Slashdot Mirror


After Hacker Exposes Hotel Lock Insecurity, Lock Firm Asks Hotels To Pay For Fix

Sparrowvsrevolution writes "In an update to an earlier story on Slashdot, hotel lock company Onity is now offering a hardware fix for the millions of hotel keycard locks that hacker Cody Brocious demonstrated at Black Hat were vulnerable to being opened by a sub-$50 Arduino device. Unfortunately, Onity wants the hotels who already bought the company's insecure product to pay for the fix. Onity is actually offering two different mitigations: The first is a plug that blocks the port that Brocious used to gain access to the locks' data, as well as more-obscure Torx screws to prevent intruders from opening the lock's case and removing the plug. That band-aid style fix is free. A second, more rigorous fix requires changing the locks' circuit boards manually. In that case, Onity is offering 'special pricing programs' for the new circuit boards customers need to secure their doors, and requiring them to also pay the shipping and labor costs."

49 of 244 comments

  1. You know what else can open a lock? A crowbar. by Rogerborg · · Score: 5, Insightful

    Any hack that requires physical disassembly of the lock is just ePeen waving.

    Given the choice between a $50 bit of magic juju that might work after 5 minutes of fiddling, and a $20 jimmy that will work 100% of the time in 10 seconds, I know which option 99% of "going equipped" criminals are going to go for.

    So, no, I'm not blaming the lock manufacturer here. No security is absolute, it's a question of what's reasonable.

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:You know what else can open a lock? A crowbar. by Anonymous Coward · · Score: 5, Informative

      RTFA. No need to disassemble the lock - all you do is plug in a small gadget into a Nokia-charger-style plug at the bottom of the lock and voilà - open door.

    2. Re:You know what else can open a lock? A crowbar. by Anonymous Coward · · Score: 2, Informative

      Isn't the point of the original hack that you can do it through the exposed programming port in seconds and leave no trace? Sounds superior to a crowbar, though my experience is limited.

    3. Re:You know what else can open a lock? A crowbar. by ArsenneLupin · · Score: 5, Insightful

      RTFA. No need to disassemble the lock - all you do is plug in a small gadget into a Nokia-charger-style plug at the bottom of the lock and voilà - open door.

      Not after the "free" workaround (cap that covers connector, and requires lock disassembly to remove) is applied.

      And I guess, if you already have disassembled the lock, you won't need the gadget to open it: a short applied directly at the actuator would do the trick too.

      So, the "bandaid-style workaround" (cap) might actually make more sense than the improved circuit board (which may only protect against the current intrusion software, but not against enhanced versions that take into account the new memory layout).

    4. Re:You know what else can open a lock? A crowbar. by adolf · · Score: 4, Insightful

      Forget applying a "short" "directly at the actuator" (whatever that means): If you've already got the lockset disassembled, you just unlock it mechanically; no electronics needed.

      That said, presumably (and I did R most of TFA), neat disassembly also requires access to the locked room, as is the case with most locks which are designed to be secure in only one direction.

      But without more data, I'm led to wonder if the "free" workaround cap is actually all that physically secure, anyway: Being both a retrofit and (and again I presume) only having been designed within the past month or so, and then built down to a cost that can be distributed for free, it seems entirely likely that the cap itself might still be vulnerable to defeat from outside.

    5. Re:You know what else can open a lock? A crowbar. by ceoyoyo · · Score: 2

      Only if someone was dumb enough to put those wires on the outside of the door.

    6. Re:You know what else can open a lock? A crowbar. by dead_user · · Score: 5, Interesting

      I can attest that hotel room doors are pretty crowbar-resistant. During Katrina I was "essential personnel" and was "evacuated" to the hotel near City Hall so I could be at the ready once the storm passed. About $70k worth of equipment came with me to the hotel room to get it more protected. (Backup servers and their ilk.) The next evening when the national guard guys took us back to our rooms to get our stuff, there were three giant gouges in my door. But the door held. I was both impressed and disgusted. These people also beat up the hotel staff because they were upset that the hotel generators didn't also run the A/C's. Eventually, the hotel was abandoned and left to them. It was just too dangerous to the staff to stay. By the second night, they had defaced much of the hotel with spray painted signs declaring the hotel the "New 4th Ward", a project (slum) from New Orleans. Granted, their homes were flooded, but so was mine. So sad.

