Slashdot Mirror


After Hacker Exposes Hotel Lock Insecurity, Lock Firm Asks Hotels To Pay For Fix

Sparrowvsrevolution writes "In an update to an earlier story on Slashdot, hotel lock company Onity is now offering a hardware fix for the millions of hotel keycard locks that hacker Cody Brocious demonstrated at Black Hat were vulnerable to being opened by a sub-$50 Arduino device. Unfortunately, Onity wants the hotels who already bought the company's insecure product to pay for the fix. Onity is actually offering two different mitigations: The first is a plug that blocks the port that Brocious used to gain access to the locks' data, as well as more-obscure Torx screws to prevent intruders from opening the lock's case and removing the plug. That band-aid style fix is free. A second, more rigorous fix requires changing the locks' circuit boards manually. In that case, Onity is offering 'special pricing programs' for the new circuit boards customers need to secure their doors, and requiring them to also pay the shipping and labor costs."

244 comments

  1. lockgate=locksuit by Anonymous Coward · · Score: 0

    just sayin'

    1. Re:lockgate=locksuit by Anonymous Coward · · Score: 0

      Anybody can sue. But the Hotel won't win in court without a purchase agreement that says the locks are uncrackable or that the locks will only open with a keycard.

  2. You know what else can open a lock? A crowbar. by Rogerborg · · Score: 5, Insightful

    Any hack that requires physical disassembly of the lock is just ePeen waving.

    Given the choice between a $50 bit of magic juju that might work after 5 minutes of fiddling, and a $20 jimmy that will work 100% of the time in 10 seconds, I know which option 99% of "going equipped" criminals are going to go for.

    So, no, I'm not blaming the lock manufacturer here. No security is absolute, it's a question of what's reasonable.

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:You know what else can open a lock? A crowbar. by Anonymous Coward · · Score: 0

      clearly you didn't RTFA or WTFV.

    2. Re:You know what else can open a lock? A crowbar. by Anonymous Coward · · Score: 5, Informative

      RTFA. No need to disassemble the lock - all you do is plug in a small gadget into a Nokia-charger-style plug at the bottom of the lock and voilà - open door.

    3. Re:You know what else can open a lock? A crowbar. by Anonymous Coward · · Score: 2, Informative

      Isn't the point of the original hack that you can do it through the exposed programming port in seconds and leave no trace? Sounds superior to a crowbar, though my experience is limited.

    4. Re:You know what else can open a lock? A crowbar. by ArsenneLupin · · Score: 5, Insightful

      RTFA. No need to disassemble the lock - all you do is plug in a small gadget into a Nokia-charger-style plug at the bottom of the lock and voilà - open door.

      Not after the "free" workaround (cap that covers connector, and requires lock disassembly to remove) is applied.

      And I guess, if you already have disassembled the lock, you won't need the gadget to open it: a short applied directly at the actuator would do the trick too.

      So, the "bandaid-style workaround" (cap) might actually make more sense than the improved circuit board (which may only protect against the current intrusion software, but not against enhanced versions that take into account the new memory layout).

    5. Re:You know what else can open a lock? A crowbar. by adolf · · Score: 4, Insightful

      Forget applying a "short" "directly at the actuator" (whatever that means): If you've already got the lockset disassembled, you just unlock it mechanically; no electronics needed.

      That said, presumably (and I did R most of TFA), neat disassembly also requires access to the locked room, as is the case with most locks which are designed to be secure in only one direction.

      But without more data, I'm led to wonder if the "free" workaround cap is actually all that physically secure, anyway: Being both a retrofit and (and again I presume) only having been designed within the past month or so, and then built down to a cost that can be distributed for free, it seems entirely likely that the cap itself might still be vulnerable to defeat from outside.

    6. Re:You know what else can open a lock? A crowbar. by Anonymous Coward · · Score: 0

      Forget applying a "short" "directly at the actuator" (whatever that means): If you've already got the lockset disassembled, you just unlock it mechanically; no electronics needed.

      Electric locks will have a deadbolt that's moved by a solenoid. That probably has nothing to grip onto to slide it mechanically, but all you need to do is apply an AA battery to the wires going into the solenoid and it'll slide right back.

    7. Re:You know what else can open a lock? A crowbar. by Anonymous Coward · · Score: 1

      A locksmith coworker of mine has told me more than once "All locks do is keep the honest people honest." Some of the tricks he's told me about are just plain simple and terrifying.

    8. Re:You know what else can open a lock? A crowbar. by tgd · · Score: 1

      Forget applying a "short" "directly at the actuator" (whatever that means): If you've already got the lockset disassembled, you just unlock it mechanically; no electronics needed.

      Electric locks will have a deadbolt that's moved by a solenoid. That probably has nothing to grip onto to slide it mechanically, but all you need to do is apply an AA battery to the wires going into the solenoid and it'll slide right back.

      Of course you can open it mechanically, otherwise a dead battery would leave the lock permanently inoperable.

      These are hotel doors, not bank safes.

    9. Re:You know what else can open a lock? A crowbar. by ceoyoyo · · Score: 2

      Only if someone was dumb enough to put those wires on the outside of the door.

    10. Re:You know what else can open a lock? A crowbar. by dead_user · · Score: 5, Interesting

      I can attest that hotel room doors are pretty crowbar-resistant. During Katrina I was "essential personnel" and was "evacuated" to the hotel near City Hall so I could be at the ready once the storm passed. About $70k worth of equipment came with me to the hotel room to get it more protected. (Backup servers and their ilk.) The next evening when the national guard guys took us back to our rooms to get our stuff, there were three giant gouges in my door. But the door held. I was both impressed and disgusted. These people also beat up the hotel staff because they were upset that the hotel generators didn't also run the A/C's. Eventually, the hotel was abandoned and left to them. It was just too dangerous to the staff to stay. By the second night, they had defaced much of the hotel with spray painted signs declaring the hotel the "New 4th Ward", a project (slum) from New Orleans. Granted, their homes were flooded, but so was mine. So sad.

    11. Re:You know what else can open a lock? A crowbar. by Andy+Dodd · · Score: 1

      That's the problem - If you can just remove a few Torx screws and then remove the cap, you've at most increased the time it takes to defeat the lock.

      One of the key things here is - People aren't going to notice a few missing screws immediately. An attacker could walk by, remove a screw, then get clear. Rinse and repeat until all screws are removed. In the time in between, most likely NO ONE would notice the lock was missing a screw or two - hell this happens in normal situations all the time.

      --
      retrorocket.o not found, launch anyway?
    12. Re:You know what else can open a lock? A crowbar. by mark-t · · Score: 2

      One of the operative words here is "untraceable". The hack leaves absolutely zero evidence of having been tampered with by this hack, and all the hacker has to do is put the plug cover back on, removal of which is hardly tantamount to fully disassembling the lock. Besides which, disassembling a lock that can later be easily reassembled should be something that can only be done from *INSIDE* of a unit... not from outside, as the plug they are offering does. If this port that this plug covers were only accessible inside of the unit, it would not be anywhere nearly as big of a security issue.

    13. Re:You know what else can open a lock? A crowbar. by Rich0 · · Score: 1

      Tend to agree. The plug-in hack probably takes no more time to execute than just using the key the lock was designed for, and wouldn't involve any fiddling that would look conspicuous from more than 20 feet away. Plus, this approach leaves the lock undamaged.

      Once you're talking screwdrivers the fiddling looks much more conspicuous, though dressing like a repair guy probably would help as long as hotel staff doesn't catch you in the act.

      Some of these comments are kind of crazy - dremels and such. I'm sure a nice sledge would bypass the door with a single hit, or a powered rotary saw would chop the whole lock out of the door in less time than it takes to elegantly disassemble the lock with tools that make just as much noise.

      However, all of this fiddling will leave more signs of tampering, which may not be desirable.

    14. Re:You know what else can open a lock? A crowbar. by hairyfeet · · Score: 1

      Exactly, because other than Black Hat how many times have we read about criminals carrying around custom tweaked Arduinos to pop locks in hotels? Let's face it folks, criminals? Not the sharpest tacks in the box or else they wouldn't be risking years of their lives on low paying crimes like B&E.

      You are much more likely to have some maid working on the inside that just opens the door or the criminal jamming a gun in someone's back to get in instead of this CSI style crap so their free fix would not only work just fine to get rid of this frankly totally unrealistic "threat" but I bet hotels that don't do anything at all aren't gonna see a sudden rise of B&E from Arduino carrying criminals. That kind of James Bond bullshit from your average hotel room robber is about as likely as me winning the powerball while being struck by lightning. Could happen but seriously doubt it.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    15. Re:You know what else can open a lock? A crowbar. by AmiMoJo · · Score: 1

      It isn't really free when you have to pay someone to go around every lock in every hotel you own to open them up and install the cap. Plus in the time between the talk and you implementing this defence you might find insurance companies using it as an excuse not to cover losses due to theft since you didn't secure your rooms.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    16. Re:You know what else can open a lock? A crowbar. by nospam007 · · Score: 1

      "An attacker could walk by, remove a screw, then get clear."

      For another 50 bucks you'd get an overall with 'HOTEL SECURITY', then you have all the time in the world.

    17. Re:You know what else can open a lock? A crowbar. by sjames · · Score: 1

      But the magic juju allows you to make your own seemingly legitimate card, even a master key. That accomplished you can then raise no suspicion at all by unlocking a door even if a guest sees you do it.

      No security is absolute, but some security is at least good enough to make a crime evident and some is no better than a sign that says please don't commit a crime.

    18. Re:You know what else can open a lock? A crowbar. by sjames · · Score: 1

      The band-aid will certainly make the lock more secure, but at the cost of removing part of the legitimate functionality that influenced selection of that lock by the hotel in the first place.

    19. Re:You know what else can open a lock? A crowbar. by Anonymous Coward · · Score: 0

      >> If this port that this plug covers were only accessible inside of the unit, it would not be anywhere nearly as big of a security issue.

      It's a programming port. Every now and then a lock's memory fails or something and it needs to be reprogrammed. I don't know the exact cause of this issue but I've worked in hotels and have had to reprogram doors from time to time and can say it does happen. Anyway, if the port were on the inside and its memory failed then you wouldn't be able to open the door to get to the programming port and would have to break in through a window or, much easier than all this mission impossible lock hacking or physical damaging, use the key card to shim the lock. Every lock that is not a deadbolt can be shimmed in about 2 seconds if you know where to insert and maneuver.

    20. Re:You know what else can open a lock? A crowbar. by Anonymous Coward · · Score: 0

      Any manufacturer of a lock / vault / security product, if being honest, will tell you the function of their product is to increase the time it takes to defeat the product, that it's not meant to be impenetrable, because there's no such thing. Higher end safes and vault door makers give you a rating which basically tells you how long it's likely to delay a skilled cracker.

      The best solution would be to have no ports external to the hotel room of any kind, but all that does is open up other attack vectors.

    21. Re:You know what else can open a lock? A crowbar. by mark-t · · Score: 1

      All electronic locks have a physical key system as well, which can open the lock regardless of the status of the electronic lock. It should be absolutely no different from any other keyless entry system in this regard. If something physically has gone wrong with the device, you can still use a real key to slide back the bolt and open the door so that you can effect repairs.

    22. Re:You know what else can open a lock? A crowbar. by Anonymous Coward · · Score: 0

      Manufacturers make battery-powered lock readers that can unlock doors with dead batteries. Drilling the door the old-fashioned way is the alternative, at least in my hotel experience.

    23. Re:You know what else can open a lock? A crowbar. by Anonymous Coward · · Score: 0

      Never saw that on the news...

    24. Re:You know what else can open a lock? A crowbar. by Anonymous Coward · · Score: 0

      Well, anyone who has seen a Yale lock bumped could tell you that.

