Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hotel Keycard Lock Hack Gets Real In Texas

Posted by timothy on from the those-words-in-that-order dept.

Sparrowvsrevolution writes "You may remember a vulnerability in four million keycard locks presented at the Black Hat conference in July. Hacker Cody Brocious showed he could insert a device he built for less than $50 into the port at the bottom of the common hotel lock, read a key out of its memory, and open it in seconds. Two months later, it turns out at least one burglar was already making use of that technique to rob a series of hotel rooms in Texas. The Hyatt House Galleria in Houston has revealed that in at least three September cases of theft from its rooms, the thief used that Onity vulnerability to effortlessly open rooms and steal valuables like laptops. Petra Risk Solutions, an insurance firm focus the hospitality industry also reports that at least two other hotels in Texas were hit with the attack. Onity has been criticized for its less-than-stellar response to a glaring vulnerability in its devices. The Hyatt says Onity didn't provide a fix until after its break-ins, forcing the hotel to plug its locks' ports with epoxy. And even now, Onity is asking its hotel customers to pay for the full fix, which involves replacing the locks' circuit boards."

38 of 132 comments (clear)

  1. Sure I will pay.... by Anonymous Coward · · Score: 5, Funny

    ....for a broken product you gave me......who are your competitors?

    1. Re:Sure I will pay.... by Applekid · · Score: 5, Insightful

      If I were one of Onity's competitors, I would be fast-tracking a replacement system that uses the existing housings at least. Their lunch is right there, on the table, practically begging to get eaten.

      --
      More Twoson than Cupertino
    2. Re:Sure I will pay.... by plover · · Score: 3, Insightful

      The replacement boards slide right into the existing locks, which the competitors product will not do.

      Yet.

      There seems to be a market opportunity here for a vendor who can provide a trustworthy replacement board at a reasonable price. Of course, that means replacing the programming station as well, but it would get a hotel to a potentially better engineered solution, especially if the system was Open Source and scrutinized by the public eye for vulnerabilities.

      --
      John
    3. Re:Sure I will pay.... by IndustrialComplex · · Score: 3

      Very likely there exists a patent which covers some aspect of the board design for fitting in that slot, or interfacing with the remaining mechanism, etc.

      You probably could easily design a board to fit, but it would be seconds before Onity filed an infringement lawsuit, voided support contracts, etc. I'd be willing to bet some of the terminal equipment for programming the cards is leased as well.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    4. Re:Sure I will pay.... by Anonymous Coward · · Score: 2, Insightful

      > ... voided support contracts...

      Does this still scare anyone?

    5. Re:Sure I will pay.... by Gordonjcp · · Score: 2

      voided support contracts

      Voided the support contract that says they don't have to fix a lock that doesn't actually lock in any conventionally meaningful sense of the term?

    6. Re:Sure I will pay.... by Vellmont · · Score: 4, Informative

      You assume hotels think that security is some sort of top priority. It's not. You think that there aren't hundreds of people that could open your hotel room?

      If push comes to shove, I guarantee you the preferred solution for 99% of hotels will be simply securing the physical port, and not monkeying around with circuit boards or replacing the whole system entirely. It's just too expensive for too little benefit. Hotel rooms aren't meant to be Fort Knox.

      --
      AccountKiller
    7. Re:Sure I will pay.... by cbiltcliffe · · Score: 2

      That would be a remarkable oversight on Onity's part.

      So is having the unencrypted software keys accessible from the external service port. What's your point?

      "Remarkable oversight" seems to be the company motto....

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  2. And a normal locksmith will also charge by Gr33nJ3ll0 · · Score: 3, Insightful

    Normal key locks are vulnerable to various cheap lock picks as well, and, shock of shocks, a locksmith will charge you to upgrade those locks as well. So.... where's the story? I don't see anything on slashdot about normal burglars breaking into house with zipguns and the like, why is THIS news?

