After Hacker Exposes Hotel Lock Insecurity, Lock Firm Asks Hotels To Pay For Fix

Sparrowvsrevolution writes "In an update to an earlier story on Slashdot, hotel lock company Onity is now offering a hardware fix for the millions of hotel keycard locks that hacker Cody Brocious demonstrated at Black Hat were vulnerable to being opened by a sub-$50 Arduino device. Unfortunately, Onity wants the hotels who already bought the company's insecure product to pay for the fix. Onity is actually offering two different mitigations: The first is a plug that blocks the port that Brocious used to gain access to the locks' data, as well as more-obscure Torx screws to prevent intruders from opening the lock's case and removing the plug. That band-aid style fix is free. A second, more rigorous fix requires changing the locks' circuit boards manually. In that case, Onity is offering 'special pricing programs' for the new circuit boards customers need to secure their doors, and requiring them to also pay the shipping and labor costs."

You know what else can open a lock? A crowbar.

[Rogerborg]

Any hack that requires physical disassembly of the lock is just ePeen waving.

Given the choice between a $50 bit of magic juju that might work after 5 minutes of fiddling, and a $20 jimmy that will work 100% of the time in 10 seconds, I know which option 99% of "going equipped" criminals are going to go for.

So, no, I'm not blaming the lock manufacturer here. No security is absolute, it's a question of what's reasonable.

Re:You know what else can open a lock? A crowbar.

[ArsenneLupin]

RTFA. No need to disassemble the lock - all you do is plug in a small gadget into a nokia-charger-style plug at the bottom of the lock and volià - open door.

Not after the "free" workaround (cap that covers connector, and requires lock disassembly to remove) is applied.

And I guess, if you already have disassembled the lock, you won't need the gadget to open it: a short applied directly at the actuator would do the trick too.

So, the "bandaid-style workaround" (cap) might actually make more sense than the improved circuit board (which may only protect against the current intrusion software, but not against enhancend versions that take into account the new memory layoyt).

Re:You know what else can open a lock? A crowbar.

[adolf]

Forget applying a "short" "directly at the actuator" (whatever that means): If you've already got the lockset disassembled, you just unlock it mechanically; no electronics needed.

That said, presumably (and I did R most of TFA), neat disassembly also requires access to the locked room, as is the case with most locks which are designed to be secure in only one direction.

But without more data, I'm led to wonder if the "free" workaround cap is actually all that physically secure, anyway: Being both a retrofit and (and again I presume) only having been designed within the past month or so, and then built down to a cost that can be distributed for free, it seems entirely likely that the cap itself might still be vulnerable to defeat from outside.

Double standard

Hmmm, we take umbrage that a company charges for a hardware upgrade to a flawed physical device, but we have gotten used to having to pay for software upgrades to get our bugs fixed. It is the second of these that is the real scandal.

Re:Double standard

[FireFury03]

IANAL. But I've been corrected on this issue by someone who is, and who happened to be my boss at the time.

If you're talking about the UK (my version of "over here") most of the stuff to do with refunds and longer-term fitness for purpose only apply to individual consumers.

The Sale of Goods Act requires the retailer (*not* the manufacturer) to warrant a product for its "reasonable" life expectancy to be free of manufacturing and design defects and fit for purpose. Within the first 6 months the burden of proof is upon the retailer (if they don't want to refund/fix then within the first 6 months they have to prove that there was no defect or that its "reasonable" life expectancy has been exceeded). After the first 6 months the burden of proof is upon the consumer (you prove that there was a defect and that it is within its life expectancy).

No one sane expects a lock to be completely secure, but this sounds like gross negligence (sticking what is effectively a JTAG port on the outside of the door - that isn't an obscure mistake, anyone involved with security who looked at the design and thought it was ok to make a programming port accessible to the outside with no kind of hardware or software security and didn't spot a problem is incompetent), which would fall into the "not fit for purpose" category. And since this defect was clearly there at the of manufacture, rather than having developed over months/years of use, the case looks quite winnable.

I have often wondered how this applies to software... I think someone once informed me that software was explicitly excluded from the act, although I haven't checked myself. This seems a bit wrong - defects in software are easier to fix than defects in hardware (at least, on a large scale), so it seems more reasonable to ensure they are fixed rather than giving software vendors a free pass.

so far as I know, no-one's ever tried to use "the law" to resist paying for ongoing maintenance fees on computer hardware, or at least nobody's succeeded in such a venture. And again - IANAL.