  3. The cheap one is worthless by gweihir · · Score: 5, Informative

    "Secure" screws are anything but. You can either print them (wax, photograph) and make matching bits pretty easily. You can even automatize this. Or you can force them with some pre-made approximations. (Yes, that may mean carrying around 50 possibles, and/or a file, but it is not hard.) There are other techniques as well, for example removal tools for broken screws or ice-spray and a hammer. Sawing a slit into the screw-head is also typically pretty easy.

    Yes, I have done it a few times. Not for these locks, but I would be surprised if they were any different.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:The cheap one is worthless by bloodhawk · · Score: 2

      or why bother with any of that when a small crowbar will bypass it all.

    2. Re:The cheap one is worthless by gweihir · · Score: 1

      or why bother with any of that when a small crowbar will bypass it all.

      The damage is too visible, dramatically increasing attacker risk.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:The cheap one is worthless by bloodhawk · · Score: 1

      You aren't breaking down the door; levering open a lock in many cases is unnoticeable except on closer inspection, especially if you close the door afterwards.

    4. Re:The cheap one is worthless by gweihir · · Score: 1

      Not likely on these. That was the whole point of the original hack. Otherwise Hotels would get burglarized this way all the time. They do not.

      Anyways, your comment is irrelevant here. Attach it to the original story about the hack.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:The cheap one is worthless by Tastecicles · · Score: 3, Interesting

      tech overkill.

      I use a Gator Grip and have done for fifteen years. Yes, they work, no I don't work for them. Yes they're fantastic value and no, they don't charge for replacement in case of bad workmanship, act of Dog, act of Idiot, or jamming. I've only ever had to replace the small one because I managed to break it trying to loosen a disc brake caliper.

      --
      Operation Guillotine is in effect.
    6. Re:The cheap one is worthless by ArsenneLupin · · Score: 1

      Most of these methods, except photographing, will mar or stain the screw heads, i.e. not suitable for undetected entry.

      And if undetected is not a goal, a small crowbar will do the job easier.

    7. Re:The cheap one is worthless by TubeSteak · · Score: 4, Informative

      Secure screw bits are $20 bucks for an entire set (Made in China) of all the designs.

      The only "secure" screw head is one that is custom made for you.
      Otherwise, you should be using breakaway heads or one-way screws.

      --
      [Fuck Beta]
      o0t!
    8. Re:The cheap one is worthless by ArsenneLupin · · Score: 1

      Otherwise Hotels would get burglarized this way all the time.

      There's personnel (or other guests) walking around all the time. The risk of getting caught is probably too big for most thieves.

      Discounting the risk of getting caught, there's a very low tech attack against hotels with old-fashioned mechanical keys. Just walk by the reception desk while the receptionist is temporarily out, and grab a key...

    9. Re:The cheap one is worthless by crutchy · · Score: 1

      or blind structural rivets (cherrymax)

    10. Re:The cheap one is worthless by fustakrakich · · Score: 1

      Some locks can be screwed on from the inside of the door. Just steal a card from one of the maids if you want in.

      --
      “He’s not deformed, he’s just drunk!”
    11. Re:The cheap one is worthless by cyclomedia · · Score: 2

      --
      If you don't risk failure you don't risk success.
    12. Re:The cheap one is worthless by adolf · · Score: 5, Informative

      I had to defeat some stainless steel T10 Security Torx screws in the process of doing my job, recently, as I was moving old hardware from one place to another.

      Normally, I carry a large assortment of cheap "security" driver bits with me, but alas they were not with me at the time (indeed, they were 40 miles away).

      Solution: I used a regular-old Klein T10 driver. I smashed it into the head of the screw a few times with the palm of my hand (no hammer needed), and the protruding post neatly bent over and squished itself into the valley of the Torx socket. This left plenty of surface area to neatly grab the fastener in the conventional way (with the same, and now proper driver), and remove it.

      I was fairly amused that this worked the first time. And then I repeated it 7 more times for the other screws with similar success. (The Klein screwdriver was unfazed.)

      (For the uninitiated: Torx screws intentionally require very little engagement depth to properly mate a driver to the fastener, by design. It is perhaps the singular thing they're very good at, and also the one thing that allowed them to be so easily circumvented in this case of them being modified for "security.")

    13. Re:The cheap one is worthless by adolf · · Score: 2

      How well does your Gator Grip work on small socket-cap Torx screws, such as those discussed in TFA?

      It looks like a lovely tool for removing things that have external facets (common hexagonal nuts and bolts), but from what I see it is a picture of failure and frustration for anything else -- especially if it is very small (which lockset screws typically are).

    14. Re:The cheap one is worthless by adolf · · Score: 1

      I've defeated many "one-way" pan-head screws with force-multiplying pliers. Just grab and turn.

    15. Re:The cheap one is worthless by Anonymous Coward · · Score: 0

      E.g.: transport (noun) --verbify--> transportate (rarely used) --nounify--> transportation (noun again)

    16. Re:The cheap one is worthless by Anonymous Coward · · Score: 0

      transport is already the verb from 14th century, the 'means of transportation' noun sense wasn't until 17th century. So no need for transportate, which isn't in the dictionary.

    17. Re:The cheap one is worthless by jimicus · · Score: 1

      How often do you think hotels have someone examine the underside of their locks?

    18. Re:The cheap one is worthless by Tastecicles · · Score: 1

      as far as I can make out, if the tool can lock more than three pins around the head or in features then it will certainly grip enough to turn. I've seen (but not played with) finework versions of the Gator, and can only assume that they work on the same principle. If you can find one with fine enough pins for the job (I would say generally not to use a socket more than twice the size of the head to ensure proper grip) then sure: if a Gator will grip a rusted screw head (it will) enough to loosen it (if there's enough of a slot left for the pins to engage then generally this will happen), then it'll deal with a Torx head.

      --
      Operation Guillotine is in effect.
    19. Re:The cheap one is worthless by Ellis+D.+Tripp · · Score: 1

      The fact that you were dealing with stainless steel screws worked to your advantage here. Stainless is soft enough to deform under the hammer blows, but a proper hardened steel screw wouldn't do so.

      --
      Remember "News for Nerds, Stuff that Matters"? Help make it a reality again! http://soylentnews.org
    20. Re:The cheap one is worthless by thegarbz · · Score: 1

      The only "secure" screw head is one that is custom made for you.

      Until someone comes with a tiny cordless Dremel and a screw extracting bit attached to the end.

    21. Re:The cheap one is worthless by Kalten · · Score: 1

      The only "secure" screw head is one that is custom made for you.

      What makes you think that? I work for a company that could not only make the screws for you, but also the bits to remove them for someone else.

      (Okay, it'd be a heck of a lot more expensive than some of the other solutions, but...)

    22. Re:The cheap one is worthless by Anonymous Coward · · Score: 0

      The fact that you were dealing with stainless steel screws worked to your advantage here. Stainless is soft enough to deform under the hammer blows, but a proper hardened steel screw wouldn't do so.

      Depending on the hardness, either it would deform, or it would break -- same effect. You might need a hammer in lieu of GP's hand, but it would work.

    23. Re:The cheap one is worthless by JDG1980 · · Score: 1

      Well, there's also the fact that Torx screws aren't really that obscure to begin with.

    24. Re:The cheap one is worthless by ArsenneLupin · · Score: 1

      How often do you think hotels have someone examine the underside of their locks?

      If something gets reported stolen (or a chambermaid claims to have been raped, ...) sure they will!

    25. Re:The cheap one is worthless by slothman32 · · Score: 1

      I googled several names but couldn't find out what force multiplying pliers are.
      I found a couple questions but no pictures.
      Ach.
      As far as I can tell they are like Vise-grips.
      Or maybe the pliers that multi-knives form when opened.
      Having almost an extra pivot.
      I still don't know how you would unscrew a one-way though.
      Well without a file or drill.

      P.S.
      Interestingly enough, I found your comment on Google trying this.

      P.P.S.
      I try to use "PS's" anytime I can.

      --
      Why don't you guys have friends or journals?
    26. Re:The cheap one is worthless by Anonymous Coward · · Score: 0

      I think the OP is referring to these:
      http://www.mactools.com/shoponline/product/tabid/120/p-319223-9-12-self-gripping-pliers.aspx

      These are really good pliers. I own a pair myself, and they will do what the OP says. The teeth are hardened, and they grip much better than vice grips.

    27. Re:The cheap one is worthless by tixxit · · Score: 1

      Yeah. To me, torx wasn't meant for security, it was meant to say "hey, we'd rather you not remove this screw and doing so will probably void your warranty."

    28. Re:The cheap one is worthless by Ksevio · · Score: 1

      The advantage to "secure" screws usually is that they can't be opened using the tools your average Joe might have handy. Last I checked the Swiss Army knife still didn't have the bit to dismantle a bathroom stall.

    29. Re:The cheap one is worthless by ArsenneLupin · · Score: 1

      The only "secure" screw head is one that is custom made for you.

      ... until somebody comes with a Gator Grip.

    30. Re:The cheap one is worthless by Tekfactory · · Score: 1

      SOG calls their Compound Leverage
      http://nationalsurvivalcenter.com/sogpos60.html

      There is supposed to be some gearing in there to make it easier.

    31. Re:The cheap one is worthless by omglolbah · · Score: 1

      Torx is a superior head for a variety of reasons.

      Having had to deal with a myriad of the options of screws for server racks I can say without a doubt that torx saves you a ton of time and annoyance.

      All the force is applied in rotation and you do not have to keep pushing the bit into the screw-head to avoid slipping (like with positive or Phillips heads).
      That, and they are a hell of a lot more durable when abused (which will happen in real world situations...)

      Use the wrong bit on a Phillips head just once and it will be a PITA to work with later. Torx screws are much more forgiving there.

    32. Re:The cheap one is worthless by Anonymous Coward · · Score: 0

      To me torx says: "we have an automated screwing process, and it works better with torx, as intended"

    33. Re:The cheap one is worthless by ceoyoyo · · Score: 1

      Except they're torx screws, so you can just pull out your screwdriver, change the bit, and out they come.

    34. Re:The cheap one is worthless by ceoyoyo · · Score: 1

      Swiss army quality really has slipped.

    35. Re:The cheap one is worthless by ledow · · Score: 1

      I was moving some PC's that were bolted to the desks they stood on.

      Basically, the security plates were a large metal plate, secured with epoxy to the PC, to give a large surface area that then took a stiff 10mm metal cable which tied them to the desks.

      I didn't want to damage the PC casing or the desk so I had a look at what the school they were in had. They had a box of unlabelled keys along with some spare cables (so presumably they were the right keys if you could be bothered to try them all in every combination for 50+ PC's). I just didn't have the time.

      I could see there was no way to cut through the cable. I could see the steel plate would need a hacksaw to release the cable of its own accord. I could see that there was no way to take the cable from the desk without damaging the desk.

      So I got a flat-blade screwdriver, inserted it between the plate and the PC casing, and whacked it a bit. I mean, hitting it with a hammer to the point of deforming the casing on the "test" PC I was using. I must have been trying to prise it off for 20+ minutes.

      Then, completely by accident, I rotated the screwdriver. The whole plate popped off and fell on the floor. There was some resin residue on the PC case but nothing to worry about.

      Hell, I thought, must have been all the bashing or I got lucky or they weren't secured properly, or the epoxy was old or something. Turns out, no. You can pull the cable with two feet placed on the casing and hold your own weight and more and not make any headway to getting it off. You can bash at it all day long and destroy the casing. You can deform the metal to the point where it's unusable and still it won't let go.

