vulnerable way before this hack. Keep in mind that there are plenty of AUTHORIZED users of master card keys on the hotel staff.
Geeks now have the ability to get into your hotel room while changing into your bikini...
But why would a geek be changing into your bikini?
If telephones are outlawed, then only outlaws will have telephones.
It's easily and effectively argued that security through obscurity does no one any good, but responsible disclosure is still widely considered to be a good practice. Supposing a vendor is willing to fix their serious bugs, it really helps in preventing large scale attacks between the time of disclosure and reaction (by the vendor). If Onity had been willing to replace all its locks over a short period of time (say, 6 months) at massive cost to itself - but nevertheless done it to protect its long term reputation, it makes a lot of sense to give Onity that opportunity without outing the flaw. It's unlikely that such a large-scale replacement of locks would have been pursued, but giving Onity an opportunity to consider that option would have been responsible. It helps Onity, but it also helps customers of Onity (like Hotels who might have chosen to replace their locks, or individuals who might ask questions before going to a particular hotel). Now everybody knows it can be done, and many will try. Sure, an NSA intern could have figured it out, but the fact remains that it was not being massively exploited for large-scale robberies, for e.g. Targeted exploits are bad - no doubt - and I'm sure some of this was already going on, but there isn't much doubt that the sum total of targeted exploits does less bad than what might happen now - namely large scale exploits. I suppose I'm arguing that security-through-obscurity does work - but in a targeted and limited fashion - as to provide cover for short durations when real security is pursued. It may not work, but it's worth a try - and by going public before giving Onity a chance to pursue a 'fix', this researcher has, in my books, acted against public good.
-- obligatory (but true) caveat: my comments my own, and don't reflect my employer or colleagues' positions.
Just like paranoid IT departments physically blocking USB ports, you can fill that DC port with glue if you're a concerned guest. Not a popular move with the hotel though, I'm sure.
If true it's a pretty poor show by Onity, but I'm sure governments have had plenty of success simply forcing, tricking or bribing the hotel desk or cleaning staff into opening the rooms for them. I'm pretty sure that all the US government would have to do is turn up with a warrant and be given access to any room they like regardless of the type of lock used.
All locks can be defeated with enough effort. The goal often is to make it obvious that a lock was defeated - by leaving an electronic trail or physical one (broken door for e.g.). Akin to silent data-loss, silent compromise of a lock is much much worse.
-- obligatory (but true) caveat: my comments my own, and don't reflect my employer or colleagues' positions.
Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the hole with an exterior lock. Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only needs to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.
The hacker has (in his picture for the Forbes article) unkempt hair and a T-shirt that says "It's Fun To Use Learning For Evil!". I realize Black Hat has this whole counterculture thing going guys, but would it kill you to put on the veneer of respectability? Geez... this guy looks like a cliche movie hacker lackey.
You know that your intentions are honorable, that you wouldn't (for instance) rob a hotel room, and that maybe you are part of the process by which society gets stronger over the long run, but the audience of Forbes is predisposed to see you as a shady menace (or cost multiplier). And the audience of Forbes has more real influence to pass laws that restrict or limit access to your favorite toys (prior examples being some telephony tools, radio electronics, lockpicks, encryption software, etc.).
It sounds silly, but a clean shave and a button-down is how you say "I'm one of the good guys" to this crowd (or the general public, actually).
-1, Too Many Layers Of Abstraction
At my university, they use Onity door locks for the dorm rooms. While the unreliability may make this inefficient for hotel burgling, targeted thefts in the dorm may be an issue...
pwnity now...
http://www.acetonestudio.com
I read about this on BBC News this morning, and two things struck me:
1. "In tests Mr Brocious conducted with Forbes news site, the system did not prove entirely successful - only one of the three doors, at three hotels in New York, opened." So it doesn't work everywhere, but it's a good proof of concept. From the above ExtremeTech article: "Brocious found that he could simply read this 32-bit key out of the lock’s memory. No authentication is required ... By playing this 32-bit code back to the lock ... it opens." While Brocious seems to have taken this only to the demonstration stage, I'm sure others (CIA? MI5?) have made this method more reliable. It just seemed to me that Brocious is assuming this method applies everywhere, and possibly oversold it.
