After Hacker Exposes Hotel Lock Insecurity, Lock Firm Asks Hotels To Pay For Fix
Sparrowvsrevolution writes "In an update to an earlier story on Slashdot, hotel lock company Onity is now offering a hardware fix for the millions of hotel keycard locks that hacker Cody Brocious demonstrated at Black Hat were vulnerable to being opened by a sub-$50 Arduino device. Unfortunately, Onity wants the hotels who already bought the company's insecure product to pay for the fix. Onity is actually offering two different mitigations: The first is a plug that blocks the port that Brocious used to gain access to the locks' data, as well as more-obscure Torx screws to prevent intruders from opening the lock's case and removing the plug. That band-aid style fix is free. A second, more rigorous fix requires changing the locks' circuit boards manually. In that case, Onity is offering 'special pricing programs' for the new circuit boards customers need to secure their doors, and requiring them to also pay the shipping and labor costs."
Any hack that requires physical disassembly of the lock is just ePeen waving.
Given the choice between a $50 bit of magic juju that might work after 5 minutes of fiddling, and a $20 jimmy that will work 100% of the time in 10 seconds, I know which option 99% of "going equipped" criminals are going to go for.
So, no, I'm not blaming the lock manufacturer here. No security is absolute, it's a question of what's reasonable.
If you were blocking sigs, you wouldn't have to read this.
"Secure" screws are anything but. You can either print them (wax, photograph) and make matching bits pretty easily. You can even automatize this. Or you can force them with some pre-made approximations. (Yes, that may mean carrying around 50 possibles, and/or a file, but it is not hard.) There are other techniques as well, for example removal tools for broken screws or ice-spray and a hammer. Sawing a slit into the screw-head is also typically pretty easy.
Yes, I have done it a few times. Not for these locks, but I would be surprised if they were any different.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Hmmm, we take umbrage that a company charges for a hardware upgrade to a flawed physical device, but we have gotten used to having to pay for software upgrades to get our bugs fixed. It is the second of these that is the real scandal.
Is this really a story? The conditions for repairs and upgrades are most likely regulated in the contract between the hotels and the supplier/manufacturer. Big deal.
Many slashdotters and/or cyclists remember the whole Kryptonite debacle where their locks could be opened with a Bic pen. Kryptonite offered free replacements, with free shipping, without requiring the receipt. They ate a huge cost but saved their company's reputation. People still buy their locks.
This company is making its customers pay for their poor design. They are done.
The real question is not whether the lock company should charge for fixing the bug
The real question is whether there is a guarantee that the new circuit board (the upgrade) that the lock company provides is hack proof
Or put it another way ---
Will any e-lock company dare to guarantee that their e-lock for hotel room will be hack-proof?
Muchas Gracias, Señor Edward Snowden !
Torx? Obscure? What decade do they think this is?
> "as well as more-obscure Torx screws to prevent intruders from
> opening the lock's case and removing the plug"
Because nobody capable and determined enough to rig up the electronic interface for $50 can handle the mental and financial stresses of a $10 Torx set from the hardware store.
"Well, we got the device. Open it up."
"Whoa! What kind of screws are these?"
"Lemme look -- MY GOD, IT'S FULL OF STARS!"
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
I was staying in Marriott and they have a small in-room safe. It's the kind with a digital keypad where you select your own code. I put stuff in there while we went to the pool.
When we got back I guess one of the kids was playing with it and it stopped responding because they pressed too many buttons. So I looked it up online. All I had to do was press "lock" twice to enter supervisor mode then 999999 and it opened the safe bypassing my code.
So don't use those safes for anything real valuable. Next time I have to play around with supervisor mode to see if I can change that password.
I love Jesus, except for his foreign policy.
1979 (c. 54) provides:
14 Implied terms about quality or fitness.
(1) Except as provided by this section and section 15 below and subject to any other enactment, there is no implied term about the quality or fitness for any particular purpose of goods supplied under a contract of sale.
(2) Where the seller sells goods in the course of a business, there is an implied term that the goods supplied under the contract are of satisfactory quality.