    7. Re:You know what else can open a lock? A crowbar. by mark-t · · Score: 2

      One of the operative words here is "untraceable". The hack leaves absolutely zero evidence of having been tampered with by this hack, and all the hacker has to do is put the plug cover back on, removal of which is hardly tantamount to fully disassembling the lock. Besides which, disassembling a lock that can later be easily reassembled should be something that can only be done from *INSIDE* of a unit... not from outside, as the plug they are offering does. If this port that this plug covers were only accessible inside of the unit, it would not be anywhere nearly as big of a security issue.

  2. The cheap one is worthless by gweihir · · Score: 5, Informative

    "Secure" screws are anything but. You can either print them (wax, photograph) and make matching bits pretty easily. You can even automatize this. Or you can force them with some pre-made approximations. (Yes, that may mean carrying around 50 possibles, and/or a file, but it is not hard.) There are other techniques as well, for example removal tools for broken screws or ice-spray and a hammer. Sawing a slit into the screw-head is also typically pretty easy.

    Yes, I have done it a few times. Not for these locks, but I would be surprised if they were any different.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:The cheap one is worthless by bloodhawk · · Score: 2

      or why bother with any of that when a small crowbar will bypass it all.

    2. Re:The cheap one is worthless by Tastecicles · · Score: 3, Interesting

      tech overkill.

      I use a Gator Grip and have done for fifteen years. Yes, they work, no I don't work for them. Yes they're fantastic value and no, they don't charge for replacement in case of bad workmanship, act of Dog, act of Idiot, or jamming. I've only ever had to replace the small one because I managed to break it trying to loosen a disc brake caliper.

      --
      Operation Guillotine is in effect.
    3. Re:The cheap one is worthless by TubeSteak · · Score: 4, Informative

      Secure screw bits are $20 bucks for an entire set (Made in China) of all the designs.

      The only "secure" screw head is one that is custom made for you.
      Otherwise, you should be using breakaway heads or one-way screws.

      --
      [Fuck Beta]
      o0t!
    4. Re:The cheap one is worthless by cyclomedia · · Score: 2
      --
      If you don't risk failure you don't risk success.
    5. Re:The cheap one is worthless by adolf · · Score: 5, Informative

      I had to defeat some stainless steel T10 Security Torx screws in the process of doing my job, recently, as I was moving old hardware from one place to another.

      Normally, I carry a large assortment of cheap "security" driver bits with me, but alas they were not with me at the time (indeed, they were 40 miles away).

      Solution: I used a regular-old Klein T10 driver. I smashed it into the head of the screw a few times with the palm of my hand (no hammer needed), and the protruding post neatly bent over and squished itself into the valley of the Torx socket. This left plenty of surface area to neatly grab the fastener in the conventional way (with the same, and now proper driver), and remove it.

      I was fairly amused that this worked the first time. And then I repeated it 7 more times for the other screws with similar success. (The Klein screwdriver was unfazed.)

      (For the uninitiated: Torx screws intentionally require very little engagement depth to properly mate a driver to the fastener, by design. It is perhaps the singular thing they're very good at, and also the one thing that allowed them to be so easily circumvented in this case of them being modified for "security.")

    6. Re:The cheap one is worthless by adolf · · Score: 2

      How well does your Gator Grip work on small socket-cap Torx screws, such as those discussed in TFA?

      It looks like a lovely tool for removing things that have external facets (common hexagonal nuts and bolts), but from what I see it is a picture of failure and frustration for anything else -- especially if it is very small (which lockset screws typically are).

  3. Double standard by Anonymous Coward · · Score: 5, Insightful

    Hmmm, we take umbrage that a company charges for a hardware upgrade to a flawed physical device, but we have gotten used to having to pay for software upgrades to get our bugs fixed. It is the second of these that is the real scandal.