2. He didn't share this with the hotel lock vendor, Onity. While he's certainly not required to share that info with Onity, it seems a bit shady to only release the information publicly at a blackhat conference, and force the vendor to respond to it after the hack is "in the wild." I wonder if he was worried that if he shared the vulnerability with Onity beforehand that it would take away some of the "thunder" from his presentation. Or maybe it's simply less cool to say to a blackhat convention "I shared this with the vendor, and they're working on it."
Like the old saying goes, locks only keep honest people out. If someone wants to get into something, given enough time and resources there is nothing that will keep them out.
When you look at something like the Mossad Assassination of Mahmoud Al-Mabhouh in Dubai it seems clear that gov't agencies around the world are already well versed in hacking these locks. The hacks seem no more sophisticated than ATM skimming and hacking. I'm surprised there aren't more of these devices available for sale already.
who didn't disclose the hack to Onity before going public
Excellent. I am sick and tired of the bad guys trying to use legal muscle to prevent talks from occurring. How many Black Hat talks have been cancelled this way already? This is what you get. People will not tell you and just do their talk.
If he is always itching to disclose, who would ever hire him?
Answer: the wrong people. Not that it sounds like his skills are so great.
I'd be worried about his safety, next time.
There may be quite a number of people who have had items stolen from rooms "secured" by these locks now wondering what really happened. I also wonder whether there are any fired hotel staff who have been wronged in this. As Brocious points out, the hack is rather trivial and he's unlikely to have been the first/only person to have figured it out. Brocious > Onity : Oops I accidentally your whole business.
"Dance like nobody's watching"
“One percent of people will always be honest and never steal. Another 1% will always be dishonest and always try to pick your lock and steal your television; locks won't do much to protect you from the hardened thieves, who can get into your house if they really want to. The purpose of locks is to protect you from the 98% of mostly honest people who might be tempted to try your door if it had no lock.”
You have until the end of the day to gather your things and turn in your geek card.
Brocious was hired to reverse engineer hotel locks, and Onity was his first target. The discovery of Onity's security vulnerabilities was entirely unintentional, he says.
How can he be trying to reverse engineer the lock and unintentionally break it?
Well done, sir.
My feeling is that Onity should have undertaken a security audit on their product. Hire a bureau/hacker/lab to evaluate the product and the security issues. It turns out that many hotel guests over the world risk compromise of their rooms/belongings. That has been going on for a long time already. If Onity would go bust due to this, they get what they deserve. The saying goes on: It is not difficult to develop something that always gives the right answer, it is _very_ difficult to develop something that _never_ gives the wrong answer. For security applications the latter is valid.
You don't need his geek card. It was hacked in 5^H 2 minutes using a raspberry pi!
The hotels only bought a License to the security product.
If that security is bypassed the hotels owe damages to the License holder, or Eric Holder, I forget which.
No brain, no pain.
My ex was dyslexic, she loved to cook sox.
Electronic security (and also IT security) is mostly pathetic in the real world and relies on the fact that most criminals are stupid. With system-breaks possible with electronics and IT this is still true, but does not protect the target systems anymore, because criminals can get the attack-solutions pre-packaged from the web.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Do people really expect security on their hotel locks? Do most places even have metal door frames? We all know regular locks can be picked with some skill. Why are we surprised that digital locks can be "picked" with some skill? Besides, for an intelligent criminal, it is probably fairly easier to steal a master key. They can then leave the key in the hallway so the maid simply thinks they dropped it. Also, what is to say the maid is even trustworthy? There are so many factors that can come into play that one should assume that the door lock is insecure and then decide what is an acceptable risk. Your room isn't a vault after all.
