Slashdot Mirror


Open Millions of Hotel Rooms With Arduino

MrSeb writes with an excerpt from Extreme Tech about a presentation at Black Hat: "Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms. This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who didn't disclose the hack to Onity before going public, there is no easy fix: There isn't a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed. I wish I could say that Brocious spent months on this hack, painstakingly reverse-engineering the Onity lock protocol, but the truth — as always, it seems — is far more depressing. 'With how stupidly simple this is, it wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments,' says Brocious. 'An intern at the NSA could find this in five minutes.'"

31 of 268 comments

  1. Well, that's it! by camperdave · · Score: 5, Insightful

    > Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms.

    Well, that's it! There's only one thing we can do... outlaw Arduinos

    --
    When our name is on the back of your car, we're behind you all the way!
    1. Re:Well, that's it! by Joce640k · · Score: 5, Insightful

      "...who should be scolded for not disclosing the hack to Onity before going public"

      a) As if they don't already know what the hack is.
      b) If the only solution is to change all the locks, maybe on their own dime, do you think disclosure will make them volunteer to do it?

      --
      No sig today...
  2. I wouldn't have either by Anonymous Coward · · Score: 5, Insightful

    When the guys share these hacks with the companies ahead of time, they tend to get sued or get their presentations cancelled by the vengeful corporations. They're better off not disclosing these things ahead of time.

    1. Re:I wouldn't have either by TheCarp · · Score: 4, Funny

      That is, unless he is planning to use the Basic Instinct Defense "What, do you think I am stupid enough to publish details of how a murder could be committed, by anyone, using these devices, and then do it myself?"

      Though, if he tries it, I hope he remembers, the short white dress and no underwear is key to making it work.

      --
      "I opened my eyes, and everything went dark again"
    2. Re:I wouldn't have either by Yvanhoe · · Score: 4, Insightful

      Onity sells fake security. They are the ones who should be sued by their thousands of clients. If you sell security, you have to be good at it.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    3. Re:I wouldn't have either by Mathinker · · Score: 4, Insightful

      > suggesting a plan for murder is a really, really poor choice

      From the website explanation:

      Such circumstantial evidence, placing a staff member in the room at the time of death, could be damning in a murder trial, and at least would make that staff member a prime suspect. While other factors (e.g. closed circuit cameras, eyewitnesses, etc) could be used to support the staff member's case, there's no way we can know whether or not the audit report is false.

      Unless you believe that Brocious can somehow know the details of every murder trial currently going on anywhere in the world at this time, this fact is actually an excellent defense for justifying immediate disclosure.

      And anyway, if your interesting legal theory was correct, the broadcast of every Columbo episode, for example, would have exposed {N,A}BC to criminal charges or civil liability. Not likely.

  3. Bad news for you maybe by crazyjj · · Score: 5, Funny

    Great news for the budget-minded vacationer looking for a hotel bargain.

    --
    What political party do you join when you don't like Bible-thumpers *or* hippies?
  4. Re:Lock the door when inside by Iniamyen · · Score: 5, Funny

    Don't fret, most hotel rooms have safes secured by Onity programmable key card locks.

  5. Re:Lock the door when inside by h4rr4r · · Score: 5, Informative

    Many of those safes have backup passwords; hotels generally do not change the default one.

  6. Reliable? by Slippery_Hank · · Score: 4, Informative

    From TFA: He tested this hack on three randomly chosen hotel room doors, failed to open any. Had to stop to reprogram the device, and then managed to open one of the doors. I'll stick to being worried about corrupt security guards.

    1. Re:Reliable? by Anonymous Coward · · Score: 5, Insightful

      > From TFA: He tested this hack on three randomly chosen hotel room doors, failed to open any. Had to stop to reprogram the device, and then managed to open one of the doors. I'll stick to being worried about corrupt security guards.

      Proof of Concept != Final Version

    2. Re:Reliable? by Anonymous Coward · · Score: 5, Informative

      I suspected upon hearing this that he was trying to bitbang a protocol using the Arduino functions such as delayMicroseconds and digitalWrite and he was probably having to adjust these to account for inconsistencies caused perhaps between locks (where battery voltage may affect timing) but also the inherent timing problems caused by the braindead manner in which these "friendly" functions operate. Even worse, he is using the Arduino's Serial library which is even worse about causing timing and memory problems.

      Upon reading his code I found that assumption to be correct. If he ditched the Arduino library and wrote correct AVR code using ISRs and hardware timers to implement the communication protocol I think the reliability of the exploit would dramatically improve. Reading his analysis of the protocol I even think the two-wire interface could be used directly with a tiny bit of extra hardware. Also, the Arduino MEGA is unnecessary; a normal Arduino or even a $2 ATTiny would do this job fine.

      I should mention that it's not his fault that the Arduino library is terrible code and that it's essentially unusable for this kind of thing; they do sort of purport that it is more capable than it is. I do however suggest that you adjust your thoughts on the reliability of his exploit.