    1. Re:Double standard by RaceProUK · · Score: 3, Funny

      Hmmm, we take umbrage that a company charges for a hardware upgrade to a flawed physical device, but we have gotten used to having to pay for software upgrades to get our bugs fixed. It is the second of these that is the real scandal.

      How much did you pay for a Windows Service Pack? Personally, I spent $0.00, consisting of a $0.00 deposit, 35 easy monthly payments of $0.00, and a final payment of $0.00 to keep it for life.

      --
      No colour or religion ever stopped the bullet from a gun
    2. Re:Double standard by FireFury03 · · Score: 3, Insightful

      IANAL. But I've been corrected on this issue by someone who is, and who happened to be my boss at the time.

      If you're talking about the UK (my version of "over here") most of the stuff to do with refunds and longer-term fitness for purpose only apply to individual consumers.

      The Sale of Goods Act requires the retailer (*not* the manufacturer) to warrant a product for its "reasonable" life expectancy to be free of manufacturing and design defects and fit for purpose. Within the first 6 months the burden of proof is upon the retailer (if they don't want to refund/fix then within the first 6 months they have to prove that there was no defect or that its "reasonable" life expectancy has been exceeded). After the first 6 months the burden of proof is upon the consumer (you prove that there was a defect and that it is within its life expectancy).

      No one sane expects a lock to be completely secure, but this sounds like gross negligence (sticking what is effectively a JTAG port on the outside of the door - that isn't an obscure mistake, anyone involved with security who looked at the design and thought it was ok to make a programming port accessible to the outside with no kind of hardware or software security and didn't spot a problem is incompetent), which would fall into the "not fit for purpose" category. And since this defect was clearly there at the time of manufacture, rather than having developed over months/years of use, the case looks quite winnable.

      I have often wondered how this applies to software... I think someone once informed me that software was explicitly excluded from the act, although I haven't checked myself. This seems a bit wrong - defects in software are easier to fix than defects in hardware (at least, on a large scale), so it seems more reasonable to ensure they are fixed rather than giving software vendors a free pass.

      so far as I know, no-one's ever tried to use "the law" to resist paying for ongoing maintenance fees on computer hardware, or at least nobody's succeeded in such a venture. And again - IANAL.

      Maintenance fees usually get you something over and above the law. For example, it might get you a no-questions-asked same-day engineer callout to replace whatever hardware has failed, rather than requiring you to prove that a failure was caused by a defect (possibly involving the courts). Yes, without a maintenance contract, you could probably get that failed motherboard replaced by the retailer, but would it be done immediately and without any hassle, or would you be left without a server for weeks? (This isn't just a case of the vendor being difficult when there is no maintenance contract in place - the vendor may genuinely believe that the problem wasn't caused by a defect, but having a maintenance contract is likely to make them swing the benefit of doubt in your favour).

    3. Re:Double standard by ColdWetDog · · Score: 2

      And how often does your application software vendor supply bug and security fixes? I have to pay HUGE amounts to such software companies as Oracle and still end up with buggy, insecure from day zero software.

      If you're complaining about paying too much for Oracle stuff, you'll get no sympathy from any of us. It's not like we didn't warn you.

      --
      Faster! Faster! Faster would be better!
  4. Really a story? by FaxeTheCat · · Score: 4, Insightful

    Is this really a story? The conditions for repairs and upgrades are most likely regulated in the contract between the hotels and the supplier/manufacturer. Big deal.

  5. They should act like Kryptonite. by Anonymous Coward · · Score: 5, Insightful

    Many slashdotters and/or cyclists remember the whole Kryptonite debacle where their locks could be opened with a Bic pen. Kryptonite offered free replacements, with free shipping, without requiring the receipt. They ate a huge cost but saved their company's reputation. People still buy their locks.

    This company is making its customers pay for their poor design. They are done.

    1. Re:They should act like Kryptonite. by Isaac-1 · · Score: 3, Informative

      I suspect Kryptonite had a bit more markup built into their business model, this sort of recall would likely bankrupt the lock company if they offered it for free which would leave the hotels without replacement parts, or locks for new construction, etc. Remember hotels love standardization and these locks must offer remote programming from the front desk, etc.