    1. Re:And a normal locksmith will also charge by dav1dc · · Score: 5, Informative

      I believe its geek appeal is derived from the fact that a software hack utilized to break the locks, rather than a physical set of lock picks.

      There is also a sub-text about the social responsibility and obligation that manufacturers have to patch security holes found in their devices in a timely manner I suspect as well.

    2. Re:And a normal locksmith will also charge by Zero__Kelvin · · Score: 2

      Because we didn't know about it two hours ago, and now we do. It is news for the same reason that I'm certain it appeared on the local news stations in the area. True, their perspective and spin on it certainly differed, but the events happened and then those events were reported. We call that news in the English language.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:And a normal locksmith will also charge by wvmarle · · Score: 3, Informative

      Those locks are not sold as highly secure or so. While I'm quite positive Onity will have used "high security" as one of their sales pitches - part of the reason to use such expensive locks is that a guest not returning a key is not an issue any more, and that the keys are not so easy to copy.

    4. Re:And a normal locksmith will also charge by PlusFiveTroll · · Score: 3, Insightful

      It depends on how the locks are sold, If they cost 10x as much as a regular lock and advertized to protect against this kind of attack, then yes the lock selling company might have an issue. If I sell you a zipgun proof lock and it's not, it become an issue of product misrepresentation.

      Also, up till recently, most people thought of these lock devices as secure, or at least the level of attack that would have to occur would be difficult and rare. Now it's less noticeable to hack these locks then a regular door.

    5. Re:And a normal locksmith will also charge by h4rr4r · · Score: 2, Interesting

      Not so easy to copy?
      A cheap card encoder can be had for under $100.

    6. Re:And a normal locksmith will also charge by Anonymous Coward · · Score: 4, Informative

      Lock picks take time

      Google 'bump key'. They can open a lot of rotary yale-type locks in under 5 seconds.

      https://www.youtube.com/watch?v=hr23tpWX8lM (skip to 1:00)

      Needless to say I never leave the house without locking a deadbolt too.

    7. Re:And a normal locksmith will also charge by wvmarle · · Score: 4, Interesting

      Cards have a built-in expiry date; usually the date you're supposed to leave the hotel. When extending your stay, they will update your card. So while you may be able to copy them, it's not exactly useful.

    8. Re:And a normal locksmith will also charge by Runaway1956 · · Score: 3, Interesting

      AC's reply deserves your attention - as it's the same thing I was thinking.

      Not to mention - I have a huge pile of keys. I have keys that I haven't thrown away since my Navy days, more than thirty years ago. I just don't throw keys away, no matter how "useless" they might seem.

      From time to time, I need to open a lock. I examine the lock, think a bit, poke through my big pile of keys, and usually come up with a match. There are three keys that I carry on my key chain that don't fit anything - specific. They just seem to fit a lot of things that need to be opened. There are, after all, only so many combinations that can be cut into a blank key.

      I'll admit, though, that I have few keys that are likely to fit motel room doors.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    9. Re:And a normal locksmith will also charge by Onymous+Coward · · Score: 2

      Do folks really use the term "zip gun" for lock pick guns? I thought zip guns were just improvised firearms.

    10. Re:And a normal locksmith will also charge by bdwebb · · Score: 2

      A locksmith may charge you to upgrade those locks but 99% of the time that locksmith is not the creator of the locks he installed and is therefore not responsible for the vulnerabilities therein. In this case, Onity is the manufacturer of these locks and they hold the patents for design and build of the locks. I think as a responsible, forward-thinking company they should be responsible for fixing the vulnerability that caused the loss even though it represents a significant loss...ultimately they are not requried to do so, though.