Maintenance fees usually get you something over and above the law. For example, it might get you an no-questions-asked same-day engineer callout to replace whatever hardware has failed, rather than requiring you to prove that a failure was caused by a defect (possibly involving the courts). Yes, without a maintenance contract, you could probably get that failed motherboard replaced by the retailer, but would it be done immediately and without any hassle, or would you be left without a server for weeks? (This isn't just a case of the vendor being difficult when there is no maintenance contract in place - the vendor may genuinely believe that the problem wasnt caused by a defect, but having a maintenance contract is likley to make them sweing the benefit of doubt in your favour).

Really a story?

[FaxeTheCat]

Is this really a story? The conditions for repairs and upgrades are most likely regulated in the contract between the hotels and the supplier/manufacturer. Big deal.

They should act like Kryptonite.

Many slashdotters and/or cyclists remember the whole Kryptonite debacle where their locks could be opened with a Bic pen. Kryptonite offered free replacements, with free shipping, without requiring the receipt. They ate a huge cost but saved their company's reputation. People still buy their locks.

This company is making its customers pay for their poor design. They are done.

Say what?

[Ignacio]

Torx? Obscure? What decade do they think this is?

Re:Is there any guarantee on the new circuit board

[forkazoo]

Will any e-lock company dare to guarantee that their e-lock for hotel room will be hack-proof?

Of course not. Nobody has ever guaranteed such a thing, except for shady dealing liars with the worst security of all. Anybody who works in security knows that any system which protects something sufficiently valuable, or is sufficiently widely deployed will eventually come up against some lock pick or safe cracker who has enough intelligence, free time, and interest. it's just a question of how long it takes to happen, and how inconvenient it is when he shows up. Adding such a guarantee would just be a giant banner attracting more interest from such people.

Besides, this isn't software. If the guarantee is disproven, and you have to push out patches, you can't just put them on an FTP server. you have to build physical hardware, ship it out, etc. It would be unreasonable to expect any company to do all of that for free. In some cases a company will do a free, voluntary recall out of pocket for the sake of good PR. But, it's hardly something you can demand.

Re:You know what?

[adolf]

If a device is described as a lock and does not in fact perform that function, to the point where intervention is required, then is it unreasonable to assume that the defect is by design? I would say not.

It is common knowledge that locks only keep out honest people.

Corollarily, a lock which allows entry by dishonest people is still a lock.

If it were a mechanical lock with pins and tumblers, it would be defeatable by dishonest people. This lock happens to be electronic, and is also defeatable by dishonest people.

I don't see the difference in the context that you specify.

Re:Is there any guarantee on the new circuit board

[Firethorn]

At the worst you can just turn up with a drill and drill straight through the lock if you're really determined to gain entry.

Really, for most locks, and most doors, it's about providing an approximately equal amount of protection from all points of entry. Allowing a subtle entry is considered worse than an obvious entry.

Locks are already generally to the point that you don't try to physically defeat them - you go after the door instead. If you want in and don't care about being obvious, a small sledge will get you into most hotel doors with one whack, ~5 seconds. If the pins are on the outside, you pop those out and remove the door ~30 seconds. Put the pins back in and you have a covert entry.

$50 worth of parts and technical knowledge required is actually a fairly high bar.

Re:Is there any guarantee on the new circuit board

[erroneus]

In you think about it, this is all common practice. Some bugs in hardware and software NEVER get fixed. Instead new versions are released for sale. That recall fixes happen from time to time is a careful balance of deciding whether the public outcry will result in loss of business.

That said, the locks aren't much more insecure than they were prior to the revelation. It requires tools and expertise to accomplish this feat. It's not like some dumb thief off the street will be any more of a threat than they were before.

The added protection; is it worth the effort? Even if it was free to put out the update is it worth the effort? Tough question. Is it worth the manufacturer updating the design to thwart the new hack? Surely. I think the right choices have been made in this case.

If, someone markets a hotel hacking kit with instructions to the public and they somehow get away with it, that might be another matter. But are traditional metal key locks out of style or use in light of lock picking kits? Nope...

I don't remember seeing anything in the reports

[kaizendojo]

that Onity gauranteed the locks to be unhackable. A researcher discovered a flaw, they are offering two solutions to correct it; one free and one (better) for a reduced price. What's the issue? Maybe I'm missing something, but they seem to be acting fairly and responsibly.