(2A) For the purposes of this Act, goods are of satisfactory quality if they meet the standard that a reasonable person would regard as satisfactory, taking account of any description of the goods, the price (if relevant) and all the other relevant circumstances.
(2B) For the purposes of this Act, the quality of goods includes their state and condition and the following (among others) are in appropriate cases aspects of the quality of goods—
(a) fitness for all the purposes for which goods of the kind in question are commonly supplied,
(b) appearance and finish,
(c) freedom from minor defects,
(d) safety, and
(e) durability.
(2C) The term implied by subsection (2) above does not extend to any matter making the quality of goods unsatisfactory—
(a) which is specifically drawn to the buyer’s attention before the contract is made,
(b) where the buyer examines the goods before the contract is made, which that examination ought to reveal, or
(c) in the case of a contract for sale by sample, which would have been apparent on a reasonable examination of the sample.
emphases mine.
If a lock is described as a lock, and looks like a lock, is it unreasonable to expect it to perform as such? I don't think so.
If a device is described as a lock and does not in fact perform that function, to the point where intervention is required, then is it unreasonable to assume that the defect is by design? I would say not.
Therefore, the effect of the failure of the product to perform *as advertised* constitutes a material breach of contract, one which should be pursued for restitution and remedy.
DISCLAIMER: IAAL.
Operation Guillotine is in effect.
Of course not. Nobody has ever guaranteed such a thing, except for shady dealing liars with the worst security of all. Anybody who works in security knows that any system which protects something sufficiently valuable, or is sufficiently widely deployed will eventually come up against some lock pick or safe cracker who has enough intelligence, free time, and interest. It's just a question of how long it takes to happen, and how inconvenient it is when he shows up. Adding such a guarantee would just be a giant banner attracting more interest from such people.
Besides, this isn't software. If the guarantee is disproven, and you have to push out patches, you can't just put them on an FTP server. You have to build physical hardware, ship it out, etc. It would be unreasonable to expect any company to do all of that for free. In some cases a company will do a free, voluntary recall out of pocket for the sake of good PR. But, it's hardly something you can demand.
> All I had to do was press "lock" twice to enter supervisor mode then 999999 and it opened the safe bypassing my code.
"six-nines" availability!
Set your phasers on "funky"!
It is common knowledge that locks only keep out honest people.
Corollarily, a lock which allows entry by dishonest people is still a lock.
If it were a mechanical lock with pins and tumblers, it would be defeatable by dishonest people. This lock happens to be electronic, and is also defeatable by dishonest people.
I don't see the difference in the context that you specify.
Kid-proof tablet..
At the worst you can just turn up with a drill and drill straight through the lock if you're really determined to gain entry.
Really, for most locks, and most doors, it's about providing an approximately equal amount of protection from all points of entry. Allowing a subtle entry is considered worse than an obvious entry.
Locks are already generally to the point that you don't try to physically defeat them - you go after the door instead. If you want in and don't care about being obvious, a small sledge will get you into most hotel doors with one whack, ~5 seconds. If the pins are on the outside, you pop those out and remove the door ~30 seconds. Put the pins back in and you have a covert entry.
$50 worth of parts and technical knowledge required is actually a fairly high bar.
I don't read AC A human right
If you think about it, this is all common practice. Some bugs in hardware and software NEVER get fixed. Instead new versions are released for sale. That recall fixes happen from time to time is a careful balance of deciding whether the public outcry will result in loss of business.
That said, the locks aren't much more insecure than they were prior to the revelation. It requires tools and expertise to accomplish this feat. It's not like some dumb thief off the street will be any more of a threat than they were before.
The added protection; is it worth the effort? Even if it was free to put out the update is it worth the effort? Tough question. Is it worth the manufacturer updating the design to thwart the new hack? Surely. I think the right choices have been made in this case.
If someone markets a hotel hacking kit with instructions to the public and they somehow get away with it, that might be another matter. But are traditional metal key locks out of style or use in light of lock picking kits? Nope...