      But put a flatblade even the smallest amount into the gap between plate and casing, and twist with no more torque than needed to do up a screw and it fell off. Consistently. Every time. Every PC. No matter the age or install date of that particular epoxy / plate or the surface it was adhering to.

      The ironic thing? The school then asked me if I could re-attach those cables to the PC in their new locations. The only comforting thought as I did so (after HOURS of trying to scrape the epoxy residue off so I could re-glue them) was that some burglar might spend hours trying to pull and separate the PC's by brute force and not know how easy they were to remove.

      Didn't matter, though. We had SmartWater on them and they weren't worth the price of the SmartWater database registration, let alone all the hassle. But, hey, I was being paid.

    36. Re:The cheap one is worthless by Anonymous Coward · · Score: 0

      Correct. Hardened steel does not bend. If you did this to a hardened steel T10 security screw the little pin would simply snap off. This is how we open Xbox 360 controllers.

    37. Re:The cheap one is worthless by ColdWetDog · · Score: 1

      To me torx says: "we have an automated screwing process, and it works better with torx, as intended"

      Exactly. Torx screws were designed for automated assembly. It allows for wider tolerances between the screw and the driver and allows for more consistent torque settings. (Get it? Torx ....) The fact that it's turned out to be the 'new standard' screw is largely due to the fact that it's one hell of a lot better solution than the old Phillips head and modern manufacturing methods make them trivial to produce.

      --
      Faster! Faster! Faster would be better!
    38. Re:The cheap one is worthless by whoever57 · · Score: 1

      All the force is applied in rotation and you do not have to keep pushing the bit into the screw-head to avoid slipping (like with positive or Phillips heads).

      The need to apply lots of force to hold the driver in place while turning is a feature of Phillips screws (commonly found in the USA), but not Pozidriv (commonly found in Europe).

      --
      The real "Libtards" are the Libertarians!
    39. Re:The cheap one is worthless by Anonymous Coward · · Score: 0

      When the Swiss army dismantle bathroom stalls, they use other equipment than their famous knives. . .

    40. Re:The cheap one is worthless by Anonymous Coward · · Score: 0

      "Secure" screws are anything but. You can either print them (wax, photograph) and make matching bits pretty easily. You can even automatize this. Or you can force them with some pre-made approximations. (Yes, that may mean carrying around 50 possibles, and/or a file, but it is not hard.) There are other techniques as well, for example removal tools for broken screws or ice-spray and a hammer. Sawing a slit into the screw-head is also typically pretty easy.

      I just use my sonic screwdriver - much simpler and quicker.

    41. Re:The cheap one is worthless by gweihir · · Score: 1

      I am not convinced these will work for advanced Torx-security, but definitely worth a try. Then, they may work flawlessly.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    42. Re:The cheap one is worthless by gweihir · · Score: 1

      Wax should not leave anything, unless advanced forensics is used. For the rest, true, but depends on the level of inspection. Your crowbar can be seen by somebody alert without looking too hard. And just slip once and there will be possibly highly visible scratches. The screws are on the bottom of the thing, minimum is to bend down and look. Possibly needs a light to see anything.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    43. Re:The cheap one is worthless by gweihir · · Score: 1

      These advanced Torx security screws are custom-made. Well, sort of. They cut out a shape with 4 angles and apparently have a few thousand forms. Not in the Chinese security bit set. (I have one too, very useful!)

      I agree with you though. Gluing is also an option.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    44. Re:The cheap one is worthless by gweihir · · Score: 1

      True, but they are also very nice for manual work. In fact, whenever I have a choice, I use Torx now.

      It is funny how this evolved. Probably indeed due to advances in screw manufacturing methods.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    45. Re:The cheap one is worthless by gweihir · · Score: 1

      No, they just stick to the law. And the law says you cannot make Torx security bits without approval by the patent-holder. Other people (e.g. the Chinese) just do not care.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    46. Re:The cheap one is worthless by Anonymous Coward · · Score: 0

      So, why 'transportation' at all? That is the question.

    47. Re:The cheap one is worthless by Anonymous Coward · · Score: 0

      Try that with the cheap Chinese drivers/bits and you'll just break 'em after 1-3 attempts. It's still humorous that the Klein driver made such short work of the "security" heads. About like the "locks" on HP's server line for the RAID bays from a few generations back. Lockbar was made of ABS. I was the CTO/CIO for a company where we were locked out of a mail server and we needed the drives out of it for forensics. Took a flat superbar prybar, hooked the lockbar and twisted the prybar- with the resultant expected "pop" and access to the drives.

      If you don't give a tinker's damn about whether you're obvious or not, there's quite a few "locks" that can be swiftly and brutally circumvented. Locks are only to keep the Honest and Stupid out.

    48. Re:The cheap one is worthless by sjames · · Score: 1

      I wonder how well the post would stand up to a hardened punch and a hammer blow.

    49. Re:The cheap one is worthless by sjames · · Score: 1

      It's funny how that works sometimes. The screwdriver applied considerably less force, but it was focused against a much smaller area of glue. Once the glue broke in one place the plate itself became a lever and quickly propagated the break.

    50. Re:The cheap one is worthless by CityZen · · Score: 1

      Kind of similar to the method used to tear a phonebook in half. It's easy when you're only starting to tear one page at a time.

    51. Re:The cheap one is worthless by Anonymous Coward · · Score: 0

      Forget the screw extracting bit. Use the Dremel to cut a slot in the head of the screw, and carry a flathead screwdriver with you. Problem solved.

    52. Re:The cheap one is worthless by Anonymous Coward · · Score: 0

      If you want all of that, but don't want to bother with Torx head anything, because they're more obscure, making the screws and driver more expensive... Robertson head. The screwdrivers and screws for these are everywhere under the sun.

    53. Re:The cheap one is worthless by Anonymous Coward · · Score: 0

      Nope. On regular steel screws it's easier to just break the middle nub off, instead of bending it...

    54. Re:The cheap one is worthless by michelcolman · · Score: 1

      Yeah, it's funny how they think that someone who can build or buy a custom arduino device to hack a particular type of lock, will not be able to get his hands on a torx screwdriver. Those are soooo much harder to find!

    55. Re:The cheap one is worthless by Anonymous Coward · · Score: 0

      Secure screw bits are $20 for an entire set (Made in China) of all the designs.

      $10

    56. Re:The cheap one is worthless by adolf · · Score: 1

      They look like regular needle nose pliers, but with much longer handles. The joint is constructed such that force is multiplied, with a clever arrangement of sliding-bits and levers. They work with the speed and ease-of-use of normal pliers, but the force applied is such that you can just grab onto the outside of the fastener's head and turn.

      I tried to find another pair on Google for your visual delight, but alas. Mine were purchased at an Autozone in western Ohio, sold under the Ampro name. I found them in the clearance bin for about $6, and they've paid for themselves many, many times over.

    57. Re:The cheap one is worthless by Anonymous Coward · · Score: 0

      Secure screw bits are $20 for an entire set (Made in China) of all the designs.

      The only "secure" screw head is one that is custom made for you.
      Otherwise, you should be using breakaway heads or one-way screws.

      The one I have used has a two part head. You screw it in. If you try to unscrew, the top head shears off and leaves a crown.

  4. Double standard by Anonymous Coward · · Score: 5, Insightful

    Hmmm, we take umbrage that a company charges for a hardware upgrade to a flawed physical device, but we have gotten used to having to pay for software upgrades to get our bugs fixed. It is the second of these that is the real scandal.

    1. Re:Double standard by RabidTimmy · · Score: 0

      I don't really see a double standard here. The summary implied that the sellers of the lock are obligated to provide a software upgrade to fix the vulnerability. For there to be a double standard, that means that we must expect a hardware lock to be replaced. The only way I see either company (the hardware or software lock companies) is obligated to fix the lock for free is if they somehow implied that they would provide upgrade services or made some guarantee to being hack-proof. I don't know what the terms of the hotels' locks were, but if they were sold as is, as a device to reduce the chance of breakin, I see no obligation.

    2. Re:Double standard by Anonymous Coward · · Score: 0

      I wonder what the law in the US is...
      Over here, a supplier has the responsibility to deliver a good product and to repair it when it appears to be flawed.
      When repair is not possible, the goods can be returned and money has to be refunded.

      Considering this, I always wonder how companies like Cisco can deliver equipment and give access to bug-fixing firmware updates
      only to customers who pay extra for a maintenance contract. I think this practice is illegal. But maybe it isn't in the US?

    3. Re:Double standard by ratbag · · Score: 1

      IANAL. But I've been corrected on this issue by someone who is, and who happened to be my boss at the time.

      If you're talking about the UK (my version of "over here") most of the stuff to do with refunds and longer-term fitness for purpose only applies to individual consumers. As long as the Cisco device is supplied in a fit state at purchase time then a purchasing company has no comeback if bugs are revealed later and require a paid fix. And in general, a Cisco router, for example, will route packets as advertised. It may have edge cases and rarely-exercised bugs that are only revealed in the field, but Cisco sold it as a router, in good faith.

      An individual consumer could expend some effort talking to Cisco about "reasonable" fitness for purpose for up to six years after purchase, but the probable end result would be that Cisco suggest you accept a refund for returning the item.

      Have a look (if you've got a lot of time) at the Sale of Goods Act 1979 (and later modifications, etc.) for the basis of all this. There may be European law overlaid on this as well, but so far as I know, no-one's ever tried to use "the law" to resist paying for ongoing maintenance fees on computer hardware, or at least nobody's succeeded in such a venture. And again - IANAL.

    4. Re:Double standard by Zeromous · · Score: 1

      There's a difference between bug fix and feature fix. I didn't realize vendors were charging me for bugfixes probably because they aren't.

      --
      ---Up Up Down Down Left Right Left Right B A START
    5. Re:Double standard by RaceProUK · · Score: 3, Funny

      Hmmm, we take umbrage that a company charges for a hardware upgrade to a flawed physical device, but we have gotten used to having to pay for software upgrades to get our bugs fixed. It is the second of these that is the real scandal.

      How much did you pay for a Windows Service Pack? Personally, I spent $0.00, consisting of a $0.00 deposit, 35 easy monthly payments of $0.00, and a final payment of $0.00 to keep it for life.

      --
      No colour or religion ever stopped the bullet from a gun
    6. Re:Double standard by FireFury03 · · Score: 3, Insightful

      IANAL. But I've been corrected on this issue by someone who is, and who happened to be my boss at the time.

      If you're talking about the UK (my version of "over here") most of the stuff to do with refunds and longer-term fitness for purpose only applies to individual consumers.

      The Sale of Goods Act requires the retailer (*not* the manufacturer) to warrant a product for its "reasonable" life expectancy to be free of manufacturing and design defects and fit for purpose. Within the first 6 months the burden of proof is upon the retailer (if they don't want to refund/fix then within the first 6 months they have to prove that there was no defect or that its "reasonable" life expectancy has been exceeded). After the first 6 months the burden of proof is upon the consumer (you prove that there was a defect and that it is within its life expectancy).

      No one sane expects a lock to be completely secure, but this sounds like gross negligence (sticking what is effectively a JTAG port on the outside of the door - that isn't an obscure mistake; anyone involved with security who looked at the design and thought it was ok to make a programming port accessible to the outside with no kind of hardware or software security and didn't spot a problem is incompetent), which would fall into the "not fit for purpose" category. And since this defect was clearly there at the time of manufacture, rather than having developed over months/years of use, the case looks quite winnable.

      I have often wondered how this applies to software... I think someone once informed me that software was explicitly excluded from the act, although I haven't checked myself. This seems a bit wrong - defects in software are easier to fix than defects in hardware (at least, on a large scale), so it seems more reasonable to ensure they are fixed rather than giving software vendors a free pass.

      so far as I know, no-one's ever tried to use "the law" to resist paying for ongoing maintenance fees on computer hardware, or at least nobody's succeeded in such a venture. And again - IANAL.