      Onity did offer two fixes to the problem - 1) use a plug for the port to make it inaccessible and utilize torx screws to secure the housing or 2) ship the board back to them for replacement at the customer's expense. While rudimentary tools can make option number 1 useless (a pen casing and a lighter can break through this easily), it would be interesting to see if Onity offers continued warranty support on these products if the customer uses a more permanent solution such as epoxy to plug the hole and block access to the maintenance port. If they do, I would say that while that is still a bit janky, the company is at least willing to meet customers 1/4 of the way if not half the way. Ultimately IMO Onity should replace these at their expense because it is their junk equipment - since they have effectively given the finger to their customers, though, it would be interesting to see what percentage of their keycard lock business goes to competitors over the next few years.

    11. Re:And a normal locksmith will also charge by kootsoop · · Score: 3, Informative

      Actually, housekeeping staff keys are often set to expire on a daily basis. The first thing a housekeeper needs to do in the morning is to revalidate their card. If the card isn't revalidated in time, it needs to human intervention (other than the housekeeper) to be reactivates. Source: I used to work for Onity's parent company (UTC Fire & Security, as it was then), and I worked requirements for some of Onity's newer products.

      --
      "Engineering is the art of making what you want from things you can get" - Jerry Avins
    12. Re:And a normal locksmith will also charge by Richy_T · · Score: 2

      You must have worked in a shitty hotel with equally shitty locks. I don't think I've stayed in a hotel where that would work that I've noticed.

    13. Re:And a normal locksmith will also charge by Capt.Albatross · · Score: 2

      So.... where's the story? I don't see anything on slashdot about normal burglars breaking into house with zipguns and the like, why is THIS news?

      Security, and in particular the continuing use of amateurs to develop software and systems that should be secure, is a topic that definitely belongs here (as would new developments in lock-picking, in my opinion).

      This lock was very badly designed, and Onity acted irresponsibly in not taking security seriously (and for a lock, no less). It will send a valuable message to the marketplace if they go out of business as a result.

    14. Re:And a normal locksmith will also charge by 0100010001010011 · · Score: 2

      "Industrial strength lock"? I think not

      I've played with bump keys enough times to be able to unlock any door into my house in under a second or two.

  3. A Fix? They're On It, Sort Of by guttentag · · Score: 5, Funny

    Chocolatey = Chocolate, Sort of...
    Onity = On It, Sort of...

  4. Well handled by slashmydots · · Score: 4, Funny

    The Hyatt says Onity didn't provide a fix until after its break-ins, forcing the hotel to plug its locks' ports with epoxy

    Well, at least they issued a patch.

    1. Re:Well handled by bughunter · · Score: 2

      From now on, I'll be providing my own patch. When I'll be travelling, I'll be taking a wad of Mighty Putty.

      I advise you all to do the same.

      --
      I can see the fnords!
  5. Took them two months?! by wvmarle · · Score: 4, Interesting

    Surprised it took thieves two months before starting to use this exploit. Even more surprising that the summary says "already".

    The exploit was very well documented, and rather simple to copy. It took mere days for YouTube videos showing off the same hack to appear.

    It is more likely that other hotels were hit with the issue already, but didn't disclose it to the public for fear of attracting more thieves to their hotels, and/or for the bad publicity and the risk of guests staying away from their insecure rooms.

    1. Re:Took them two months?! by rsmith84 · · Score: 4, Insightful

      You have to let the chatter about the exploit die down enough so that you can pull the heist off with better success. Going out and attempting it immediately after Black Hat is too risky and the sign of foolish thief.

    2. Re:Took them two months?! by Rob+the+Bold · · Score: 4, Insightful

      Surprised it took thieves two months before starting to use this exploit. Even more surprising that the summary says "already".

      Maybe it's only after the exploit was revealed that anyone thought to suspect this was the way some hotel burglaries were happening. We don't necessarily know that Brocious was the first to discover the attack mode -- only that he was the first to publicize it.

      --
      I am not a crackpot.
  6. Re:Paying for a fix that should have in place? by Lieutenant_Dan · · Score: 2

    Easy now; don't blame something on stupidity that you assign to sheer incompetence. Or a third variation, towards a quest of more profit!