  7. A bit of hyperbole... by kaizendojo · · Score: 5, Insightful

    When demonstrated for the reporter, the hack only worked on *one* out of *four* of the doors tested in a REAL hotel, and then only on the second attempt after Brocious fine-tuned and tweaked his software. Also, this can be defeated by simply using any one of the mechanical locks on the door.

    The bottom line is that if you aren't using the mechanical bolt or slide lock when staying at *any* hotel, you were vulnerable way before this hack. Keep in mind that there are plenty of AUTHORIZED users of master card keys on the hotel staff.

    1. Re:A bit of hyperbole... by SkimTony · · Score: 5, Insightful

      When a hotel staffer uses a master key card, it's logged (the security system notes which key was used when). Presumably with this hack, that isn't necessary. Also, the ability to open the doors on 25% of hotel rooms is still a concern.

    2. Re:A bit of hyperbole... by Anonymous Coward · · Score: 5, Insightful

      > The bottom line is that if you aren't using the mechanical bolt or slide lock when staying at *any* hotel, you were vulnerable way before this hack.

      That might work if you're *in* the room. What if you need to venture outside?

    3. Re:A bit of hyperbole... by Anonymous Coward · · Score: 5, Interesting

      Does Onity offer centrally logged door units?

      99% of the shit I've worked with at hotels (from an installation POV) just checks that the mag card has a particular number in track 3. They're dumb as fuck.
      Putting the word "ADM" in track 2 unlocks most of the doors in many hotels. Sad but true fact.

  8. swedish supermodels beware by tekrat · · Score: 5, Funny

    Geeks now have the ability to get into your hotel room while changing into your bikini...

    But why would a geek be changing into your bikini?

    --
    If telephones are outlawed, then only outlaws will have telephones.
  9. What happened to responsible disclosure? by nastav · · Score: 5, Insightful

    It's easily and effectively argued that security through obscurity does no one any good, but responsible disclosure is still widely considered to be a good practice. Supposing a vendor is willing to fix their serious bugs, it really helps in preventing large scale attacks between the time of disclosure and reaction (by the vendor). If Onity had been willing to replace all its locks over a short period of time (say, 6 months) at massive cost to itself - but nevertheless done it to protect its long term reputation, it makes a lot of sense to give Onity that opportunity without outing the flaw. It's unlikely that such a large-scale replacement of locks would have been pursued, but giving Onity an opportunity to consider that option would have been responsible. It helps Onity, but it also helps customers of Onity (like Hotels who might have chosen to replace their locks, or individuals who might ask questions before going to a particular hotel). Now everybody knows it can be done, and many will try. Sure, an NSA intern could have figured it out, but the fact remains that it was not being massively exploited for large-scale robberies, for example. Targeted exploits are bad - no doubt - and I'm sure some of this was already going on, but there isn't much doubt that the sum total of targeted exploits does less bad than what might happen now - namely large scale exploits. I suppose I'm arguing that security-through-obscurity does work - but in a targeted and limited fashion - as to provide cover for short durations when real security is pursued. It may not work, but it's worth a try - and by going public before giving Onity a chance to pursue a 'fix', this researcher has, in my books, acted against public good.

    --
    -- obligatory (but true) caveat: my comments my own, and don't reflect my employer or colleagues' positions.
    1. Re:What happened to responsible disclosure? by epine · · Score: 4, Insightful

      > If Onity had been willing to replace all its locks over a short period of time (say, 6 months) at massive cost to itself - but nevertheless done it to protect its long term reputation, it makes a lot of sense to give Onity that opportunity without outing the flaw.

      Responsible disclosure is a fair response to a responsible failure. Few of these that make the news are responsible failures. Chisellers dressed up in security theatre profiting from their faux contrivances while playing this stupid game of harassing the bearer of bad news, as if the bearer of bad news is an indentured, unpaid employee.

      I understand the source of this faux reverence for charlatans much better after reading God is not Great. Scientology was a crock from day one, but now that so many gentle and naive souls have absorbed this crockery and imbued it with deep personal meaning, those of us who are deeply offended by the shitbag Hubbard are supposed to subside into polite silence. I asked myself after reading Hitchens: Why do I sit around keeping a respectfully stiff upper lip about xemufascism? To hell with that.

      Banks should not be bailed out of bad loans, and security professionals should not be bailed out for chrome-plating obscurity. When the mistake is subtle enough to make a patent examiner's head explode, I'm all for responsible disclosure. Either pass the bar, or don't let the door hit you on the way out.

  10. Auditing by nastav · · Score: 4, Insightful

    All locks can be defeated with enough effort. The goal often is to make it obvious that a lock was defeated - by leaving an electronic trail or physical one (a broken door, e.g.). Akin to silent data loss, silent compromise of a lock is much much worse.