      Maintenance fees usually get you something over and above the law. For example, it might get you a no-questions-asked same-day engineer callout to replace whatever hardware has failed, rather than requiring you to prove that a failure was caused by a defect (possibly involving the courts). Yes, without a maintenance contract, you could probably get that failed motherboard replaced by the retailer, but would it be done immediately and without any hassle, or would you be left without a server for weeks? (This isn't just a case of the vendor being difficult when there is no maintenance contract in place - the vendor may genuinely believe that the problem wasn't caused by a defect, but having a maintenance contract is likely to make them swing the benefit of the doubt in your favour).

    7. Re:Double standard by Anonymous Coward · · Score: 1

      So you received a DVD in the mail or via courier?

      Otherwise, you paid $9.95+/month for your internet connection and ~$8+/hr for your time to download it from Microsoft.

    8. Re:Double standard by RaceProUK · · Score: 1

      Way to miss the point entirely, unless you think Microsoft is my ISP.

      --
      No colour or religion ever stopped the bullet from a gun
    9. Re:Double standard by Anonymous Coward · · Score: 0

      No, I paid a fractional amount for the bandwidth (we're talking pennies here) and then a single click to download and apply the patches that Windows had identified I needed - maybe a penny's worth of time. Try to think more next time.

    10. Re:Double standard by Anonymous Coward · · Score: 1

      And how often does your application software vendor supply bug and security fixes? I have to pay HUGE amounts to such software companies as Oracle and still end up with buggy, insecure from day zero software.

    11. Re:Double standard by RaceProUK · · Score: 1

      Since most of our software is MS, that's once a month, for free, with emergency updates in the interim when required.

      --
      No colour or religion ever stopped the bullet from a gun
    12. Re:Double standard by ratbag · · Score: 1

      Good point on the retailer vs manufacturer. Agree entirely that this lock manufacturer is negligent/naive.

      but having a maintenance contract is likely to make them swing the benefit of the doubt in your favour

      If the vendor is sensible, they'll have used the maintenance contract fees to pay for appropriate insurance against future claims, so they'll be happier to deal with the issue swiftly. It seems that the lock manufacturer didn't do that...

    13. Re:Double standard by ColdWetDog · · Score: 2

      And how often does your application software vendor supply bug and security fixes? I have to pay HUGE amounts to such software companies as Oracle and still end up with buggy, insecure from day zero software.

      If you're complaining about paying too much for Oracle stuff, you'll get no sympathy from any of us. It's not like we didn't warn you.

      --
      Faster! Faster! Faster would be better!
    14. Re:Double standard by Anonymous Coward · · Score: 0

      I have often wondered how this applies to software... I think someone once informed me that software was explicitly excluded from the act, although I haven't checked myself. This seems a bit wrong - defects in software are easier to fix than defects in hardware (at least, on a large scale), so it seems more reasonable to ensure they are fixed rather than giving software vendors a free pass.

      It doesn't matter. Read the microsoft EULA - they say explicitly that the software is not guaranteed to be fit for any particular purpose. So there is nothing to enforce. Now tell a salesman that you won't buy software "not fit for any particular purpose". Could be interesting . . .

    15. Re:Double standard by Anonymous Coward · · Score: 1

      Lucky you - I'm still trying to save up the $0.00. I've only got about $0.00 so far, but I hope in the coming months I'll have it all.

    16. Re:Double standard by Anonymous Coward · · Score: 0

      C'mon, since when is security proven unbreakable? We are talking about locks. If a thief can lockpick a physical lock, then is there compensation for the old ones? Of course not!

      And what does the company charge for? Only the physical board. This is real service.

      Can we please go back to intelligent sanity here?

    17. Re:Double standard by AmiMoJo · · Score: 1

      There have been cases of software being rejected as "not fit for purpose" in the UK, but unfortunately I can't find a news article right now. As I recall it was custom written for an organization but failed to live up to expectations and was in fact mostly useless to them. They won in court.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    18. Re:Double standard by sjames · · Score: 1

      Personally, I object to both, so I use Free software and avoid the problem.

    19. Re:Double standard by sjames · · Score: 1

      That's getting a bit petty, don't you think?

      Don't worry, MS commits plenty of sins, we don't have to curve fit them to this particular one.

    20. Re:Double standard by tepples · · Score: 1

      There have been cases of software being rejected as "not fit for purpose" in the UK [where] it was custom written for an organization but failed to live up to expectations and was in fact mostly useless to them.

      But that's a far cry from, say, a commercial off-the-shelf product.

    21. Re:Double standard by Anonymous Coward · · Score: 0

      Huh, my last employer bought a lot of Red Hat. Even after negotiated discounts, RHEL patches cost $250 a year per server. That didn't include any support. (Check https://www.redhat.com/apps/store/server/ and https://access.redhat.com/support/offerings/production/sla.html if you don't believe me.)

      Yeah, it's a teensy bit insane to more to patch Linux than it costs to **BUY** Windows Server. In our case, it was c-level managerial mayhem plus a healthy dose of Oracle-compatibility fever.

    22. Re:Double standard by Anonymous Coward · · Score: 0

      Oops.

      #s/insane to more/insane to spend more/g # headdesk!

  5. Really a story? by FaxeTheCat · · Score: 4, Insightful

    Is this really a story? The conditions for repairs and upgrades are most likely regulated in the contract between the hotels and the supplier/manufacturer. Big deal.

    1. Re:Really a story? by Anonymous Coward · · Score: 1

      The locks may not meet the expectation of being reasonably secure in the first place and that way all expense would fall upon the company that provided the locks. When you make a purchase you do have the reasonable expectation that the product is fit for sale. It would be one thing if the hack was provided by a large governmental hacker group, but if one or two guys working in a basement were able to hack the product I would tend to believe that the product was unfit for sale and the purchase should be recoverable. After all, if you went and bought a spanking new car that looked great but couldn't be started to leave the lot there would be a void sale. Selling locks means that the lock must be secure and liability should attach if the lock fails to secure.

    2. Re:Really a story? by Anonymous Coward · · Score: 0

      They make crappy locks. Maybe they make crappy contracts too?

    3. Re:Really a story? by stephanruby · · Score: 1

      Is this really a story? The conditions for repairs and upgrades are most likely regulated in the contract between the hotels and the supplier/manufacturer. Big deal.

      That's only because you missed, or just skimmed, the original story. This story wasn't about bad design, or even perfect lock security. Perfect lock security doesn't exist, it probably never will.

      But in this case, someone on the side of the lock manufacturer just got lazy and was intentionally negligent. That's the real story here. The company should be sued for negligence, all the board members and officers of the company should be sued for negligence, and the original engineer(s) should be sued for malpractice.

      Once you do that, you'll find that some of those people were smart enough to have covered their own ass by emailing their concerns to others in the company, and then printed out those emails to take home for their own personal records (in case those internal emails/memos at work were ever made to "disappear").

    4. Re:Really a story? by Anonymous Coward · · Score: 0

      Well, I guess the story is as follows:

      Company sells hot air as "security"
      Guy finds out it is hot air
      => Now Guy is criminal & Company gets some bad press
      Later
      Company decides to sell a balloon for the hot air that it already sold as "security"

      I guess my main grievance here is that Company is not put out as criminal... They damned well knew they were selling hot air, so it amounts to fraud in my world, but alas...

    5. Re:Really a story? by Anonymous Coward · · Score: 0

      I am almost certain that this lock company doesn't want to go down on technical flaws like that. Making references to an old contract would likely not be a good idea. Many organizations like hotels and the like will retain paper copies and will likely also have kept the sales presentation on the locks they chose. Something tells me wording like "SECURE", "Advanced" and other similar buzzwords would have been littered throughout those documents.

  6. They should act like Kryptonite. by Anonymous Coward · · Score: 5, Insightful

    Many slashdotters and/or cyclists remember the whole Kryptonite debacle where their locks could be opened with a Bic pen. Kryptonite offered free replacements, with free shipping, without requiring the receipt. They ate a huge cost but saved their company's reputation. People still buy their locks.

    This company is making its customers pay for their poor design. They are done.

    1. Re:They should act like Kryptonite. by Isaac-1 · · Score: 3, Informative

      I suspect Kryptonite had a bit more markup built into their business model; this sort of recall would likely bankrupt the lock company if they offered it for free, which would leave the hotels without replacement parts, or locks for new construction, etc. Remember hotels love standardization and these locks must offer remote programming from the front desk, etc.

    2. Re:They should act like Kryptonite. by norpy · · Score: 1

      There is a difference here:

      Kryptonite: Large number of customers with little knowledge of the issues protecting something cheap with something cheap; this warranty will likely not be taken up en masse, assuming the locks aren't already lost or rusting in a shed.

      Onity: Relatively small number of customers with large numbers of locks and highly likely to find out about the flaw who also likely pay for maintenance contracts.

    3. Re:They should act like Kryptonite. by tixxit · · Score: 2

      Intel recalled all processors with the FDIV bug back in the 90s and are still king of the hill today. However, very few companies have the resources to take a hit like that and come out intact. If they aren't offering the fix for free, it is probably because they just cannot afford it. I'm sure they are not completely brain dead and realize this looks bad to them. Most likely, they did more research leading up to this decision than we did.

    4. Re:They should act like Kryptonite. by ceoyoyo · · Score: 1

      I have a Mazda 3. The first couple of model years had a flaw where you could pop the door locks by punching the door at just the right spot. You had to hit it hard enough to leave a dent, but not so hard that thieves would bother to use something other than their fists.

      Mazda's (free) fix was to put a steel plate under that spot. After that I was tempted to install a camera just to see if I could watch someone trying the trick.

    5. Re:They should act like Kryptonite. by Anonymous Coward · · Score: 0

      Wow... (I am not a Lawyer: what follows is my understanding of the laws here... Seek licensed counsel if you find yourself in need of that sort of assistance)

      The big problem Onity faces here is that they're actionable (gross negligence in design doesn't entitle you to this BS they're running up the flagpole...) on a panoply of varying State laws. For example, they're being marketed as being reasonably secure - to wit, the negligence here renders them not so. This is in a manner that it could be deemed to be a "laundry list" violation of the Texas Deceptive Trade Practices Act (Practice #5, "representing that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities which they do not have or that a person has a sponsorship, approval, status, affiliation, or connection which he does not;"). The DTPA doesn't make distinctions on accidental, careless, or knowing violations. There's a bunch of other laws in other States that they could likely be tripping across. The DTPA's nasty in that if it's a knowing act on their part, it's treble damages - if it's also deliberate (i.e. they knew and continued on making the defective devices...) it's sextuple. This is in a manner that the damages/loss very probably exceeds $75k, which triggers the thresholds to allow Diversity Jurisdiction (28 USC 1332) to apply, and you get dragged into each and every State and have that State's law applied to you at the Federal level.

      NOT doing at least the workaround for free is INSANE because you're playing chicken with your customers in a manner that can cost a hell of a lot more than just the internally retained cap mod for all the locks the customer has.

    6. Re:They should act like Kryptonite. by Anonymous Coward · · Score: 0

      Why on earth would a guest want to stay at a hotel with these locks there? The only way I would personally consider it is if the hotel replaced the board. Even then I'd expect there are issues with how they have implemented this fix. The physical fixes from what I have read are pathetic.

  7. What? by Anonymous Coward · · Score: 0

    I don't see a story here.

    My foot can also open any locked door..

    And in a hotel. Nobody will care so long as the noise stops quickly.