    I can design a super-secure lock. It will cost more to develop, and then it will cost more to produce, which will raise its price. Which in turn will lower my potential customers (90% of folks just want a lock that can be easily managed and is simple for their users). The accounting people said, "Do the simpler version, it will be good enough and return us 87% more profit. BTW, we already printed the brochures so your comments are moot."

    If Onity comes up with a more secure model then it could well be that there is a cost associated. Mind you, this is a PR nightmare, so some companies would just eat the cost.

    The hotels bought a lock for a specific purpose. It provides a decent detterent. Someone motivated will always find a way in.

    Car analogy: You bought the BMW 325 to impress your friends while driving with the collar of your polo shirt up. It turns out that thieves can steal your muffler for the precious precious platinum in the catalyctic converted. The brand new M3 model developed after the news broke out has the muffler protected by the body. Do you expect a free upgrade from BMW?

    --
    Wearing pants should always be optional.
  7. Onity provides a fix .... for a fee. by 140Mandak262Jamuna · · Score: 5, Informative
    Onity has announced two step solution. The first one is making it difficult to access the port. There is a cover at the bottom it looks like and they are strengthening it. May be metal instead of plastic. And adding a *security* torx screw too. Yeah, may be they will also make it need pentalobulous head like Apple iPads. But all it will do is to slow down but can't stop the intruder. This part is free.

    They are also providing a software solution. Even when the locks are programmable and upgradable, flashing the new firmware is available for a "nominal" fee. And if your lock does not have upgradable firmware? Well, you need to call in and ask for the price. I think the current pricing is one arm and one leg per upgrade.

    http://www.securityinfowatch.com/news/10766203/onity-provides-lock-upgrades-following-hack

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  8. Re:Not "rob", burglarize by clickclickdrone · · Score: 4, Informative

    Or just plain 'burgle' if you're English.

    --
    I want a list of atrocities done in your name - Recoil
  9. Re:Paying for a fix that should have in place? by Lieutenant_Dan · · Score: 2

    Nicely caught. I meant to say "malice" instead of "stupidity". I'm stuck in a two-hour meeting with the project management team at work, so my subsconscious let out a small cry for help in my post.

    --
    Wearing pants should always be optional.
  10. Re:Not "rob", burglarize by Phreakiture · · Score: 4, Funny

    I bet you feel so embiggened for pointing out this incromulence.

    --
    www.wavefront-av.com
  11. Re:Paying for a fix that should have in place? by rockiams · · Score: 2

    I would argue that the muffler is not as important, more akin to the management of cards or the 'wow factor.' A car's main function is transportation, so if it fails that it almost can't impress anyone. So a lock can have several ancillary features but if it is easily defeated, it gets a fail in my book.

    And I am not sure how you would measure a lock to get the 99.99% and if that number is even possible for a lock(Google 'myth 5 9s')

    And I am happy with my hippie GNU friends...and I let MUNI drive me around, so I'm probably not impressing anyone who would be impressed by a car. I would love to drive a Tesla for a couple of days though.

  12. Re:Not "rob", burglarize by History's+Coming+To · · Score: 4, Informative

    To burgle. He burgled. They will burgle. I was burgled. I suffered a burglary. etc

    --
    Please consider this account deleted, I just can't be bothered with the spam anymore.
  13. Hotel in room safes are not much better by trout007 · · Score: 4, Interesting

    I was in a hotel with an in room safe. My kid closed the door and managed to lock it so I called maintenance. The guy came up and hit the # key twice to enter supervisor mode then keyed in 6 9's. Here is a video I shot after he left. I'm pretty sure they don't have an override maintenance code for each room. You could try a few standard combos on your room to figure it out for the hotel. Or just get maintenance up to your room to show you it.

    https://www.youtube.com/watch?v=UYjJuE7l7VM

    --
    I love Jesus, except for his foreign policy.
  14. Re:Even though this is the Hyatt... by Richy_T · · Score: 3, Insightful

    Dunno? Deep seated prejudice and intolerance?