Slashdot Mirror


Hotel Keycard Lock Hack Gets Real In Texas

Sparrowvsrevolution writes "You may remember a vulnerability in four million keycard locks presented at the Black Hat conference in July. Hacker Cody Brocious showed he could insert a device he built for less than $50 into the port at the bottom of the common hotel lock, read a key out of its memory, and open it in seconds. Two months later, it turns out at least one burglar was already making use of that technique to rob a series of hotel rooms in Texas. The Hyatt House Galleria in Houston has revealed that in at least three September cases of theft from its rooms, the thief used that Onity vulnerability to effortlessly open rooms and steal valuables like laptops. Petra Risk Solutions, an insurance firm focused on the hospitality industry, also reports that at least two other hotels in Texas were hit with the attack. Onity has been criticized for its less-than-stellar response to a glaring vulnerability in its devices. The Hyatt says Onity didn't provide a fix until after its break-ins, forcing the hotel to plug its locks' ports with epoxy. And even now, Onity is asking its hotel customers to pay for the full fix, which involves replacing the locks' circuit boards."

132 comments

  1. Not "rob", burglarize by Anonymous Coward · · Score: 1, Informative

    ...unless the victim was present.

    1. Re:Not "rob", burglarize by Anonymous Coward · · Score: 0

      Or burgled, for the rest of the world.

    2. Re:Not "rob", burglarize by clickclickdrone · · Score: 4, Informative

      Or just plain 'burgle' if you're English.

      --
      I want a list of atrocities done in your name - Recoil
    3. Re:Not "rob", burglarize by Anonymous Coward · · Score: 0

      Thank you. Would mod up if I could.

    4. Re:Not "rob", burglarize by X0563511 · · Score: 1

      verb tense, do you have it?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    5. Re:Not "rob", burglarize by poofmeisterp · · Score: 1

      ...unless the victim was present.

      So you're saying the generalized term of "Rob Peter to pay Paul" cannot be used unless it's specifically analogue to robbing a person actively rather than just stealing property of theirs?

      Would the following term apply to burglary better?: "He Burglarized Peter for a laptop computer in order to sell it and have money to pay Paul's rent as a favor."

      /snark :-)

    6. Re:Not "rob", burglarize by Phreakiture · · Score: 4, Funny

      I bet you feel so embiggened for pointing out this incromulence.

      --
      www.wavefront-av.com
    7. Re:Not "rob", burglarize by mrbester · · Score: 1

      One would have to wonder if Paul was in any way involved in the insertion of the laptop into Peter. Were surgical instruments used in the removal? The plot thickens...

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    8. Re:Not "rob", burglarize by History's+Coming+To · · Score: 4, Informative

      To burgle. He burgled. They will burgle. I was burgled. I suffered a burglary. etc

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    9. Re:Not "rob", burglarize by Dunbal · · Score: 1

      There is truthiness to what you said.

      --
      Seven puppies were harmed during the making of this post.
    10. Re:Not "rob", burglarize by poofmeisterp · · Score: 1

      One would have to wonder if Paul was in any way involved in the insertion of the laptop into Peter. Were surgical instruments used in the removal? The plot thickens...

      I see where your definition of "favor" falls. LOL

    11. Re:Not "rob", burglarize by X0563511 · · Score: 1

      Tense mismatch was my point, not conjugation.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    12. Re:Not "rob", burglarize by Anonymous Coward · · Score: 0

      Oh, I'm sorry, sir. I'm anispeptic, frasmotic, even compunctuous to have caused you such pericombobulation.

    13. Re:Not "rob", burglarize by gnapster · · Score: 1

      And a good point it was. Viz: "to rob", "to burglarize", and "to burgle"; but not "to burgled".

    14. Re:Not "rob", burglarize by Anonymous Coward · · Score: 0

      Oh yeah, his tense was robbed!

    15. Re:Not "rob", burglarize by Anonymous Coward · · Score: 0

      my hotel has no rob

  2. Sure I will pay.... by Anonymous Coward · · Score: 5, Funny

    ....for a broken product you gave me......who are your competitors?

    1. Re:Sure I will pay.... by h4rr4r · · Score: 1

      That would be even more expensive.
      The replacement boards slide right into the existing locks, which the competitors' product will not do.

    2. Re:Sure I will pay.... by Applekid · · Score: 5, Insightful

      If I were one of Onity's competitors, I would be fast-tracking a replacement system that uses the existing housings at least. Their lunch is right there, on the table, practically begging to get eaten.

      --
      More Twoson than Cupertino
    3. Re:Sure I will pay.... by plover · · Score: 3, Insightful

      The replacement boards slide right into the existing locks, which the competitors' product will not do.

      Yet.

      There seems to be a market opportunity here for a vendor who can provide a trustworthy replacement board at a reasonable price. Of course, that means replacing the programming station as well, but it would get a hotel to a potentially better engineered solution, especially if the system was Open Source and scrutinized by the public eye for vulnerabilities.

      --
      John
    4. Re:Sure I will pay.... by Anonymous Coward · · Score: 1

      "There seems to be a market opportunity here for a vendor who can provide a trustworthy replacement board at a reasonable price."

      1. Offer
      2. Burgle
      3. Raise prices
      4. Re-offer
      5. Profit

    5. Re:Sure I will pay.... by IndustrialComplex · · Score: 3

      Very likely there exists a patent which covers some aspect of the board design for fitting in that slot, or interfacing with the remaining mechanism, etc.

      You probably could easily design a board to fit, but it would be seconds before Onity filed an infringement lawsuit, voided support contracts, etc. I'd be willing to bet some of the terminal equipment for programming the cards is leased as well.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    6. Re:Sure I will pay.... by Anonymous Coward · · Score: 2, Insightful

      > ... voided support contracts...

      Does this still scare anyone?

    7. Re:Sure I will pay.... by Lumpy · · Score: 1

      "There seems to be a market opportunity here for a vendor who can provide a trustworthy replacement board at a reasonable price." Have you ever dealt with a hotel for selling them things or security? Their idea of "reasonable price" is about $3.00. The hotel industry is notorious for being half-assed cheapskates.

      --
      Do not look at laser with remaining good eye.
    8. Re:Sure I will pay.... by Princeofcups · · Score: 1

      If I were one of Onity's competitors, I would be fast-tracking a replacement system that uses the existing housings at least. Their lunch is right there, on the table, practically begging to get eaten.

      Do you really think that the housing design is not patented? That would be a remarkable oversight on Onity's part.

      --
      The only thing worse than a Democrat is a Republican.
    9. Re:Sure I will pay.... by Gordonjcp · · Score: 2

      voided support contracts

      Voided the support contract that says they don't have to fix a lock that doesn't actually lock in any conventionally meaningful sense of the term?

    10. Re:Sure I will pay.... by Anonymous Coward · · Score: 0

      The replacement boards slide right into the existing locks, which the competitors' product will not do.

      Yet.

      There seems to be a market opportunity here for a vendor who can provide a trustworthy replacement board at a reasonable price. Of course, that means replacing the programming station as well, but it would get a hotel to a potentially better engineered solution, especially if the system was Open Source and scrutinized by the public eye for vulnerabilities.

      The alternative would be to fit a state of the art modern mechanical lock. It can probably be picked but not inside any timeframe that would work for a hotel thief. That would require the thief to force the locks, which would be way more quickly noticed than a digital hack, or scam his/her way in. I suppose he could try stealing master keys, but all of those are already harder and more risky than just plugging in a netbook and downloading an encryption key. If you have separate masters for different sections of the hotel and keep a single set in the safe in the security chief's office and another in a bank in a safety deposit box and set up a proper security/surveillance system it would still give you more security than these digital locks. If something like this happens with digital locks you might as well leave every room in the hotel unlocked.

    11. Re:Sure I will pay.... by Vellmont · · Score: 4, Informative

      You assume hotels think that security is some sort of top priority. It's not. You think that there aren't hundreds of people that could open your hotel room?

      If push comes to shove, I guarantee you the preferred solution for 99% of hotels will be simply securing the physical port, and not monkeying around with circuit boards or replacing the whole system entirely. It's just too expensive for too little benefit. Hotel rooms aren't meant to be Fort Knox.

      --
      AccountKiller
    12. Re:Sure I will pay.... by frosty_tsm · · Score: 1

      > ... voided support contracts...

      Does this still scare anyone?

      Not when their product is enabling easy break-ins.

    13. Re:Sure I will pay.... by Anonymous Coward · · Score: 0

      Wouldn't the support contract cover fixing all of these broken locks? Or is it inherently part of the system to be hackable? Or are all the support dollars for nothing?

    14. Re:Sure I will pay.... by Anonymous Coward · · Score: 0

      Then you have to pay a locksmith to change the lock every time a customer walks off with one of your keys, or several locks in the case of housekeeping losing/walking off with one of the zone master keys.

      The point behind digital locks is not to make rooms harder to break into, it's to make it easier to revoke lost/stolen keys, which in the case of a sizable hotel where literally hundreds of issue/revoke cycles can happen in a day will make the hotel as a whole more secure.

    15. Re:Sure I will pay.... by Ravaldy · · Score: 1

      When a manufacturer screws up, they will normally agree to eat a portion of the cost but not all if it's going to bankrupt them. It's in the best interest of the hotel to agree to a reasonable price as the cost to replace the system is probably much more. This again depends on if the system as a whole is a failure or not.

      The way I see it, a bankrupted company will give you nothing so you're better off working with them...

    16. Re:Sure I will pay.... by SeaFox · · Score: 1

      Very likely there exists a patent which covers some aspect of the board design for fitting in that slot, or interfacing with the remaining mechanism, etc.

      You probably could easily design a board to fit, but it would be seconds before Onity filed an infringement lawsuit, voided support contracts, etc.

      Voiding support contracts on hardware we've replaced? O_o
      If you mean other systems related to this, something tells me they wouldn't support it at that point anyway even if they weren't upset about a patent infringement on the board design.

    17. Re:Sure I will pay.... by SeaFox · · Score: 1

      Wouldn't the support contract cover fixing all of these broken locks? Or is it inherently part of the system to be hackable? Or are all the support dollars for nothing?

      They might be treating the situation as "the hardware is functioning correctly as it was designed" and therefore the fix is a new "higher security level" product. Kind of like how if someone figures out how to pick a 5-pin lock the maker isn't on the hook to give you a new 7-pin lock or a design that uses a different arrangement of the pins to prevent the original method from working.

      If this was a pure software vulnerability the picture might be different, but since replacing the board is a requirement they could be framing this as "the lock is as good as we could make it for this product" and the hotel must be needing a "better" lock for their application.

    18. Re:Sure I will pay.... by plover · · Score: 1

      Oh, I know they don't like to spend money. But if the choice is between being forced into an upgrade by a clearly untrustworthy vendor for $50/room, and an unknown but Open Source vendor for $40/room, I should think that the money would win out above all other factors. And yes, I hear you that the preferential option that will likely be chosen by the sleazier hotels (read: almost all of them) will be to do nothing for $0/room.

      But all of that has to be weighed against the potential for lawsuits filed by burglary victims, or worse, by people who are assaulted on your property due in part to a failure of security. Upgrading all the locks in an entire building wing is likely cheaper than fighting a lawsuit that you are almost certain to lose if you knew about the problem but didn't upgrade.

      --
      John
    19. Re:Sure I will pay.... by IndustrialComplex · · Score: 1

      I was thinking of things like the POS hw or the software system that manages all the keys, accesses, etc.

      Such a system would manage employee access logins, assigning keys, revoking, inventory, logs.

      It's not that complicated, but it isn't trivial.
      The door locks are probably just one part of a comprehensive system.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    20. Re:Sure I will pay.... by cbiltcliffe · · Score: 2

      That would be a remarkable oversight on Onity's part.

      So is having the unencrypted software keys accessible from the external service port. What's your point?

      "Remarkable oversight" seems to be the company motto....

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    21. Re:Sure I will pay.... by rHBa · · Score: 1

      Also, I bet 99% of break-ins aren't down to technical vulnerabilities but are caused by social engineering attacks (or as I call it in this case: PEBKAFD, Problem Exists Between Keycard And Front Desk).

      So I can see why replacing millions of $$$ worth of hardware to fix 1% of break-ins would sound like a false economy.

    22. Re:Sure I will pay.... by Wolfrider · · Score: 1

      --Which is total BS. Their hardware has been shown to be defective by design, and asking their customers to pay for fixing the gaping security hole is asinine. They'll be lucky if they're not sued into the ground.

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    23. Re:Sure I will pay.... by Paul+server+guy · · Score: 1

      Not quite.
      1. offer (Profit)
      2. Burgle (Profit)
      3. Raise prices (Profit)
      4. Re-offer (Profit)
      5. Profit (Re-Profit)

      FTFY

      There seems to be profit in every layer, except for the customer (hotel) and the hotel guest, who is the one paying for it all in the end.
      I wonder how much the guests are suing for? I would certainly hope they all had tens of thousands of family heirloom jewels and a new alienware in there.

      --
      Your Moon, Your Mission, Get involved! http://www.openluna.org
    24. Re:Sure I will pay.... by Anonymous Coward · · Score: 0

      I will update

    25. Re:Sure I will pay.... by Smallpond · · Score: 1

      No. They just need to specify that it only be used in areas with stupid criminals. Then it's the hotel's problem for not following directions. Kind of like all electronic products say "not for use in life-support applications" so if anybody gets killed due to the part failing, they can claim it was used improperly.

  3. And a normal locksmith will also charge by Gr33nJ3ll0 · · Score: 3, Insightful

    Normal key locks are vulnerable to various cheap lock picks as well, and, shock of shocks, a locksmith will charge you to upgrade those locks as well. So.... where's the story? I don't see anything on slashdot about normal burglars breaking into houses with zipguns and the like, why is THIS news?

    1. Re:And a normal locksmith will also charge by dav1dc · · Score: 5, Informative

      I believe its geek appeal is derived from the fact that a software hack was utilized to break the locks, rather than a physical set of lock picks.

      There is also a sub-text about the social responsibility and obligation that manufacturers have to patch security holes found in their devices in a timely manner I suspect as well.

    2. Re:And a normal locksmith will also charge by Zero__Kelvin · · Score: 2

      Because we didn't know about it two hours ago, and now we do. It is news for the same reason that I'm certain it appeared on the local news stations in the area. True, their perspective and spin on it certainly differed, but the events happened and then those events were reported. We call that news in the English language.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:And a normal locksmith will also charge by wvmarle · · Score: 3, Informative

      Those locks are not sold as highly secure or so. While I'm quite positive Onity will have used "high security" as one of their sales pitches - part of the reason to use such expensive locks is that a guest not returning a key is not an issue any more, and that the keys are not so easy to copy.

    4. Re:And a normal locksmith will also charge by PlusFiveTroll · · Score: 3, Insightful

      It depends on how the locks are sold. If they cost 10x as much as a regular lock and are advertised to protect against this kind of attack, then yes, the lock selling company might have an issue. If I sell you a zipgun proof lock and it's not, it becomes an issue of product misrepresentation.

      Also, up till recently, most people thought of these lock devices as secure, or at least the level of attack that would have to occur would be difficult and rare. Now it's less noticeable to hack these locks than a regular door.

    5. Re:And a normal locksmith will also charge by Culture20 · · Score: 1

      A zipgun leaves obvious clues, and can draw attention. Lock picks take time, and you don't look like you're using an ordinary key while using them. With this method, presumably it takes little time to cycle through numbers, and if someone sees you in the hallway, it looks no different than a keycard (with a cable running up your jacket sleeve that few would notice). The ease of use combined with the lessened chance of getting caught makes this a story. Of course it's less effective than using a maid's key.

    6. Re:And a normal locksmith will also charge by Mr.+Freeman · · Score: 1

      It takes much longer for physical methods to work. This system takes almost no time at all.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
    7. Re:And a normal locksmith will also charge by h4rr4r · · Score: 2, Interesting

      Not so easy to copy?
      A cheap card encoder can be had for under $100.

    8. Re:And a normal locksmith will also charge by Anonymous Coward · · Score: 4, Informative

      Lock picks take time

      Google 'bump key'. They can open a lot of rotary yale-type locks in under 5 seconds.

      https://www.youtube.com/watch?v=hr23tpWX8lM (skip to 1:00)

      Needless to say I never leave the house without locking a deadbolt too.

    9. Re:And a normal locksmith will also charge by mcgrew · · Score: 1

      Normal key locks are vulnerable to various cheap lock picks as well

      How fast can you pick an industrial-strength lock? This method takes no longer to get in than using a real card. If you're burglarizing people, you want to get in and out as quick as possible. Plus, how many people know how to pick a lock? This is as easy as using a legit key; anyone can do it, unlike picking a lock.

    10. Re:And a normal locksmith will also charge by wvmarle · · Score: 4, Interesting

      Cards have a built-in expiry date; usually the date you're supposed to leave the hotel. When extending your stay, they will update your card. So while you may be able to copy them, it's not exactly useful.

    11. Re:And a normal locksmith will also charge by Applekid · · Score: 1

      Only if you can get a copy of a maintenance or master key.

      --
      More Twoson than Cupertino
    12. Re:And a normal locksmith will also charge by Rob+the+Bold · · Score: 1

      . . . the keys are not so easy to copy.

      That made me wonder a little. Enough to do a little googling around . . . Looks like you can get a magstripe reader/writer or an automatic keycutter machine in about the same price range: $500 or so for basic models. The keycutter looks harder to use to me, just from a quick glance at the instruction manual -- maybe someone into machine shop-type tools and not computers would feel the other way. The card writer would be a more subtle thing to carry around since you'd just stuff it in your laptop bag. The 30lb+ cutter would be a lot less convenient (and a lot noisier). I'm assuming the "get the key copied at the hardware store" option is out, that they would respect the "do not duplicate" stamp, but that's not necessarily true.

      --
      I am not a crackpot.
    13. Re:And a normal locksmith will also charge by Rob+the+Bold · · Score: 1

      Only if you can get a copy of a maintenance or master key.

      Thieves have done it with traditional keys. I think they could use the same practices and skill set to get the keycard version, too.

      --
      I am not a crackpot.
    14. Re:And a normal locksmith will also charge by Anrego · · Score: 1

      The real difference is that the cards are usually invalidated when the guest leaves, so copying the card is mostly useless, unlike a traditional key where they are unlikely to change the lockset after every stay in case the previous guest made a copy of his key.

    15. Re:And a normal locksmith will also charge by Anonymous Coward · · Score: 0

      ...and how much are mechanical lock picking tools?

      (...not to mention the technical learning curve for BOTH comparatively, and proficiency necessary to employ them during a real live break-in during a well-timed scenario)

    16. Re:And a normal locksmith will also charge by travisco_nabisco · · Score: 1

      This whole fiasco reminds me of a few years ago when it was determined that you could open one of the Kryptonite bike locks with the end of a Bic pen. These were the locks with the circular keys. In the end, I think it was due to a class action suit, you could get a replacement lock for free that used a different key type.

      If every hotel chain that uses these locks sues, then they will get a replacement deal of some kind.

    17. Re:And a normal locksmith will also charge by Anonymous Coward · · Score: 0

      It's entirely irrelevant because using a simple plastic card you can shim any hotel door open instantly.

      Source: I worked for a hotel and when the batteries died in a door that a guest needed into in a hurry we did exactly this, often to the amusement or horror of the guest to which we strongly recommended using the flip lock and taking valuables with you when you go out.

    18. Re:And a normal locksmith will also charge by Runaway1956 · · Score: 3, Interesting

      AC's reply deserves your attention - as it's the same thing I was thinking.

      Not to mention - I have a huge pile of keys. I have keys that I haven't thrown away since my Navy days, more than thirty years ago. I just don't throw keys away, no matter how "useless" they might seem.

      From time to time, I need to open a lock. I examine the lock, think a bit, poke through my big pile of keys, and usually come up with a match. There are three keys that I carry on my key chain that don't fit anything - specific. They just seem to fit a lot of things that need to be opened. There are, after all, only so many combinations that can be cut into a blank key.

      I'll admit, though, that I have few keys that are likely to fit motel room doors.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    19. Re:And a normal locksmith will also charge by Onymous+Coward · · Score: 2

      Do folks really use the term "zip gun" for lock pick guns? I thought zip guns were just improvised firearms.

    20. Re:And a normal locksmith will also charge by Lumpy · · Score: 1

      Really? I can get my hands on a maid's key far easier than a room key, and those don't expire. Oh and they let me in EVERY room.

      --
      Do not look at laser with remaining good eye.
    21. Re:And a normal locksmith will also charge by Culture20 · · Score: 1

      Bumping a lock is a little noisy too, even if you use a rubber mallet. If you try to bump several doors in a hotel hallway, someone's going to notice.

      From time to time, I need to open a lock. I examine the lock, think a bit, poke through my big pile of keys, and usually come up with a match.

      That is not going to be a fast process like with these keycards. In fact, picking the lock is faster than your method.

    22. Re:And a normal locksmith will also charge by bdwebb · · Score: 2

      A locksmith may charge you to upgrade those locks but 99% of the time that locksmith is not the creator of the locks he installed and is therefore not responsible for the vulnerabilities therein. In this case, Onity is the manufacturer of these locks and they hold the patents for design and build of the locks. I think as a responsible, forward-thinking company they should be responsible for fixing the vulnerability that caused the loss even though it represents a significant loss...ultimately they are not required to do so, though.

      Onity did offer two fixes to the problem - 1) use a plug for the port to make it inaccessible and utilize torx screws to secure the housing or 2) ship the board back to them for replacement at the customer's expense. While rudimentary tools can make option number 1 useless (a pen casing and a lighter can break through this easily), it would be interesting to see if Onity offers continued warranty support on these products if the customer uses a more permanent solution such as epoxy to plug the hole and block access to the maintenance port. If they do, I would say that while that is still a bit janky, the company is at least willing to meet customers 1/4 of the way if not half the way. Ultimately IMO Onity should replace these at their expense because it is their junk equipment - since they have effectively given the finger to their customers, though, it would be interesting to see what percentage of their keycard lock business goes to competitors over the next few years.

    23. Re:And a normal locksmith will also charge by mcgrew · · Score: 1

      I think he meant a physical key isn't as easy to copy, and for a hotel room you'd have to change the lock or whoever had the key last could break right in. With key cards, it takes seconds to reprogram the lock and key.

    24. Re:And a normal locksmith will also charge by kootsoop · · Score: 3, Informative

      Actually, housekeeping staff keys are often set to expire on a daily basis. The first thing a housekeeper needs to do in the morning is to revalidate their card. If the card isn't revalidated in time, it needs human intervention (other than the housekeeper) to be reactivated. Source: I used to work for Onity's parent company (UTC Fire & Security, as it was then), and I worked requirements for some of Onity's newer products.

      --
      "Engineering is the art of making what you want from things you can get" - Jerry Avins
    25. Re:And a normal locksmith will also charge by Richy_T · · Score: 2

      You must have worked in a shitty hotel with equally shitty locks. I don't think I've stayed in a hotel where that would work that I've noticed.

    26. Re:And a normal locksmith will also charge by Anonymous Coward · · Score: 0

      Traditional, physical lock/keys combinations are much more difficult to change when someone checks out of the room. This means that a would-be burglar could make an imprint and subsequent copy of the traditional key and burgle that room at their leisure. Additionally, most locks which can be opened by a 'master key' can have that master key reverse engineered simply by comparing 2-4 non-master keys for that lock set. This means that someone could, potentially, get the master key by staying somewhere every few weekends for a month or two. (So long as they got a different room each time.) This would then leave them in possession of a master key which would enable them to burgle every room in the hotel at will.

      Magnetic stripe key cards and their locks can be reprogrammed with a new code on a moment's notice, so even if someone *does* leave the hotel without turning in their card, that card will no longer function as a key. Additionally, there doesn't have to *be* a permanent master key, as a given lock can be programmed to accept multiple cards, or a duplicate key can be created based on the lock's currently assigned code.

      These factors, combined with the fact that mag-stripe cards are significantly cheaper and easier to replace than a traditional key are the biggest draws of these lock systems.

    27. Re:And a normal locksmith will also charge by green1 · · Score: 1

      Needless to say I never leave the house without locking a deadbolt too.

      Considering that the clip you link to specifically shows using a bump key in a deadbolt... what exactly are you accomplishing?

      Now to be fair, I'm sure it's still a good idea to lock your doors with a good deadbolt despite bump keys, but maybe the better option is to get a higher security lock (The clip you link to recommends Medeco, but I was under the impression that they too can be bumped, I believe Abloy locks are one of the few that can't) or get an alarm or a dog (The dog is probably the absolute best security you can have for your house, but it's also the most expensive in terms of ongoing maintenance...)

    28. Re:And a normal locksmith will also charge by Capt.Albatross · · Score: 2

      So.... where's the story? I don't see anything on slashdot about normal burglars breaking into house with zipguns and the like, why is THIS news?

      Security, and in particular the continuing use of amateurs to develop software and systems that should be secure, is a topic that definitely belongs here (as would new developments in lock-picking, in my opinion).

      This lock was very badly designed, and Onity acted irresponsibly in not taking security seriously (and for a lock, no less). It will send a valuable message to the marketplace if they go out of business as a result.

    29. Re:And a normal locksmith will also charge by Bryansix · · Score: 1

      A locksmith is not analogous to a manufacturer. Yes, you pay the locksmith to replace your locks but that doesn't mean you forget about the problem. You can also complain to the manufacturer for making such junk locks. The method for preventing picking in locks has been well known for a long time now. In fact there are many methods. This company was negligent. They should have made the port to reprogram the lock, only accessible if the lock was unlocked or removed from the door.

    30. Re:And a normal locksmith will also charge by Lumpy · · Score: 1

      Even in that case, one swipe and I have at least 8 hours to ransack as many rooms as I need to.

      This is the biggest problem: the door locks are so cheap they don't report suspicious behavioral patterns like keycard 44372 is being used over and over rapidly across the facility or at two places at once. Heck, they don't even keep a log.

      --
      Do not look at laser with remaining good eye.
    31. Re:And a normal locksmith will also charge by Anonymous Coward · · Score: 0

      Someone always asks that question. At least in this story it was a bit of an update on the article mentioned in the summary. We knew it was going to happen, and here it is.

    32. Re:And a normal locksmith will also charge by markxz · · Score: 1

      To spot suspicious activity the locks would need to be networked. For retrofitting into an existing hotel this would not have been practical so a stand-alone system was developed.

      Some systems do keep logs (the Ving Classic lock claims to store 600 events) so it would be possible to see which cards have opened the lock.
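
The check Lumpy and markxz discuss above, as an added example that is not part of the original thread: it flags a card that sweeps many rooms quickly, or that shows up on two floors within seconds, using audit events pooled from stand-alone locks. The log format, the thresholds and the floor-from-room-number rule are assumptions, and the events are constructed (card 44372 is the number used in Lumpy's comment).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events, as if downloaded from several stand-alone locks
# and pooled into one file. The line format is an assumption for this example.
SAMPLE_LOG = """\
2024-01-15T10:00:05 room=301 card=20011
2024-01-15T10:21:40 room=302 card=20011
2024-01-15T10:44:10 room=303 card=20011
2024-01-15T14:02:00 room=412 card=44372
2024-01-15T14:03:10 room=415 card=44372
2024-01-15T14:04:30 room=418 card=44372
2024-01-15T14:05:45 room=420 card=44372
2024-01-15T15:30:00 room=105 card=31007
2024-01-15T15:30:20 room=960 card=31007
2024-01-15T16:00:00 room=xx card=31007
2024-01-15T16:3
"""


def parse_events(text):
    """Return (timestamp, room, card) tuples sorted by time; skip bad records."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # truncated record, e.g. a lock whose buffer wrapped mid-write
        try:
            ts = datetime.fromisoformat(parts[0])
            fields = dict(p.split("=", 1) for p in parts[1:])
            events.append((ts, int(fields["room"]), int(fields["card"])))
        except (ValueError, KeyError):
            continue  # corrupted field
    return sorted(events)


def find_rapid_sweeps(events, min_rooms=4, window=timedelta(minutes=10)):
    """Cards that opened at least min_rooms distinct rooms inside one window.

    Housekeeping also opens many rooms, but spends minutes in each one, so a
    short window separates the two patterns (thresholds are assumptions).
    """
    by_card = defaultdict(list)
    for ts, room, card in events:
        by_card[card].append((ts, room))
    flagged = {}
    for card, seen in by_card.items():
        start = 0
        for end in range(len(seen)):
            # Slide the window start forward until it spans at most `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            rooms = {room for _, room in seen[start:end + 1]}
            if len(rooms) >= min_rooms:
                flagged[card] = sorted(rooms)
                break
    return flagged


def find_impossible_travel(events, min_travel=timedelta(seconds=60)):
    """Same card on two different floors sooner than a person could get there.

    Floor is taken as room // 100, an assumption about room numbering.
    """
    last_seen = {}
    hits = []
    for ts, room, card in events:
        prev = last_seen.get(card)
        if prev and prev[1] // 100 != room // 100 and ts - prev[0] < min_travel:
            hits.append((card, prev[1], room, int((ts - prev[0]).total_seconds())))
        last_seen[card] = (ts, room)
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("rapid sweeps:", find_rapid_sweeps(evts))
    print("impossible travel:", find_impossible_travel(evts))
```

Because the locks are not networked, this runs after the fact on downloaded logs, so it supports investigation rather than real-time alerting.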

    33. Re:And a normal locksmith will also charge by Anonymous Coward · · Score: 0

      But the locksmith will upgrade other vendors' locks. This is the only vendor for this specific lock, and the fact that the port existed meant they shipped it with a known vulnerability. Would any other lock vendor get away with that?

    34. Re:And a normal locksmith will also charge by Anonymous Coward · · Score: 0

      Would the pattern of the alleged thief be all that different from that of housekeeping staff?

    35. Re:And a normal locksmith will also charge by Anonymous Coward · · Score: 0

      It is replacing a LOCK. It has more functionality and security than a LOCK. Your requirement for network-based activity logging and unusual activity detection is so far out of the scope of a LOCK that it is laughable. This isn't the requirement for a Secret Facility, or a Classified Building, it is a hotel room. Arguably, the electronic card method of swiping is more secure than a LOCK (which is vulnerable to zip guns, credit card jiggling, bump keys, and simply making a copy of the key).

      And, of course, the lock is only one of a number of security methods. You can always just kick in the door.

    36. Re:And a normal locksmith will also charge by Anonymous Coward · · Score: 0

      And...if we network the locks, there is probably the potential for unlocking them all at once instead of individually.

      This hotel card geek is a niche, and kind of a unique individual. And so is his nemesis, the burglar who used his techniques to steal. Probably a handful of people on the planet would attempt either effort or even be capable. But the world is FULL of network geeks and hackers. If you put locks on a network then geeks would flock to the challenge and eventually random low-level thieves would be opening hotel room doors with their cellphone.

      It's just a bad idea, in my opinion.

    37. Re:And a normal locksmith will also charge by 0100010001010011 · · Score: 2

      "Industrial strength lock"? I think not

      I've played with bump keys enough times to be able to unlock any door into my house in under a second or two.

    38. Re:And a normal locksmith will also charge by mcgrew · · Score: 1

      It's been my experience that nobody picks a lock to break into a house, it's easier to just break the door down, as I discovered to my dismay last year. That hundred dollar lock did me no good whatever, they simply pried the door open. The lock held, the door frame didn't.

    39. Re:And a normal locksmith will also charge by Anonymous Coward · · Score: 0

      Salto locks keep a log in the lock as well and can be downloaded with the PPD.
      Logs are also gathered on the server through the Salto gateways.

    40. Re:And a normal locksmith will also charge by Anonymous Coward · · Score: 0

      Normal key locks are vulnerable to various cheap lock picks as well, and, shock of shocks, a locksmith will charge you to upgrade those locks as well.

      So.... where's the story? I don't see anything on slashdot about normal burglars breaking into house with zipguns and the like, why is THIS news?

      The difference is that the locksmith likely did not manufacture the lock on your door.

      Onity made these locks, are responsible for any flaws in the design, and therefore are obligated to fix them.

    41. Re:And a normal locksmith will also charge by Anonymous Coward · · Score: 0

      I will contact supplier and do it

    42. Re:And a normal locksmith will also charge by drkim · · Score: 1

      I believe its geek appeal is derived from the fact that a software hack utilized to break the locks, rather than a physical set of lock picks.

      But, like a set of lock picks, you still need a physical device to insert in the lock and apply the software hack.

      Still geeky, though...

    43. Re:And a normal locksmith will also charge by drkim · · Score: 1

      Would the pattern of the alleged thief be all that different from that of housekeeping staff?

      Yes, one would be ransacking the room for valuables, clearing out the mini-fridge, urinating on the bed, and trying to pry the in-room safe open...

      ...the other would be the thief.

    44. Re:And a normal locksmith will also charge by Smallpond · · Score: 1

      I believe you, AC. I also believe that video where the woman unlocks the car with a tennis ball.

  4. A Fix? They're On It, Sort Of by guttentag · · Score: 5, Funny

    Chocolatey = Chocolate, Sort of...
    Onity = On It, Sort of...

    1. Re:A Fix? They're On It, Sort Of by wwalker · · Score: 1

      Irony, as opposed to wrinkly (saw it on a t-shirt).

    2. Re:A Fix? They're On It, Sort Of by Anonymous Coward · · Score: 0

      I do believe it was a Woot shirt.

    3. Re:A Fix? They're On It, Sort Of by Anonymous Coward · · Score: 0

      do it

  5. Well handled by slashmydots · · Score: 4, Funny

    The Hyatt says Onity didn't provide a fix until after its break-ins, forcing the hotel to plug its locks' ports with epoxy

    Well, at least they issued a patch.

    1. Re:Well handled by bughunter · · Score: 2

      From now on, I'll be providing my own patch. When I'll be travelling, I'll be taking a wad of Mighty Putty.

      I advise you all to do the same.

      --
      I can see the fnords!
    2. Re:Well handled by AmiMoJo · · Score: 1

      Epoxying the service ports made the situation worse for Onity, since there is now no way to issue a software fix without opening the lock.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  6. Took them two months?! by wvmarle · · Score: 4, Interesting

    Surprised it took thieves two months before starting to use this exploit. Even more surprising that the summary says "already".

    The exploit was very well documented, and rather simple to copy. It took mere days for YouTube videos showing off the same hack to appear.

    It is more likely that other hotels were hit with the issue already, but didn't disclose it to the public for fear of attracting more thieves to their hotels, and/or for the bad publicity and the risk of guests staying away from their insecure rooms.

    1. Re:Took them two months?! by rsmith84 · · Score: 4, Insightful

      You have to let the chatter about the exploit die down enough so that you can pull the heist off with better success. Going out and attempting it immediately after Black Hat is too risky and the sign of a foolish thief.

    2. Re:Took them two months?! by Anonymous Coward · · Score: 0

      It must have taken some effort for the hotels to determine that this particular hack was being used in the break-ins, and that fact is not something that can be determined by every hotel security manager out there.

    3. Re:Took them two months?! by Rob+the+Bold · · Score: 4, Insightful

      Surprised it took thieves two months before starting to use this exploit. Even more surprising that the summary says "already".

      Maybe it's only after the exploit was revealed that anyone thought to suspect this was the way some hotel burglaries were happening. We don't necessarily know that Brocious was the first to discover the attack mode -- only that he was the first to publicize it.

      --
      I am not a crackpot.
    4. Re:Took them two months?! by Anonymous Coward · · Score: 0

      Surprised it took thieves two months before starting to use this exploit. Even more surprising that the summary says "already".

      The exploit was very well documented, and rather simple to copy. It took mere days for YouTube videos showing off the same hack to appear.

      It is more likely that other hotels were hit with the issue already, but didn't disclose it to the public for fear of attracting more thieves to their hotels, and/or for the bad publicity and the risk of guests staying away from their insecure rooms.

      Correction: it took two months for a hotel to:

      1. Figure it out
      2. Admit it.
      3. Be picked up as a story by a news media organization

  7. Paying for a fix that should have in place? by grumpyman · · Score: 0

    Now who's the robber/thief?

    1. Re:Paying for a fix that should have in place? by Lieutenant_Dan · · Score: 2

      Easy now; don't blame something on stupidity that you assign to sheer incompetence. Or a third variation, towards a quest of more profit!

      I can design a super-secure lock. It will cost more to develop, and then it will cost more to produce, which will raise its price. Which in turn will lower my potential customers (90% of folks just want a lock that can be easily managed and is simple for their users). The accounting people said, "Do the simpler version, it will be good enough and return us 87% more profit. BTW, we already printed the brochures so your comments are moot."

      If Onity comes up with a more secure model then it could well be that there is a cost associated. Mind you, this is a PR nightmare, so some companies would just eat the cost.

      The hotels bought a lock for a specific purpose. It provides a decent deterrent. Someone motivated will always find a way in.

      Car analogy: You bought the BMW 325 to impress your friends while driving with the collar of your polo shirt up. It turns out that thieves can steal your muffler for the precious precious platinum in the catalytic converter. The brand new M3 model developed after the news broke out has the muffler protected by the body. Do you expect a free upgrade from BMW?

      --
      Wearing pants should always be optional.
    2. Re:Paying for a fix that should have in place? by rockiams · · Score: 1

      I don't think your car analogy is accurate. In this case I bought the BMW (and really a 325 impresses my friends? I need better friends!) to impress my friends, not to protect the platinum in my muffler. If someone steals my muffler, my friends should still be impressed by my status symbol, so long as it isn't running. (Unless my friends are Joe Dirt, and then that loud roar is badass, yeeehaawww!)

      A lock on the other hand, was purchased for the sole purpose of denying entry to unauthorized people. It failed to do so.

      So I guess a better car analogy would be I bought a BMW 750i to impress my friends, but since they are all hippie GNU users who shun material things, it failed to do so. I would have been better off buying a Tesla Motors car to appeal to their green side.

      Oh wait, the car didn't fail, my friends failed to appreciate the Ultimate Driving Machine. Sorry, my car-analogy-fu is weak today.

    3. Re:Paying for a fix that should have in place? by plover · · Score: 1

      Car analogy: You bought the BMW 325 to impress your friends while driving with the collar of your polo shirt up. It turns out that thieves can steal your muffler for the precious precious platinum in the catalytic converter. The brand new M3 model developed after the news broke out has the muffler protected by the body. Do you expect a free upgrade from BMW?

      +1 for the car analogy. And as far as my ancient Ford truck goes, I don't think they'd issue a recall for anything other than a safety issue. But a BMW? I would indeed expect a product recall from BMW, where they would freely install some "catalytic converter locks" that would be nearly as effective as the body redesign solution you hypothesized.

      --
      John
    4. Re:Paying for a fix that should have in place? by Lieutenant_Dan · · Score: 1

      Well done. Yeah, I suck at car analogies. The thing is, the muffler is an important ingredient in the overall product.

      One could argue that the only "key" (pun partly intended) feature is the security of the room protected by the lock as you rightly stated, and yes, it failed to do so. The other pieces would be the management of the cards, auditing of entry to the rooms and the wow factor to the clientele.
      Could also the argument not be made that it would deter 99.99% of unauthorized access? In most circles, that would be pretty good. This is not a trivial exploit either.

      Your analogy has more potential than mine: maybe you expect BMW to get you a Tesla or a new set of country-club friends?

      --
      Wearing pants should always be optional.
    5. Re:Paying for a fix that should have in place? by Anonymous Coward · · Score: 0

      Easy now; don't blame something on stupidity that you assign to sheer incompetence.

      *sigh* All right, all right, I'll take one for the team and ask. What, pray tell, IS the difference between stupidity and incompetence in this context?

    6. Re:Paying for a fix that should have in place? by Lieutenant_Dan · · Score: 2

      Nicely caught. I meant to say "malice" instead of "stupidity". I'm stuck in a two-hour meeting with the project management team at work, so my subconscious let out a small cry for help in my post.

      --
      Wearing pants should always be optional.
    7. Re:Paying for a fix that should have in place? by Anonymous Coward · · Score: 0

      The car analogy failed. The hotels needed a lock and were sold something that lets the baddies open it easily enough.
      A more apt car analogy: you buy your BMW, later some hackers discover that the car speed can be remotely limited to 2kmh, do you expect a free upgrade from BMW? Hell yes, I wanted a car, not a semovent piece of furniture.

    8. Re:Paying for a fix that should have in place? by rockiams · · Score: 2

      I would argue that the muffler is not as important, more akin to the management of cards or the 'wow factor.' A car's main function is transportation, so if it fails that it almost can't impress anyone. So a lock can have several ancillary features but if it is easily defeated, it gets a fail in my book.

      And I am not sure how you would measure a lock to get the 99.99% and if that number is even possible for a lock (Google 'myth 5 9s')

      And I am happy with my hippie GNU friends...and I let MUNI drive me around, so I'm probably not impressing anyone who would be impressed by a car. I would love to drive a Tesla for a couple of days though.

    9. Re:Paying for a fix that should have in place? by stabiesoft · · Score: 1

      The car analogy is simple. The uber secure keyless systems in cars turned out to be insecure like the hotel rooms. Maybe a tad more difficult to break, but still very breakable. BMW is one of the lucky ones to be hacked. Just one example http://www.geekosystem.com/keyless-bmw-hacked-3-minutes/

  8. Where is the next story? by paiute · · Score: 1

    I am waiting for the story about Cody Brocious being sued by Onity for enabling this crime.

    --
    If Slashdot were chemistry it would look like this:Cadaverine
    1. Re:Where is the next story? by Lieutenant_Dan · · Score: 1

      Considering that he went for glory by not providing some professional courtesy (your mileage may vary) and disclosing this to Onity before his Black Hat presentation, he may suffer potentially a bit by "enabling criminals to circumvent the protection offered by the lock". It is a Black Hat conference after all, so the motivations and the spirit are a tad different from other "community" InfoSec conferences. I won't argue what the right approach is. At the end of the day, the vulnerability probably shouldn't exist, so the fault lies entirely with Onity there.

      As well, Onity is asleep at the wheel. It was July when the problem surfaced. In September the thefts happened. It's now November.

      Someone in PR and Media Relations at Onity isn't doing their job. R&D is probably working overtime and Legal Affairs is probably writing up something nice to make an example of Cody.

      --
      Wearing pants should always be optional.
  9. Onity provides a fix .... for a fee. by 140Mandak262Jamuna · · Score: 5, Informative

    Onity has announced a two-step solution. The first one is making it difficult to access the port. There is a cover at the bottom it looks like and they are strengthening it. Maybe metal instead of plastic. And adding a *security* torx screw too. Yeah, maybe they will also make it need pentalobulous head like Apple iPads. But all it will do is to slow down but can't stop the intruder. This part is free.

    They are also providing a software solution. Even when the locks are programmable and upgradable, flashing the new firmware is available for a "nominal" fee. And if your lock does not have upgradable firmware? Well, you need to call in and ask for the price. I think the current pricing is one arm and one leg per upgrade.

    http://www.securityinfowatch.com/news/10766203/onity-provides-lock-upgrades-following-hack

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Onity provides a fix .... for a fee. by Anonymous Coward · · Score: 0

      Hey man, thanks for the info. Funny you mentioned the security torx. Had to open my PVR and get a special screwdriver. Nothing secure there.

    2. Re:Onity provides a fix .... for a fee. by Anonymous Coward · · Score: 0

      I think you mean one ARM [based bored] and one leg.

    3. Re:Onity provides a fix .... for a fee. by Anonymous Coward · · Score: 0

      Is the total fee less than the cost of a complete retrofit minus the price you could get for the used system on eBay?

      Brocious has identified a 32-bit key that identifies the hotel’s “sitecode.” The worst part is that every Onity lock has this key. By reading the key back to the lock, the lock opens. The hack is so simple that he’s surprised more people haven’t found out about it yet.

      A 32-bit key... really!

      After reading this, what surprises me is that Onity is still in business.

    4. Re:Onity provides a fix .... for a fee. by Anonymous Coward · · Score: 0

      Particularly since AES-128 can be run just fine and with reasonable performance (well, fast enough that encrypting serial port communications does not slow it down) on a simple ATmega 8-bit microcontroller.

  10. who to blame by Anonymous Coward · · Score: 0

    Usually, socially, the person who figured it out gets the blame for letting this dangerous knowledge out and into the hands of criminals, rather than the criminal who used it. But it isn't like criminals wouldn't have figured it out, as then it would just be reported as hotel theft and be left at that until it becomes an epidemic, which would get less of an outrage, as there is a proper role of victim and perpetrator rather than the perception of someone openly teaching someone how to steal.

  11. Ö or Õ? by Anonymous Coward · · Score: 0

    I thought it was "oh-nity", like "chocolatey" = "you got chocolate", and "onity" = "you got owned"

    1. Re:Ö or Õ? by Anonymous Coward · · Score: 0

      "Ownity".

  12. Even though this is the Hyatt... by Phelony · · Score: 1

    Why is it when I hear "Texas" and "Hotel", I think of an obese tattooed couple with a meth lab in a suitcase? (obviously both meat-eaters??)

    1. Re:Even though this is the Hyatt... by Redmancometh · · Score: 1

      Because you're an ignorant asshole. It DID end in a question mark...

    2. Re:Even though this is the Hyatt... by Richy_T · · Score: 3, Insightful

      Dunno? Deep seated prejudice and intolerance?

    3. Re:Even though this is the Hyatt... by emho24 · · Score: 1

      All that hate is going to burn you up kid

      --
      You must gather your party before venturing forth.
  13. Hotel in room safes are not much better by trout007 · · Score: 4, Interesting

    I was in a hotel with an in room safe. My kid closed the door and managed to lock it so I called maintenance. The guy came up and hit the # key twice to enter supervisor mode then keyed in 6 9's. Here is a video I shot after he left. I'm pretty sure they don't have an override maintenance code for each room. You could try a few standard combos on your room to figure it out for the hotel. Or just get maintenance up to your room to show you it.

    https://www.youtube.com/watch?v=UYjJuE7l7VM

    --
    I love Jesus, except for his foreign policy.
    1. Re:Hotel in room safes are not much better by Anonymous Coward · · Score: 0

      This is amazing. Combine this with the fact that most luggage are fitted with TSA locks, that means the average person has nowhere to leave valuables in the hotel room.

      TSA locks are numbered, but I have only ever seen TSA002
      Even wiki has 002 http://en.wikipedia.org/wiki/Transportation_Security_Administration#Luggage_locks

      I guess there is one skeleton key that opens all TSA locks, one device to open all hotel rooms, and one six digit number to open all safes.

    2. Re:Hotel in room safes are not much better by Anonymous Coward · · Score: 0

      I worked for a company that made yacht alarm systems. Their product has a number of glaring security holes including a default password. I suspect that this is a lot more common than you think.

      *I tried to bring up one of their security holes that I had spotted almost immediately once, but I was assured it wasn't a problem; they think their system is secure.

  14. "Get's Real"? by Richy_T · · Score: 1

    Next up: Apple to Samsung: "Oh no you din't" and "Axe Slashdot"

    1. Re:"Get's Real"? by Richy_T · · Score: 1

      Arg. Apostrophe blunder...

  15. Dictionaries are by Anonymous Coward · · Score: 0

    . . . useful. Rob is correct, just not specific. Look it up yourself. Burgle would be more specific. Burglarize is a silly word that means burgled.

  16. I think the person that released by Stan92057 · · Score: 0

    I think the person that released the exploit to the world should be paying over half the experiences. The manufacturer who sells the lock needs to pay to get the fix installed that should be taken from any profits they initially made from a defective product. But in real life the only ones who are going to pay are the customers of the hotel.

    --
    Jack of all trades,master of none
  17. Does Onity Meet their own spec? by Anonymous Coward · · Score: 0

    Some of their locks appear to be spec'd to ANSI level 3.
      I wonder if that means able to withstand 30 minutes with reasonable tools.
            (IE Big guy with sledge hammer.)

    If so, seems like a modified dry eraser might be a 'reasonable' tool.
        Especially if it includes no non-public key information.

    First step would be to get the certification lab to pull the approval for the existing locks.
        Then have a lawyer write them a nice letter explaining why they need to fix the problem.