  8. Is there any guarantee on the new circuit board? by Taco+Cowboy · · Score: 4, Interesting

    The real question is not whether the lock company should charge for fixing the bug

    The real question is whether there is a guarantee that the new circuit board (the upgrade) that the lock company provides is hack proof

    Or put it another way ---
    Will any e-lock company dare to guarantee that their e-lock for hotel room will be hack-proof?

    --
    Muchas Gracias, Señor Edward Snowden !
  9. You know what? by Tastecicles · · Score: 1

    Fuck your company, I'll go someplace else for my locks. Maybe to a company that knows the LAW when it comes to selling hardware that is FIT FOR PURPOSE!

    --
    Operation Guillotine is in effect.
    1. Re:You know what? by MysteriousPreacher · · Score: 1

      Maybe to a company that knows the LAW when it comes to selling hardware that is FIT FOR PURPOSE!

      Maybe they are perfectly within the law. In the UK, consumers cannot waive protections given by the Sale of Goods Act, but businesses can. It's not as black and white for businesses as it is with consumers. Exactly which law do you think the lock company should know, and how do you know they're breaking it?

      I do agree though - go elsewhere for locks. Even if not contractually or legally obliged to do so, with such a sloppy and blatant design issue, Onity should be picking up the tab. Hopefully the bigger chains will walk away from Onity.

      --
      -- Using the preview button since 2005
    2. Re:You know what? by wvmarle · · Score: 1

      Shopping around may be a good idea for a new set-up, but this has to do with existing hotels.

      Replacing the lock means purchasing a complete new set of locks, purchasing a complete new set of key cards and programming equipment, labour cost of replacing all these locks plus probably adaptations to the existing doors and door frames, possibly even the need to replace all the doors because there is no way to fit the new lock in the existing space in a good looking way.

      Going with the upgrade option on offer sounds cheaper and more practical/less intrusive to me.

      Then there is the legal question of whether the existing locks are "fit for purpose" or not. Being able to hack a lock does not necessarily mean they're not good enough, as given enough time/effort any lock can be broken. That it can be broken this easily, doesn't necessarily mean the company selling them has the legal obligation to fix this. It's definitely not as easy or as black/white as you and many others here would like to believe. Affected hotels will have to sue the company to get back their costs for replacement.

    3. Re:You know what? by Tastecicles · · Score: 4, Informative

      The Sale of Goods Act 1979 (c. 54) provides:

      14 Implied terms about quality or fitness.

      (1)Except as provided by this section and section 15 below and subject to any other enactment, there is no implied term about the quality or fitness for any particular purpose of goods supplied under a contract of sale.
      (2)Where the seller sells goods in the course of a business, there is an implied term that the goods supplied under the contract are of satisfactory quality.
      (2A)For the purposes of this Act, goods are of satisfactory quality if they meet the standard that a reasonable person would regard as satisfactory, taking account of any description of the goods, the price (if relevant) and all the other relevant circumstances.
      (2B)For the purposes of this Act, the quality of goods includes their state and condition and the following (among others) are in appropriate cases aspects of the quality of goods—
      (a)fitness for all the purposes for which goods of the kind in question are commonly supplied,
      (b)appearance and finish,
      (c)freedom from minor defects,
      (d)safety, and
      (e)durability.
      (2C)The term implied by subsection (2) above does not extend to any matter making the quality of goods unsatisfactory—
      (a)which is specifically drawn to the buyer’s attention before the contract is made,
      (b)where the buyer examines the goods before the contract is made, which that examination ought to reveal, or
      (c)in the case of a contract for sale by sample, which would have been apparent on a reasonable examination of the sample.

      emphases mine.

      If a lock is described as a lock, and looks like a lock, is it unreasonable to expect it to perform as such? I don't think so.
      If a device is described as a lock and does not in fact perform that function, to the point where intervention is required, then is it unreasonable to assume that the defect is by design? I would say not.

      Therefore, the effect of the failure of the product to perform *as advertised* constitutes a material breach of contract, one which should be pursued for restitution and remedy.

      DISCLAIMER: IAAL.

      --
      Operation Guillotine is in effect.
    4. Re:You know what? by Dr_Barnowl · · Score: 1

      Security is all about raising the cost of intrusion beyond the value of intrusion; the cost of intrusion for these locks will decrease rapidly as the knowledge of how to build the lock-cracker spreads. At first it will only be people with the time to reproduce the hack; then, when one of these is unscrupulous enough to spread this information, it will be enough to be merely proficient with a computer and a soldering iron. Then people will start selling them and anyone who just knows it's possible will be able to acquire the means to do it, and the rate of it actually being used to steal from hotel rooms will skyrocket.

    5. Re:You know what? by adolf · · Score: 4, Insightful

      If a device is described as a lock and does not in fact perform that function, to the point where intervention is required, then is it unreasonable to assume that the defect is by design? I would say not.

      It is common knowledge that locks only keep out honest people.

      Corollarily, a lock which allows entry by dishonest people is still a lock.

      If it were a mechanical lock with pins and tumblers, it would be defeatable by dishonest people. This lock happens to be electronic, and is also defeatable by dishonest people.

      I don't see the difference in the context that you specify.

    6. Re:You know what? by Neil_Brown · · Score: 1

      Therefore, the effect of the failure of the product to perform *as advertised* constitutes a material breach of contract, one which should be pursued for restitution and remedy.

      Absolutely — provided that this term is actually incorporated into the contract, which is the key issue here. (Let's assume that English law applies here.)

      Although the term is an "implied term," and thus can exist even if it is not written into a contract (if there is a written contract) or expressly stated as part of the agreement, there's no general principle of law which says that implied terms cannot be excluded. Instead, we have to look to specific laws on this.

      For this particular term, section 6 of the Unfair Contract Terms Act 1977 provides that:

      (2) As against a person dealing as consumer, liability for breach of the obligations arising from— (a) section 13, 14, or 15 of the 1979 Act (seller's implied undertakings as to conformity of goods with description or sample, or as to their quality or fitness for a particular purpose); ... cannot be excluded or restricted by reference to any contract term.

      As such, in a contract where one party deals as a consumer, the section you reference cannot be excluded — but there is no such prohibition in contracts between businesses. There is debate as to what it means to "deal as a consumer," though — could a business deal as a consumer for a particular transaction? It would be a question of fact in each case, but there's an argument that, yes, it could.

      So whilst there's no definite prohibition on excluding this term in a business to business transaction, businesses are not entirely out of luck, although by virtue of s6(3), there is a variable at play, which makes the position less certain:

      (3) As against a person dealing otherwise than as consumer, the liability specified in subsection (2) above can be excluded or restricted by reference to a contract term, but only in so far as the term satisfies the requirement of reasonableness.

      The business would need to look and see whether liability was excluded under the contract. If there's nothing saying that the term is excluded, brilliant. If the contract does attempt to exclude liability, the business would need to argue that this exclusion was unreasonable:

      ... the requirement of reasonableness ... is that the term shall have been a fair and reasonable one to be included having regard to the circumstances which were, or ought reasonably to have been, known to or in the contemplation of the parties when the contract was made. (s11(1))

      This would be a question of fact, highly dependent on the circumstances. If the exclusion clause is unreasonable, the implied term as to fitness for purpose stands. If it is reasonable, it falls.

      I can only speak from my experience, but getting a general "fitness for purpose" clause in a business contract is rare — it's a very broad warranty to give. More likely, I would have thought, is that the seller will have excluded the term, and the hotel will either need to make an argument about reasonableness of the exclusion, or else dig through its agreement to see whether the product failed to comply with an agreed specification or to a particular performance level, or anything like that.

      Just my musings, could be wrong, not your lawyer, hate that one might argue I need to exclude the possibility that someone might consider this legal advice etc.

    7. Re:You know what? by thegarbz · · Score: 1

      DISCLAIMER: IAAL.

      Of course you are. This is blatantly an advertisement for your services against lock makers of the world given how every house in America can be broken into with a lockpick. Does that make it defective by design?

      I smell a class action.

    8. Re:You know what? by gman003 · · Score: 1

      The question is one of difficulty and context.

      For instance, the lock on my floppy disc holder (yes, I still have one) can be opened simply by sticking a flathead screwdriver in it and turning. I would consider that to "meet the standard that a reasonable person would regard as satisfactory" for a cheap plastic floppy holder. I would NOT consider that lock to "meet the standard that a reasonable person would regard as satisfactory" for securing a hotel room.

      So it depends on how difficult it is to hack. Personally, the description makes it seem like a reasonably technical hack; the design was fairly solid, and any hack that requires disassembling the lock is not something you can do discreetly. So I would say it "meets the standard that a reasonable person would regard as satisfactory" for a hotel. But not for, say, securing a bank vault.

    9. Re:You know what? by mark-t · · Score: 1

      There are three factors here... and it is not any single one, but rather the combination of all three that makes this vulnerability serious enough that I would consider a lock with this vulnerability to not be "fit for purpose".

      • 1. The lock's security can be compromised by anybody, using tools that anybody can very easily acquire, without requiring access to particular trade skills or resources;
      • 2. Access to the vulnerable port can be done entirely from outside of the unit (the plug adds a little bit of protection, but as removal of this plug can still be done from outside of the unit by anybody with a Torx screwdriver that you can buy in a hardware store, I'd suggest that this may arguably be even worse since it adds an illusion of security where there isn't any); and finally,
      • 3. It is untraceable. Not in the sense that you cannot know who did it, but in the sense that the hack does not leave any evidence behind that it had occurred. If the lock had to be physically disassembled to a state that was impractical to quickly reassemble, and especially if said disassembly was visibly obvious from casual observance of the lock, then that, too, would probably be sufficient.

      If any one of these three issues were not present, this would simply amount to a security problem that is no worse than any other you might find in any other highly secure physical lock that is vulnerable to being defeated by dishonest people.

    10. Re:You know what? by MysteriousPreacher · · Score: 1

      Thanks. Looks pretty clear cut, as I can't imagine Marriott signing a contract that specifically states "devices for novelty use - not expected to function as locks".

      --
      -- Using the preview button since 2005
    11. Re:You know what? by freeze128 · · Score: 1

      The lock was a perfectly capable lock BEFORE the hack was produced. How long does this fitness for purpose clause last? Maybe for about 7 days?

    12. Re:You know what? by BorelHendrake · · Score: 1

      And how does this work with the fact that your regular lock is easily bypassed using a bump key?

      Seems to me that your argument should apply to regular locks and yet it doesn't seem like it is...

    13. Re:You know what? by Anonymous Coward · · Score: 0

      Welcome to lawschool.

      FULL DISCLOSURE: I am not a moron.

      Now, as laws depend on words, which are mostly a play of catch-22's in dictionaries, WHAT YOU THINK THEY IMPLY DOES NOT MEAN IT ACTUALLY MEANS THAT, AND ONLY THAT. Now take a look at On Denoting, by Russell, and go figure why good lawyers are able to win, even in the most ridiculous cases.

      The word you are looking for is Chess. Playing pieces are laws and psychology, which includes, but is not limited to, neurological programming.

      Why do you think, words are defined like variables, in legal documents?

      Welcome to a world that has people who are a gazillion times smarter than almost any /. reader :)

      Enjoy your governments.

    14. Re:You know what? by Svartalf · · Score: 1

      The problem is that it's got a stupid design defect that makes it very defeatable.

      They're advertising it as being more secure than regular locks, just for starters. If you don't see the context he's specifying, you're being willfully obtuse.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    15. Re:You know what? by Tastecicles · · Score: 1

      A lockpick is a specialised tool designed specifically and solely for picking locks.

      Someone who is carrying a lockpick is not going to perform a manicure. He's going to defeat a lock.