    2. Re:They should act like Kryptonite. by tixxit · · Score: 2

      Intel recalled all processors with the FDIV bug back in the 90s and are still king of the hill today. However, very few companies have the resources to take a hit like that and come out intact. If they aren't offering the fix for free, it is probably because they just cannot afford it. I'm sure they are not completely brain dead and realize this looks bad to them. Most likely, they did more research leading up to this decision than we did.

  6. Is there any guarantee on the new circuit board? by Taco Cowboy · · Score: 4, Interesting

    The real question is not whether the lock company should charge for fixing the bug

    The real question is whether there is a guarantee that the new circuit board (the upgrade) that the lock company provides is hack proof

    Or put it another way ---
    Will any e-lock company dare to guarantee that their e-lock for hotel room will be hack-proof?
     

    --
    Muchas Gracias, Señor Edward Snowden !
  7. Say what? by Ignacio · · Score: 4, Insightful

    Torx? Obscure? What decade do they think this is?

    1. Re:Say what? by Gaygirlie · · Score: 2

      Here in Finland you can buy torx-screwdrivers from any store that sells any kinds of screwdrivers, ie. even your average small-time store has those. Hell, you'd actually be somewhat hard-pressed to find a screwdriver kit without torx. I really have a hard time believing finding torx-tools in the U.S. is that much more difficult.

  8. Sweet. by Impy the Impiuos Imp · · Score: 5, Funny

    > "as well as more-obscure Torx screws to prevent intruders from
    > opening the lock's case and removing the plug"

    Because nobody capable and determined enough to rig up the electronic interface for $50 can handle the mental and financial stresses of a $10 Torx set from the hardware store.

    "Well, we got the device. Open it up."

    "Whoa! What kind of screws are these?"

    "Lemme look -- MY GOD, IT'S FULL OF STARS!"

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  9. Of course they won't be by Rix · · Score: 3, Funny

    I can hack any hotel room door.

    With an axe.

    1. Re:Of course they won't be by fustakrakich · · Score: 2
      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Of course they won't be by DarwinSurvivor · · Score: 2

      Lock Picking. A subtle and proud art... Long since rendered obsolete by the Broad Axe.
      http://img200.imageshack.us/img200/336/motivationalposterlockp.jpg

      Sorry about the imageshack link, but every demotivational website seems to have removed this one. Someone must have gone on a DMCA rampage or something :(

  10. Master key systems can be hacked too by twosat · · Score: 3, Interesting

    I remember reading years ago about Matt Blaze, a security researcher at AT&T Labs-Research who discovered how to create a master key from a key and a lock which is opened by it. His method was a trade secret used by many locksmiths, which pissed them off when he publicised it.

    http://it.slashdot.org/story/03/01/23/0359230/att-identifies-widespread-security-hole---in-locks

    http://www.nytimes.com/2003/01/23/business/many-locks-all-too-easy-to-get-past.html

  11. Hotel In room "safe" by trout007 · · Score: 5, Informative

    I was staying in a Marriott and they have a small in-room safe. It's the kind with a digital keypad where you select your own code. I put stuff in there while we went to the pool.

    When we got back I guess one of the kids was playing with it and it stopped responding because they pressed too many buttons. So I looked it up online. All I had to do was press "lock" twice to enter supervisor mode then 999999 and it opened the safe bypassing my code.

    So don't use those safes for anything real valuable. Next time I have to play around with supervisor mode to see if I can change that password.

    --
    I love Jesus, except for his foreign policy.
    1. Re:Hotel In room "safe" by isorox · · Score: 2

      I was staying in a Marriott and they have a small in-room safe. It's the kind with a digital keypad where you select your own code. I put stuff in there while we went to the pool.

      When we got back I guess one of the kids was playing with it and it stopped responding because they pressed too many buttons. So I looked it up online. All I had to do was press "lock" twice to enter supervisor mode then 999999 and it opened the safe bypassing my code.

      So don't use those safes for anything real valuable. Next time I have to play around with supervisor mode to see if I can change that password.

