Slashdot Mirror


After Hacker Exposes Hotel Lock Insecurity, Lock Firm Asks Hotels To Pay For Fix

Sparrowvsrevolution writes "In an update to an earlier story on Slashdot, hotel lock company Onity is now offering a hardware fix for the millions of hotel keycard locks that hacker Cody Brocious demonstrated at Black Hat were vulnerable to being opened by a sub-$50 Arduino device. Unfortunately, Onity wants the hotels who already bought the company's insecure product to pay for the fix. Onity is actually offering two different mitigations: The first is a plug that blocks the port that Brocious used to gain access to the locks' data, as well as more-obscure Torx screws to prevent intruders from opening the lock's case and removing the plug. That band-aid style fix is free. A second, more rigorous fix requires changing the locks' circuit boards manually. In that case, Onity is offering 'special pricing programs' for the new circuit boards customers need to secure their doors, and requiring them to also pay the shipping and labor costs."

4 of 244 comments

  1. You know what else can open a lock? A crowbar. by Rogerborg · Score: 5, Insightful

    Any hack that requires physical disassembly of the lock is just ePeen waving.

    Given the choice between a $50 bit of magic juju that might work after 5 minutes of fiddling, and a $20 jimmy that will work 100% of the time in 10 seconds, I know which option 99% of "going equipped" criminals are going to go for.

    So, no, I'm not blaming the lock manufacturer here. No security is absolute, it's a question of what's reasonable.

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re: You know what else can open a lock? A crowbar. by ArsenneLupin · Score: 5, Insightful

      RTFA. No need to disassemble the lock - all you do is plug in a small gadget into a Nokia-charger-style plug at the bottom of the lock and voilà - open door.

      Not after the "free" workaround (cap that covers connector, and requires lock disassembly to remove) is applied.

      And I guess, if you already have disassembled the lock, you won't need the gadget to open it: a short applied directly at the actuator would do the trick too.

      So, the "bandaid-style workaround" (cap) might actually make more sense than the improved circuit board (which may only protect against the current intrusion software, but not against enhanced versions that take into account the new memory layout).

  2. Double standard by Anonymous Coward · Score: 5, Insightful

    Hmmm, we take umbrage that a company charges for a hardware upgrade to a flawed physical device, but we have gotten used to having to pay for software upgrades to get our bugs fixed. It is the second of these that is the real scandal.

  3. They should act like Kryptonite. by Anonymous Coward · Score: 5, Insightful

    Many slashdotters and/or cyclists remember the whole Kryptonite debacle where their locks could be opened with a Bic pen. Kryptonite offered free replacements, with free shipping, without requiring the receipt. They ate a huge cost but saved their company's reputation. People still buy their locks.

    This company is making its customers pay for their poor design. They are done.