A locksmith that I worked for once upon a time said (I installed and fixed security systems for him): "locks are to keep honest people honest". If someone wants to steal something bad enough, they will find a way.
Insanity: doing the same thing over and over again and expecting different results. Albert Einstein
Here's a way to defeat the hack, right out of Abbie Hoffman's Steal This Book. Bring some two tube 5 minute epoxy with you. If the lock to your room has one of those DC jacks in it, mix up some epoxy and fill the jack with it. Problem solved!
Um, nope. Wire goes into bottom of lock, top of lock has black rectangle where card goes. Or do you go to hotels where you use the card key to open the door from the inside?
You sir.. Are a moron.... The picture in the article CLEARLY shows the OUTSIDE of the door.
When you can just steal the master key card from a maid. This is stupid. Think simple people. Everything does not have to involve complicated gadgets and hacking.
I like how this vulnerability's been there for years and someone only mentions it now, maybe they were done having fun with it and felt they should do the right thing and tell the public about it. The other way of breaking in to them is to use a hacked keycard, the security on those doors isn't hard to break. You stay there a few times asking for the same room and you'll be able to gain access, some people stay at hotels all the time, so it would only be a matter of time before they had access to all of them. Let's face it, the Site ID's only 32 bits, it wouldn't take long for someone to crack it and make their own key cards that would work with any brand.
This is a Mac, what you have there is an embarrassment to your fellow computer users.
Congratulations. The system put in to replace the old system isn't infinitely the best system possible. Dude, it's still better than the old system. I think most forget that this replaced a normal key and lock.
The normal key and lock can be picked with far cheaper components and far less experience than this one. Lockpicks aren't expensive. They never were.
So quit complaining, and quit leaving your passport in your hotel room.
I'm pretty sure I saw a video of someone unlocking chain locks with a rubber band.
required, ADA stuff.. the door handle on all modern locks in multi-unit dwellings will disengage the deadbolt...
every day http://en.wikipedia.org/wiki/Special:Random
What the hell happened to whistleblower protections?
Some call it a flaw, but others know it as the backdoor.
They never learn from JB iProducts, even they do that themselves.
SmartCards, SmartPassport,
I'd like to thank you for making many seemingly stupid movies now completely plausible. PS, I have included a gift basket full of internets.
So basically we are saying that someone with highly specialized skills and the right hardware is able to open an electronic lock? Back in the present, people with a lockpick set and the skills to use one are able to open millions of regular locks, and nobody was freaking out about that. Locks aren't meant to keep out resourceful intelligent people, they are meant to keep out stupid opportunistic criminals. Nothing has changed.
with a wire hanger.
http://www.youtube.com/watch?feature=player_embedded&v=WAkJRpKeyYg
But why don't the government just drop a nuke on this "conference"?
I'm actually staying right now in a hotel room with an Onity lock on the room door. Any advice?
He doesn't have a geek card, he's a special-ed student trolling the smart kids. Ignore him and maybe he'll go back to playing basketball and leave us alone.
Free Martian Whores!
But, if you're US'ian and feel the need to be terrorized you should do so at an Orange Terror alert level. Feel free to up it to Red if you see any ethnic groups you aren't comfortable with or people playing with small digital devices you can't identify.
Don't complain about syntax, grammar, or spelling. There is no.hell like input on android.
Order some Arduino modules?
But the solution is simply easy idiotic! (KISS keep it simple, stupid!). Redundancy, just add a second traditional lock. Use the hotel vault and three lock doors if you fear theft, do not care if all you would lose is a pair of shirts. Cameriers enter hotel rooms on a minute basis if they want EVEN if you lock it and have a do not disturb message outside. Even if you barricade the door with chairs... I know that. So?
There is also the drumstick trick as seen in New York Minute.
Actually the trick shown in the movie is dive to hold the door open with your drum stick just as the occupant leaves.