      An Arduino is not a lockpick. It is, as demonstrated here, however able to be programmed to defeat an electronic lock with the aid of nothing more than a common electronic connector.

      This is not a demonstration of the Arduino's utility as a lockpicking device; it is a demonstration of the failure of the electronic lock as a security device.

      --
      Operation Guillotine is in effect.
    16. Re:You know what? by thegarbz · · Score: 1

      I don't buy it. If we take an Arduino, put it in a pretty case and write the lock-breaker-2000 on it does it now make it specialised?
      What about putting a knife on the other end of the lock picks? There it's now a perfectly normal multi-purpose tool right?

      Just because the Arduino can do other things doesn't mean that when it is programmed for a specific task it isn't a very specific tool.

    17. Re:You know what? by Anonymous Coward · · Score: 0

      If the lock which is in place has been known to have issues it is no longer deemed a 'SAFE' lock. I am certain that when most people check into a hotel room they expect that the needed precautions have been taken to secure people's rooms.

      I think a great example of this would be the old style traditional keys (similar to handcuffs). Based on your statement, I as an honest person should be well within my legal limits to redo all of my guests' locks to use nothing more than a standard handcuff key.

  10. Say what? by Ignacio · · Score: 4, Insightful

    Torx? Obscure? What decade do they think this is?

    1. Re:Say what? by wvmarle · · Score: 1

      Well, insofar, it's not one that I have in my toolbox. That's how obscure and uncommonly used they are.

      It's also not one that I couldn't buy at the local hardware shop, if I'd need one.

    2. Re:Say what? by Anonymous Coward · · Score: 0

      who cares for torx. Nothing a flat head can resolve quicker.

    3. Re:Say what? by Anonymous Coward · · Score: 0

      Really? Lowes and Home Depot both carry Torx head sets...

    4. Re:Say what? by isorox · · Score: 1

      Well, insofar, it's not one that I have in my toolbox. That's how obscure and uncommonly used they are.

      It's also not one that I couldn't buy at the local hardware shop, if I'd need one.

      Yet the standard screwdriver set I keep in one of our overseas offices cost under USD10 and contains 4 different sizes

    5. Re:Say what? by rjr162 · · Score: 1

      Really? Every German car made uses Torx to take apart (even to mount an aftermarket radio into a new Beetle).

      Same with secure torx.. They aren't secure as you can get sets with the bits about anywhere.

      Even the extremely odd screw Nissan uses in some of their Altimas and other models to hold the BCM into the car (and I'm talking odd) can be found online (which some installers must purchase to do remote starts in those cars since they require connections at the BCM but the BCM is in a very tight spot).

      So, like others have said... Torx is anything but obscure.

    6. Re:Say what? by dissy · · Score: 1

      Torx? Obscure? What decade do they think this is?

      Exactly what I was thinking! I picked up one of these nice "100 piece security bit" sets from a local store for $10. Even at Amazon it's only $13 plus shipping.

      http://www.amazon.com/Neiko-100-Piece-Security-Bits-Storage/dp/B000O5XDOG

      Product Description
      100 pc. Security Bits Set Security bits set contains many of the most common tamper proof type security bit sizes, including tri-wing bits, torx bits, spanner bits, and hex bits. Security bits set contains: 1 - wing nut driver. 1 - magnetic bit holder. 1 - socket bit holder. 1 - 1/4" sq. x 1/4" hex x 1" extension. 1 - 1/4" sq. x 1/4" hex x 2" extension. 3 - clutch bits (# 1, 2 & 3). 3 - torq bits (# 6, 8 & 10). 3 - spline bits (M-5, 6 & 8). 4 - tri-wing bits (# 1, 2, 3 & 4). 4 - square recess bits (# 0, 1, 2 & 3). 4 - spanner bits (# 4, 6, 8 & 10). 6 - metric hex tamper proof bits (2, 2.5, 3, 4, 5 & 6). 6 - SAE hex tamper proof bits (5/64, 3/32, 7/64, 1/8, 9/64 & 5/32). 8 - phillips bits (0, 1, 2{5} & 3). 8 - pozi drive bits (0, 1, 2{5} & 3). 9 - slotted bits (3, 4, 4.5, 5, 5.5, 6, 6.5, 7 & 8). 9 - metric hex bits (1.5, 2, 2.5, 3, 4, 5, 5.5, 6 & 8). 9 - torx bits (T-8, 10, 15, 20, 25, 27, 30, 35 & 40). 9 - torx tamper proof bits (T-8, 10, 15, 20, 25, 27, 30, 35 & 40). 10 - SAE hex bits (1/16, 5/64, 3/32, 7/64, 1/8, 9/64, 5/32, 3/16, 7/32 & 1/4). Set includes plastic storage / carry case.

    7. Re:Say what? by Anonymous Coward · · Score: 0

      Containing both regular and tamper-resistant ("pinout") torx bits is redundant. Pinout torx drivers are backwards-compatible with regular torx screws. I only bother to keep the pinout versions of the drivers around for this reason.

    8. Re:Say what? by Gaygirlie · · Score: 2

      Here in Finland you can buy torx-screwdrivers from any store that sells any kinds of screwdrivers, ie. even your average small-time store has those. Hell, you'd actually be somewhat hard-pressed to find a screwdriver kit without torx. I really have a hard time believing finding torx-tools in the U.S. is that much more difficult.

    9. Re:Say what? by tixxit · · Score: 1

      Are you sure? The $50 socket set I bought years ago has a screw-driver attachment with several sizes of torx bits. I also have a few others lying around, not sure where they came from. Probably from replacement screens for my phone and things like that.

    10. Re:Say what? by ceoyoyo · · Score: 1

      You have both a crappy toolbox and a crappy hardware shop.

      I have to admit, I'm not exactly sure where my T10 is at the moment, because people keep borrowing it because they're used in all sorts of things. But you can generally find cheap torx sets at the local dollar store and sometimes convenience and gas station stores. No need to even go to a hardware store.

    11. Re:Say what? by ColdWetDog · · Score: 1

      Well, insofar, it's not one that I have in my toolbox

      That's not even wrong....

      --
      Faster! Faster! Faster would be better!
    12. Re:Say what? by michelcolman · · Score: 1

      Well, you're a geek so you might have access to geek tools like Torx screwdrivers. The people they are trying to thwart, however, don't have access to anything fancier than... say... custom arduino devices to hack electronic locks. Sure, anyone can wire boards together to create electronic gizmos. But Torx screwdrivers, that's a whole different ball game, they're much less likely to get their hands on those.

    13. Re:Say what? by JeffAtl · · Score: 1

      I think you missed the OP's double negative. He stated that torx is NOT one that he COULD NOT buy.

      In other words, he is saying that he could buy it at the hardware store.

    14. Re:Say what? by ceoyoyo · · Score: 1

      You're right. Whoops. He still doesn't have a very good toolbox. Bikes have used various sizes of Torx, including the infamous T10 for ages.

    15. Re:Say what? by Inda · · Score: 1

      Ah! Star bits!

      Sorry, I had to Google Torx, then I realised I have 10 sets of them at home, all unused. If you've ever bought an electric screwdriver in the UK, you probably have a complete set of Torx bits, probably 10.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  11. Torx? Secure? by tconnors · · Score: 1

    Torx? Secure? Is this some kind of security through obscurity that this company are obviously so good at?

    I've lost count of the number of Torx screwdriver sets I have.

  12. Sweet. by Impy+the+Impiuos+Imp · · Score: 5, Funny

    > "as well as more-obscure Torx screws to prevent intruders from
    > opening the lock's case and removing the plug"

    Because nobody capable and determined enough to rig up the electronic interface for $50 can handle the mental and financial stresses of a $10 Torx set from the hardware store.

    "Well, we got the device. Open it up."

    "Whoa! What kind of screws are these?"

    "Lemme look -- MY GOD, IT'S FULL OF STARS!"

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:Sweet. by Anonymous Coward · · Score: 0

      $50 is too much. Search eBay and you can buy a cheaper Arduino easily. $18 for a chin-duino or something. (shipped)

  13. Of course they won't be by Rix · · Score: 3, Funny

    I can hack any hotel room door.

    With an axe.

    1. Re:Of course they won't be by fustakrakich · · Score: 2
      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Of course they won't be by DarwinSurvivor · · Score: 2

      Lock Picking. A subtle and proud art... Long since rendered obsolete by the Broad Axe.
      http://img200.imageshack.us/img200/336/motivationalposterlockp.jpg

      Sorry about the imageshack link, but every demotivational website seems to have removed this one. Someone must have gone on a DMCA rampage or something :(

    3. Re:Of course they won't be by cffrost · · Score: 1

      Wendy, I'm home

      Haha I was about to post the exact same reply! Used to be my sig, in fact... Favorite movie of all time. :D

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
  14. Master key systems can be hacked too by twosat · · Score: 3, Interesting

    I remember reading years ago about Matt Blaze, a security researcher at AT&T Labs-Research who discovered how to create a master key from a key and a lock which is opened by it. His method was a trade secret used by many locksmiths, which pissed them off when he publicised it.

    http://it.slashdot.org/story/03/01/23/0359230/att-identifies-widespread-security-hole---in-locks

    http://www.nytimes.com/2003/01/23/business/many-locks-all-too-easy-to-get-past.html

  15. Hotel In room "safe" by trout007 · · Score: 5, Informative

    I was staying in Marriott and they have a small in room safe. Its the kind with a digital keypad where you select your own code. I put stuff in there while we went to the pool.

    When we got back I guess one of the kids was playing with it and it stopped responding because they pressed too many buttons. So I looked it up online. All I had to do was press "lock" twice to enter supervisor mode then 999999 and it opened the safe bypassing my code.

    So don't use those safes for anything real valuable. Next time I have to play around with supervisor mode to see if I can change that password.

    --
    I love Jesus, except for his foreign policy.
    1. Re:Hotel In room "safe" by isorox · · Score: 2

      I was staying in Marriott and they have a small in room safe. Its the kind with a digital keypad where you select your own code. I put stuff in there while we went to the pool.

      When we got back I guess one of the kids was playing with it and it stopped responding because they pressed too many buttons. So I looked it up online. All I had to do was press "lock" twice to enter supervisor mode then 999999 and it opened the safe bypassing my code.

      So don't use those safes for anything real valuable. Next time I have to play around with supervisor mode to see if I can change that password.

      If I'm staying in a dodgy city for a period of time, I spread the risk. £100 and passport copy in the safe, normal wallet and passport on me, and I always keep a credit card in my dirty laundry in the suitcase just in case.

    2. Re:Hotel In room "safe" by trout007 · · Score: 2

      I forgot. I took a video of it. It's a Safemark safe.

      http://youtu.be/UYjJuE7l7VM

      --
      I love Jesus, except for his foreign policy.
    3. Re:Hotel In room "safe" by Anonymous Coward · · Score: 0

      Sorry, this is b***s***. The only thing that comes up on Google is your post.

    4. Re:Hotel In room "safe" by trout007 · · Score: 1

      Did you see my video?

      http://youtu.be/UYjJuE7l7VM

      --
      I love Jesus, except for his foreign policy.
    5. Re:Hotel In room "safe" by trout007 · · Score: 2

      Additional Information:

      It was a Safemark Safe.
      It was displaying an error ebar.
      I used those to look up the information.

      Also sites suggested to try 000000, 123456, 999999 as the supervisor password.

      The point I'm making is that hotel maintenance has a supervisor password and most likely it's something very easy to guess or share. I'm not claiming 999999 will unlock everyone.

      --
      I love Jesus, except for his foreign policy.
  16. Isn't the problem offering access to the outside? by 91degrees · · Score: 1

    So, how about cutting wires to the port, and wiring a new port on the other side of the door. Presumably this could be done fairly neatly.