      If I'm staying in a dodgy city for a period of time, I spread the risk. £100 and passport copy in the safe, normal wallet and passport on me, and I always keep a credit card in my dirty laundry in the suitcase just in case.

    2. Re:Hotel In room "safe" by trout007 · · Score: 2

      I forgot. I took a video of it. It's a Safemark safe.

      http://youtu.be/UYjJuE7l7VM

      --
      I love Jesus, except for his foreign policy.
    3. Re:Hotel In room "safe" by trout007 · · Score: 2

      Additional Information:

      It was a Safemark Safe.
      It was displaying an error ebar.
      I used those to look up the information.

      Also sites suggested to try 000000, 123456, 999999 as the supervisor password.

      The point I'm making is that hotel maintenance has a supervisor password and most likely it's something very easy to guess or share. I'm not claiming 999999 will unlock everyone.

      --
      I love Jesus, except for his foreign policy.
  12. Re:You know what? by Tastecicles · · Score: 4, Informative

    1979 (c. 54) provides:

    14 Implied terms about quality or fitness.

    (1) Except as provided by this section and section 15 below and subject to any other enactment, there is no implied term about the quality or fitness for any particular purpose of goods supplied under a contract of sale.
    (2) Where the seller sells goods in the course of a business, there is an implied term that the goods supplied under the contract are of satisfactory quality.
    (2A) For the purposes of this Act, goods are of satisfactory quality if they meet the standard that a reasonable person would regard as satisfactory, taking account of any description of the goods, the price (if relevant) and all the other relevant circumstances.
    (2B) For the purposes of this Act, the quality of goods includes their state and condition and the following (among others) are in appropriate cases aspects of the quality of goods—
      (a) fitness for all the purposes for which goods of the kind in question are commonly supplied,
      (b) appearance and finish,
      (c) freedom from minor defects,
      (d) safety, and
      (e) durability.
    (2C) The term implied by subsection (2) above does not extend to any matter making the quality of goods unsatisfactory—
      (a) which is specifically drawn to the buyer’s attention before the contract is made,
      (b) where the buyer examines the goods before the contract is made, which that examination ought to reveal, or
      (c) in the case of a contract for sale by sample, which would have been apparent on a reasonable examination of the sample.

    emphases mine.

    If a lock is described as a lock, and looks like a lock, is it unreasonable to expect it to perform as such? I don't think so.
    If a device is described as a lock and does not in fact perform that function, to the point where intervention is required, then is it unreasonable to assume that the defect is by design? I would say not.

    Therefore, the effect of the failure of the product to perform *as advertised* constitutes a material breach of contract, one which should be pursued for restitution and remedy.

    DISCLAIMER: IAAL.

    --
    Operation Guillotine is in effect.
  13. Re:Is there any guarantee on the new circuit board by forkazoo · · Score: 4, Insightful

    Will any e-lock company dare to guarantee that their e-lock for hotel room will be hack-proof?

    Of course not. Nobody has ever guaranteed such a thing, except for shady dealing liars with the worst security of all. Anybody who works in security knows that any system which protects something sufficiently valuable, or is sufficiently widely deployed will eventually come up against some lock pick or safe cracker who has enough intelligence, free time, and interest. It's just a question of how long it takes to happen, and how inconvenient it is when he shows up. Adding such a guarantee would just be a giant banner attracting more interest from such people.

    Besides, this isn't software. If the guarantee is disproven, and you have to push out patches, you can't just put them on an FTP server. You have to build physical hardware, ship it out, etc. It would be unreasonable to expect any company to do all of that for free. In some cases a company will do a free, voluntary recall out of pocket for the sake of good PR. But, it's hardly something you can demand.

  14. Now that's what I call... by srussia · · Score: 5, Funny

    All I had to do was press "lock" twice to enter supervisor mode then 999999 and it opened the safe bypassing my code.

    "six-nines" availability!

    --
    Set your phasers on "funky"!
  15. Re:You know what? by adolf · · Score: 4, Insightful

    If a device is described as a lock and does not in fact perform that function, to the point where intervention is required, then is it unreasonable to assume that the defect is by design? I would say not.