    --
    -- obligatory (but true) caveat: my comments my own, and don't reflect my employer or colleagues' positions.
  11. Re:I'm sure the government has easier ways by Maximum+Prophet · · Score: 5, Insightful

    Silly Reader, warrants are so 20th century. These days, they just show a letter, that you can't discuss with anyone, citing a "secret" law. Yes, it's unconstitutional, but if you're a $12/hour clerk, and the guy with the gun is asking, are you going to make a fuss?

    --
    All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
  12. Image by firewrought · · Score: 5, Interesting

    The hacker has (in his picture for the Forbes article) unkempt hair and a T-shirt that says "It's Fun To Use Learning For Evil!". I realize Black Hat has this whole counterculture thing going guys, but would it kill you to put on the veneer of respectability? Geez... this guy looks like a cliche movie hacker lackey.

    You know that your intentions are honorable, that you wouldn't (for instance) rob a hotel room, and that maybe you are part of the process by which society gets stronger over the long run, but the audience of Forbes is predisposed to see you as a shady menace (or cost multiplier). And the audience of Forbes has more real influence to pass laws that restrict or limit access to your favorite toys (prior examples being some telephony tools, radio electronics, lockpicks, encryption software, etc.).

    It sounds silly, but a clean shave and a button-down is how you say "I'm one of the good guys" to this crowd (or the general public, actually).

    --
    -1, Too Many Layers Of Abstraction
    1. Re:Image by slashmojo · · Score: 5, Insightful

      > would it kill you to put on the veneer of respectability?

      Like a banker? ;)

  13. So they're called by oldmac31310 · · Score: 5, Funny

    pwnity now...

    --
    http://www.acetonestudio.com
  14. Re:I'm sure the government has easier ways by gstoddart · · Score: 4, Insightful

    I'm pretty sure that all the US government would have to do is turn up with a warrant and be given access to any room they like regardless of the type of lock used.

    With a warrant, you can do practically anything, because a judge has signed off on it.

    It's what they can do without warrants that scares me.

    --
    Lost at C:>. Found at C.
  15. Re:Lock the door when inside by specific · · Score: 4, Funny

    I've never hacked an Onity programmable key-card lock, but I did stay in a Holiday Inn Express last night.

    --
    If you lend someone $20 and never see that person again, it was probably worth it.
  16. Re:Lock the door when inside by SilverJets · · Score: 5, Informative

    You mean those safes where hotel staff have a master code that unlocks them in case the guest forgets the code they set? Those safes?

  17. Re:Lock the door when inside by Critical+Facilities · · Score: 4, Funny

    the chain lock that's separate from the key card lock

    Or according to Jon Stewart - "I have a chain lock on my door that says to criminals 'you're not getting in here......unless you push....kind of hard....with your hand'."

  18. Re:As usual however by gblackwo · · Score: 4, Funny

    You have until the end of the day to gather your things and turn in your geek card.

  19. Re:Wrong by icebike · · Score: 4, Insightful

    Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the hole with an exterior lock. Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only needs to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.

    Fill the hole: No. Read the article. The hole is needed and used routinely to charge the battery and reprogram.
    Cover the hole with an exterior lock: So this is your plan to avoid changing out the lock? Add yet another lock on top? And how secure is that lock?
    Add a circuit ahead of the main board: Where? There is no room for that. You would have to replace the entire main board.
    Firmware fix: Perhaps possible, but these are very old designs using very limited microcontrollers. And you would still have to replace every reprogramming device in the field to get around this because your solution would also prevent reprogramming the lock.

    So, NO, the article is not completely wrong. Your post is pretty close to completely wrong.
    By the time you do any of the modifications you suggest, it would be cheaper to change the lock.

    And none of those changes could be accomplished by the handyman. At best, they might be able to change out the lock. Most of those guys know how to swing a wrench and a toilet plunger. They are not very good at board level soldering. Even worse at changing microprocessors inside a lock chassis designed specifically to be tamper resistant.

    Best case is that they can replace the entire circuit board using cheaper more modern ICs in the same amount of space. But even that is likely to be more expensive than just replacing every single lock.

    In actuality, this will never be done, until the next hotel remodel. Additional theft insurance, maybe purchased by the manufacturer, will be by far the cheapest alternative.

    --
    Sig Battery depleted. Reverting to safe mode.
  20. Re:Lock the door when inside by Joce640k · · Score: 4, Interesting

    Obviously that person meant the chain lock that's separate from the key card lock. I hope not just the deadbolt; the ones built in to hotel key card lock mechanisms can be opened by the master key card. Not the ones the housekeepers carry but the one the chief maintenance guy keeps in his office. One assumes this hack can open the bolt as well as the regular latch.

    We had a problem with a hotel safe once. When the tech guy came he popped the plastic keypad off to expose a serial port then hooked up his iPhone to it and opened the door. I wonder how secure that is...

    --
    No sig today...