    Seems the fundamental flaw is that the access port is on the outside of the door.

    It's a moot point though. Hotel rooms aren't secure. Dozens of people have access. My suggestion is to use the safe to store valuables.

  17. Re:Isn't the problem offering access to the outsid by gl4ss · · Score: 1

    the lock to the safe is usually equally worthless, too bad. better to just stash the stuff under the drawers.

    --
    world was created 5 seconds before this post as it is.
  18. Re:Is there any guarantee on the new circuit board by forkazoo · · Score: 4, Insightful

    Will any e-lock company dare to guarantee that their e-lock for hotel room will be hack-proof?

    Of course not. Nobody has ever guaranteed such a thing, except for shady dealing liars with the worst security of all. Anybody who works in security knows that any system which protects something sufficiently valuable, or is sufficiently widely deployed, will eventually come up against some lock pick or safe cracker who has enough intelligence, free time, and interest. It's just a question of how long it takes to happen, and how inconvenient it is when he shows up. Adding such a guarantee would just be a giant banner attracting more interest from such people.

    Besides, this isn't software. If the guarantee is disproven, and you have to push out patches, you can't just put them on an FTP server. You have to build physical hardware, ship it out, etc. It would be unreasonable to expect any company to do all of that for free. In some cases a company will do a free, voluntary recall out of pocket for the sake of good PR. But, it's hardly something you can demand.

  19. Now that's what I call... by srussia · · Score: 5, Funny

    All I had to do was press "lock" twice to enter supervisor mode then 999999 and it opened the safe bypassing my code.

    "six-nines" availability!

    --
    Set your phasers on "funky"!
    1. Re:Now that's what I call... by adolf · · Score: 1

      *5*

  20. Re:Is there any guarantee on the new circuit board by Anonymous Coward · · Score: 0

    They don't offer the same guarantee for real locks either. Just that it's very very very difficult. Some locks can be very quickly opened by a bump key, others claim to be virtually unpickable but nothing's 100%. At the worst you can just turn up with a drill and drill straight through the lock if you're really determined to gain entry.

    All locks are only meant as a deterrent, or to slow down an intruder long enough that they draw attention to themselves so that they're either foiled or remembered.

  21. Not exactly Inconspicuous by damn_registrars · · Score: 1

    If the hack requires someone to physically open up the lock with a screwdriver and pull a plug out from the mechanism, it's not really something that can be done quickly and easily without likely attracting attention. Sure, a screwdriver is a lot less noticeable than say a blowtorch or a hacksaw, but most people would notice it if they were walking down the hallway and wonder what is going on.

    In other words I doubt many people would find this to be a practical hack to employ. They'd likely be more successful with a little bit of social engineering at the front desk instead.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Not exactly Inconspicuous by drinkypoo · · Score: 1

      I can remove two security torx screws in five seconds or less with some practice and the right screwdriver. That is a non-fix.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Not exactly Inconspicuous by ColdWetDog · · Score: 1

      Nah. It would be like the old 'Mission Impossible' episodes (the TV ones) when Barney would come through in his step van and overalls and act like he belongs there. Who the hell would know? The maids - they don't care as long as he's not making a mess. The junior night clerk? He's still sitting at the front desk sexting his GF (or BF or furry friend or whatever).

      The surveillance cams would record you but anyone with ten dollars of theatrical makeup (just like in Mission Impossible) could defeat that.

      Really, all anyone needs to do is look at a bunch of old Mission Impossible episodes and read this guy's hack and you're golden.

      --
      Faster! Faster! Faster would be better!
  22. Re:Is there any guarantee on the new circuit board by Firethorn · · Score: 4, Insightful

    At the worst you can just turn up with a drill and drill straight through the lock if you're really determined to gain entry.

    Really, for most locks, and most doors, it's about providing an approximately equal amount of protection from all points of entry. Allowing a subtle entry is considered worse than an obvious entry.

    Locks are already generally to the point that you don't try to physically defeat them - you go after the door instead. If you want in and don't care about being obvious, a small sledge will get you into most hotel doors with one whack, ~5 seconds. If the pins are on the outside, you pop those out and remove the door ~30 seconds. Put the pins back in and you have a covert entry.

    $50 worth of parts and technical knowledge required is actually a fairly high bar.

    --
    I don't read AC A human right
  23. This isn't necessarily the end of the world by jimicus · · Score: 1

    The thing about any security issue is you've got to weigh up the cost versus the benefit.

    First off: The hotel doesn't really care about the fact your digital camera might have holiday snaps from your once-in-a-lifetime holiday on there. Nor do they care that you brought your laptop (complete with the only photographs you have of your recently-deceased granny) and haven't backed it up lately.

    All they care about is "How much is failing to fix this going to cost us? Will it be more than the cost of fixing it?". And given that most hotel rooms aren't exactly impregnable anyway, I don't think it's that much of a big deal - it's considerably easier and cheaper for an outsider to buy a set of overalls and a toolkit and force their way in that way. If questioned, simply produce a mocked-up job sheet that shows there's a fault with the lock and you're fixing it.

  24. Doesn't matter by Dunbal · · Score: 1

    This doesn't affect me because I keep all my valuables in the hotel safe!

    --
    Seven puppies were harmed during the making of this post.
  25. Re:Is there any guarantee on the new circuit board by oobayly · · Score: 2

    Immediately thought of this:

    From Sneakers

  26. Re:Isn't the problem offering access to the outsid by drinkypoo · · Score: 2

    So, how about cutting wires to the port, and wiring a new port on the other side of the door. Presumably this could be done fairly neatly.

    Seems the fundamental flaw is that the access port is on the outside of the door.

    The fundamental flaw in your comment is that the port needs to be on the outside of the door so that it can be used in cases where the door cannot otherwise be opened.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  27. Re:Is there any guarantee on the new circuit board by erroneus · · Score: 4, Insightful

    If you think about it, this is all common practice. Some bugs in hardware and software NEVER get fixed. Instead new versions are released for sale. That recall fixes happen from time to time is a careful balance of deciding whether the public outcry will result in loss of business.

    That said, the locks aren't much more insecure than they were prior to the revelation. It requires tools and expertise to accomplish this feat. It's not like some dumb thief off the street will be any more of a threat than they were before.

    The added protection; is it worth the effort? Even if it was free to put out the update is it worth the effort? Tough question. Is it worth the manufacturer updating the design to thwart the new hack? Surely. I think the right choices have been made in this case.

    If, someone markets a hotel hacking kit with instructions to the public and they somehow get away with it, that might be another matter. But are traditional metal key locks out of style or use in light of lock picking kits? Nope...

  28. Re:Isn't the problem offering access to the outsid by Anonymous Coward · · Score: 0

    I believe the access port is provided so that they can reset the key for a lock when they're locked out of the room without having to break down and damage the door - pretty useless if the port's only inside the room.

  29. Re:Is there any guarantee on the new circuit board by mwvdlee · · Score: 1

    Will any e-lock company dare to guarantee that their e-lock for hotel room will be hack-proof?

    And preferably do so at least a few weeks before the next Black Hat convention.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  30. Re:Is there any guarantee on the new circuit board by Anonymous Coward · · Score: 0

    Torx screws? Shop class wins the day again! It would be a few minutes' work to make a tool to unscrew them.

  31. Re:Isn't the problem offering access to the outsid by Anonymous Coward · · Score: 0

    Or the safe is bolted in a cupboard to a removable shelf and can easily fit complete with shelf into a normal sized suitcase, as was the case in the last hotel I stayed at.

  32. Perfectly Fair by Anonymous Coward · · Score: 0

    The lock company is being perfectly fair in this case. More so than I had expected. They are offering a free fix that will work quite well, despite the poster's glib insinuations. They are also offering a more comprehensive fix that requires replacing a significant portion(cost wise) of the lock, which they are charging for to cover the extensive parts and labor involved.

    Most lock companies would have simply offered to sell them new "improved" locks, that they can install for an additional charge.

  33. Hardware, meet software. by miffo.swe · · Score: 1

    Welcome to the software world, where you pay for the product, support of the product and anything that needs to be done to make the product work as advertised.

    --
    HTTP/1.1 400
  34. I don't remember seeing anything in the reports by kaizendojo · · Score: 3, Insightful

    that Onity guaranteed the locks to be unhackable. A researcher discovered a flaw, they are offering two solutions to correct it; one free and one (better) for a reduced price. What's the issue? Maybe I'm missing something, but they seem to be acting fairly and responsibly.

    1. Re:I don't remember seeing anything in the reports by bussdriver · · Score: 1

      The poster and possibly the people who pushed the article up to the top do not understand how many business to business relationships work. This is not consumer relations this is a business customer who is LOCKED IN to a provider critical to their business. They do not get free recall solutions unless it is dirt cheap and even then the fix might be a profitable scam by the supplier.

      If you want something even resembling consumer level care you have to make a big stink and threaten lawsuits. That doesn't work plenty of times because they'll have law firms on retainer-- there are plenty of business vs business lawsuits and arbitration that DO NOT involve patent disputes.

  35. easy fix by Anonymous Coward · · Score: 0

    Fill port with epoxy!

    1. Re:easy fix by JazzLad · · Score: 1

      Hotel would never do this, but sounds like something a geeky guest should have. It'll take them months if they ever discover it was filled with epoxy, meanwhile your room is slightly more tamper-proof.

      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
  36. Re:Isn't the problem offering access to the outsid by leonardluen · · Score: 1

    That is why most electronic locks still have physical keys. Otherwise how would you open the door when the battery goes dead on the lock? Most hotel locks operate off a battery. Also what happens if the solenoid that engages the lock breaks? Without a physical key, it would be impossible to open the door without breaking the door down.

    They really should put the programming ports on the inside.

    Note: I work with various kinds of electronic locks. However, I do not work for a hotel.

  37. Re:Isn't the problem offering access to the outsid by leonardluen · · Score: 1

    Most electronic doors still have physical keys to allow access for when the lock malfunctions. There is no need to put the port on the outside of the door other than laziness.

    I work with various kinds of electronic locks. However, I do not work for a hotel.

  38. Re:Torx? Secure? by Anonymous Coward · · Score: 0

    http://en.wikipedia.org/wiki/Torx#Variants

  39. Adobe is in the lock business now? by VeryVito · · Score: 1

    Why should this revenue stream be available only to large software companies and gang protection rackets?

  40. Sure, we'll be glad to pay! by Anonymous Coward · · Score: 0

    By buying the other guys locks and suing you for the cost of the installs.

  41. Lock by bickerdyke · · Score: 1

    That hack needs access to a debug/programing interface. Shouldn't that interface have been protected by a _mechanical_ lock in the first place?

    --
    bickerdyke
  42. Re:Is there any guarantee on the new circuit board by Hotawa+Hawk-eye · · Score: 1

    Will any e-lock company dare to guarantee that their e-lock for hotel rooms will be hack-proof?

    Of course not. Nobody has ever guaranteed such a thing, except for shady dealing liars with the worst security of all. Anybody who works in security knows that any system which protects something sufficiently valuable, or is sufficiently widely deployed, will eventually come up against some lock pick or safe cracker who has enough intelligence, free time, and interest. It's just a question of how long it takes to happen, and how inconvenient it is when he shows up. Adding such a guarantee would just be a giant banner attracting more interest from such people.

    Besides, there's always the social engineering approach to lockpicking, namely holding the person with the key at gunpoint/knifepoint until they open the door. I'm not going to link to the obvious XKCD.

    Besides, this isn't software. If the guarantee is disproven, and you have to push out patches, you can't just put them on an FTP server. You have to build physical hardware, ship it out, etc. It would be unreasonable to expect any company to do all of that for free. In some cases a company will do a free, voluntary recall out of pocket for the sake of good PR. But it's hardly something you can demand.