    It is common knowledge that locks only keep out honest people.

    Corollarily, a lock which allows entry by dishonest people is still a lock.

    If it were a mechanical lock with pins and tumblers, it would be defeatable by dishonest people. This lock happens to be electronic, and is also defeatable by dishonest people.

    I don't see the difference in the context that you specify.

  16. Re:Is there any guarantee on the new circuit board by Firethorn · · Score: 4, Insightful

    At the worst you can just turn up with a drill and drill straight through the lock if you're really determined to gain entry.

    Really, for most locks, and most doors, it's about providing an approximately equal amount of protection from all points of entry. Allowing a subtle entry is considered worse than an obvious entry.

    Locks are already generally to the point that you don't try to physically defeat them - you go after the door instead. If you want in and don't care about being obvious, a small sledge will get you into most hotel doors with one whack, ~5 seconds. If the pins are on the outside, you pop those out and remove the door ~30 seconds. Put the pins back in and you have a covert entry.

    $50 worth of parts and technical knowledge required is actually a fairly high bar.

    --
    I don't read AC A human right
  17. Re:Is there any guarantee on the new circuit board by oobayly · · Score: 2

    Immediately thought of this:

    From Sneakers

  18. Re:Isn't the problem offering access to the outsid by drinkypoo · · Score: 2

    So, how about cutting wires to the port, and wiring a new port on the other side of the door. Presumably this could be done fairly neatly.

    Seems the fundamental flaw is that the access port is on the outside of the door.

    The fundamental flaw in your comment is that the port needs to be on the outside of the door so that it can be used in cases where the door cannot otherwise be opened.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  19. Re:Is there any guarantee on the new circuit board by erroneus · · Score: 4, Insightful

    If you think about it, this is all common practice. Some bugs in hardware and software NEVER get fixed. Instead new versions are released for sale. That recall fixes happen from time to time is a careful balance of deciding whether the public outcry will result in loss of business.

    That said, the locks aren't much more insecure than they were prior to the revelation. It requires tools and expertise to accomplish this feat. It's not like some dumb thief off the street will be any more of a threat than they were before.

    The added protection; is it worth the effort? Even if it was free to put out the update is it worth the effort? Tough question. Is it worth the manufacturer updating the design to thwart the new hack? Surely. I think the right choices have been made in this case.

    If someone markets a hotel hacking kit with instructions to the public and they somehow get away with it, that might be another matter. But are traditional metal key locks out of style or use in light of lock picking kits? Nope...

  20. I don't remember seeing anything in the reports by kaizendojo · · Score: 3, Insightful

    that Onity guaranteed the locks to be unhackable. A researcher discovered a flaw, they are offering two solutions to correct it; one free and one (better) for a reduced price. What's the issue? Maybe I'm missing something, but they seem to be acting fairly and responsibly.

  21. Re:Is there any guarantee on the new circuit board by trum4n · · Score: 2

    Or a walk to ACE hardware...

  22. Re:Is there any guarantee on the new circuit board by Applekid · · Score: 2

    A lighter and a bic pen can make a suitable conforming screwdriver for most security bits of appropriate size. For other sizes, other sizes of polycarbonate pens / barrels / rods will do.

    --
    More Twoson than Cupertino
  23. MSN by tepples · · Score: 2

    unless you think Microsoft is my ISP

    It's possible.

  24. Windows upgrades by tepples · · Score: 2

    How much did you pay for a Windows Service Pack?

    Windows 7 has been nicknamed Windows Vista Service Pack 3 by the press, and Microsoft charges for it. So to answer your question, search for windows 7 upgrade price on Bing or Google.

  25. Rural Internet with single digit GB/mo by tepples · · Score: 2

    i paid a fractional amount for the bandwidth (we're talking pennies here)

    It's pennies for people who live within range of fiber, cable, or DSL. But if you're stuck on satellite or cellular Internet with its single digit GB/mo cap, it's either a $10 per GB download or a drive into town to find a library or coffee shop that will let you bring in your computer and monitor.