    I imagine there's probably going to be at least one lawsuit out of this, and if it reaches discovery and there's evidence that the lock manufacturer was aware of the flaw and didn't fix it (because it would be too expensive, for instance) then they may wish they'd replaced the circuit board component for free.

  43. Re:Is there any guarantee on the new circuit board by trum4n · · Score: 2

    Or a walk to ACE hardware...

  44. Re:Is there any guarantee on the new circuit board by jnork · · Score: 1

    Or out to my garage.

    --
    Cleverly disguised as a responsible adult.
  45. A better solution by Sentrion · · Score: 1

    Just find out what type of lock is on the door and call the manufacturer's technical support hotline. If you have brief access to the room, say, during maid service when the doors are open and hardly anyone is giving much attention to guests passing down the hall, check the door lock for manufacturer, serial number, and any other markings. Take pics to make the inspection quicker. Look up the exact model on the company's website and study the user's manual. Then when you have the manufacturer's tech support online just describe the lock you have and claim that you lost the code or the master key or whatever is used to program the lock. They are usually very helpful and rarely ever ask for your name, company, or any proof that you are the owner of the locks.

    I've used this approach to open an abandoned combination safe.

    Alternatively, you can use social engineering to gain entry to just about any hotel room. Just walk down the hall with nothing but a towel (change clothes in the janitor's closet, stairwell, or by the ice machine and hide your clothes well) during maid service and act like you just realized that you left your key in the room and need to get back in. Given your apparent predicament most maids will let you in any room without any question.

    1. Re:A better solution by ColdWetDog · · Score: 1

      Just walk down the hall with nothing but a towel ...

      Please don't say stuff like that around here. Somebody is likely to listen to you.

      We don't want that. Really, we don't.

      Think of the children!

      --
      Faster! Faster! Faster would be better!
  46. Re:Is there any guarantee on the new circuit board by omnichad · · Score: 1

    There's a number of tamper-resistant Torx variations out there, only one of which is likely to be at ACE.

  47. This is an easy fix for anybody... by bobbied · · Score: 1

    Locks are simply to deter unauthorized/undetected entry. Even a bank vault is designed simply to deter unauthorized entry and make it obvious when the vault was opened when it shouldn't have been. Locks provide varying degrees of protection by being hard to open, but a "good" device will be hard to open without the key or combination and will show obvious signs when it is brute forced open.

    The issue with these locks is that they permit unauthorized entry that is not easily detected. One just hooks up some device to the exposed port and one can gain entry in a way that is undetectable. But it is easy to make it difficult to hide when it is forced.

    For existing locks, the cover is a good idea; using less common hardware (security Torx or another style) helps too. However, I think that adding a security sticker, designed to show when the electronic port is accessed, should be sufficient for most of us. The cover makes accessing the port more difficult and the sticker makes it obvious when the port is used. Both of these would cost very little to do and should meet reasonable expectations for hotel room door locks.

    This doesn't mean the manufacturer shouldn't make some efforts to secure that port in future locks sold. I would suspect that it would be fairly easy to change the firmware in the lock and the supplied support equipment that it delivers in the future and add some additional security to the system. Any number of techniques would work great and make this current exploit go away. However, they should always keep in mind that if it is possible to open the lock from the port, it is hackable, and they should attempt to provide detection of hacking attempts. This means that they should keep the cover in place and make it evident when it is tampered with.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  48. Yah well the pen might be mightier by future+assassin · · Score: 1

    than the sword but not mightier than Porta Power http://www.kmstools.com/autobody-11000000/porta-power-hydraulic-items-11040000/

    They were also vulnerable to freezing with butane and then smacking the lock base with a hammer. This was before the pen exploit.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  49. Re:Is there any guarantee on the new circuit board by Applekid · · Score: 2

    A lighter and a bic pen can make a suitable conforming screwdriver for most security bits of appropriate size. For other sizes, other sizes of polycarbonate pens / barrels / rods will do.

    --
    More Twoson than Cupertino
  50. Re:Is there any guarantee on the new circuit board by omnichad · · Score: 1

    What's that have to do with going to ACE Hardware?

  51. Re:Is there any guarantee on the new circuit board by StuartHankins · · Score: 1

    Because carrying a few Torx screwdrivers is riskier than carrying a disposable pen and lighter.

  52. Obscure? by kimvette · · Score: 1

    Torx fasteners have not been obscure for at least 20 years. Torx have been used on cars for at least that long. Besides, torx fasteners that size are easy to "defeat" with a simple flat screwdriver.

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    1. Re:Obscure? by Red_Chaos1 · · Score: 1

      Not quite so easy if it's a security Torx. That center pin blocks your flathead pretty well.

    2. Re:Obscure? by kimvette · · Score: 1

      Not quite so easy if it's a security Torx. That center pin blocks your flathead pretty well.

      Sure, it will block the flathead screwdriver, but any tech, electrician, or professional crook will have a set of security Torx bits on hand - or simply pry or grind out the center pin. Those fasteners only provide a false sense of security.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
  53. Implied warranty of fitness for use by davidwr · · Score: 1

    In many jurisdictions, products are sold with a legally enforceable, implied warranty that they do what they say they do.

    When you buy a lock, you expect it to work and you expect it to not be easy to pick. Or, if it's a consumer-grade lock, you DO expect it will be easy for a trained thief with a few tools to pick.

    When a decent hotel buys a lock, it expects it won't be easy to pick.

    More importantly, many states require hotels to furnish all guest rooms with locks that work. A lock that is easy to pick may not meet this legal requirement, rendering the rooms legally un-rentable.

    The "free workaround" likely meets the legal requirements of a "lock that works" but it won't make the affected hotel-owners happy.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  54. Competition by dumky2 · · Score: 1

    What other brands of locks can hotels buy? Seems to me that Onity is inviting some of its customers to ditch them.

    If you have to pay for the proper fix, then it is marginally more attractive to use that money towards a set of locks that are less flawed from a company who takes service seriously. This is not helping Onity's reputation, which is a good opportunity for its better competitors.

    --
    These comments are mine; I do not speak for my employer.
  55. Robbing a hotel room requires WAY more balls.... by Anonymous Coward · · Score: 0

    .... than I would credit a typical person capable of building this arduino code breaker device to be in possession of.

  56. Think RadioShack by RobertLTux · · Score: 1

    ask the guy pushing cell phones where the 64 series tools are (i think you want the green case)

    or you could track down a Harbor Freight Tools location and really have some fun

    --
    Any person using FTFY or editing my postings agrees to a US$50.00 charge
    1. Re:Think RadioShack by wvmarle · · Score: 1

      FYI I'm not anywhere near those American-brand stores. Our local hardware shops have pretty much anything.

  57. MSN by tepples · · Score: 2

    unless you think Microsoft is my ISP

    It's possible.

    1. Re:MSN by RaceProUK · · Score: 1

      Didn't think that was still going. Doesn't apply to me though, as I'm in the UK.

      --
      No colour or religion ever stopped the bullet from a gun
  58. Windows upgrades by tepples · · Score: 2

    How much did you pay for a Windows Service Pack?

    Windows 7 has been nicknamed Windows Vista Service Pack 3 by the press, and Microsoft charges for it. So to answer your question, search for windows 7 upgrade price on Bing or Google.

  59. Rural Internet with single digit GB/mo by tepples · · Score: 2

    I paid a fractional amount for the bandwidth (we're talking pennies here)

    It's pennies for people who live within range of fiber, cable, or DSL. But if you're stuck on satellite or cellular Internet with its single digit GB/mo cap, it's either a $10 per GB download or a drive into town to find a library or coffee shop that will let you bring in your computer and monitor.

  60. Re:Is there any guarantee on the new circuit board by sjames · · Score: 1

    As TFA pointed out, since the programmer needs no upgrade after installing the new boards, it is seriously questionable. I would expect a real fix to at least require a flash upgrade to the programmer firmware.

    Speaking of which, if the lock was well designed in the first place, the programmer should have been able to re-flash the lock to fix the issue.

  61. Security is NOT cheap by sapgau · · Score: 1

    The locks appeared to be safe initially but were not fully tested to this type of attack.
    Hindsight is 20/20. They should have spent more on testing against these hacking attacks, but how much would that be?

    Time for the government to certify these products?

  62. Re:Is there any guarantee on the new circuit board by dgatwood · · Score: 1

    There's a number of tamper-resistant Torx variations out there, only one of which is likely to be at ACE.

    Who cares. A Dremel or a cordless drill will remove all of them. If you're breaking into a room, odds are you don't care about property damage. If you want to hide the evidence long enough to escape, a little self-stick tape will hold the covers on just as well as the screws.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  63. Re:Is there any guarantee on the new circuit board by omnichad · · Score: 1

    A dremel won't make a standard Torx screwdriver fit into a pentalobular screw. My understanding is that this was to be a non-standard shape as well as a security pin.

  64. Re:Is there any guarantee on the new circuit board by omnichad · · Score: 1

    And this is about quick and easy access on the order of seconds.

  65. Re:Is there any guarantee on the new circuit board by dgatwood · · Score: 1

    I take it you've never drilled the head of a screw. Hint: it doesn't hold anything on after you do that.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  66. A PLUG AND A TORX BIT!!! by GameboyRMH · · Score: 1

    OH NOES I AM THWARTED!!!1UNO!

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  67. Re:Is there any guarantee on the new circuit board by omnichad · · Score: 1

    I have. It's loud.

  68. Re:Is there any guarantee on the new circuit board by michelcolman · · Score: 1

    If you're already carrying an arduino device to plug into the port, I don't think the torx screwdrivers are going to significantly increase your risk of attracting attention.

  69. Re:Is there any guarantee on the new circuit board by StuartHankins · · Score: 1

    Arduino by itself isn't suspicious, for instance put one in a remote control housing, phone housing etc. If you get caught it might not be looked at too closely as "thieves' tools"... but everyone knows what screwdrivers are for. I guess I was saying the less obvious the better, if you're into this sort of thing.

  70. I would eventually pay by SpaghettiPattern · · Score: 1

    I would eventually pay to have the locks replaced by another company.

    --

    I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
  71. Re:Is there any guarantee on the new circuit board by dgatwood · · Score: 1

    Sure. But that doesn't matter, because, in practice, nobody ever asks why you're doing it. That's the thing about social engineering. If you look like a maintenance person and act in a way that no sane criminal would ever act, nobody will ever assume you're anything but a maintenance person. Most of the time, even the rest of the staff will assume you're a new hire. Ironically, the best way to avoid detection is to be as overt as possible about what you're doing.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  72. Re:Is there any guarantee on the new circuit board by Anonymous Coward · · Score: 0

    FYI, if the door is forced, these electronic systems go into an alarm that is very loud and obnoxious. There is no way you could get a covert entry. I was having problems with my door reading my key card here at a hotel in China. Not only did it randomly start refusing my key card, but they reset it and it refused the new keys as well. So they forced it, broke the door which was much weaker than the lock, set off the alarm, and I was able to get my stuff out and move into another room on another floor where I could still hear the alarm on my old room for several more hours...

  73. No unusual or necessarily bad by Anonymous Coward · · Score: 0

    Asking customers to pay for an upgrade?? Say it's not so.

    The only real issue (legally) is how they "sold" the security. If they said something stupid like "NSA/CIA/DOD secure", then someone will probably have a case (and moral authority).

    If they sold the security as "comparable to key locks but easier to manage", for example, well, then since key locks have only minimal security, it's not like they actually "oversold" the security at all so insisting that hotels pay upgrades is perfectly reasonable.

    I don't know which was their sales pitch but if they had half a brain it would have been the latter.