Slashdot Mirror


Maker of Hackable Hotel Locks Finally Agrees To Pay For Bug Fix

Sparrowvsrevolution writes "Slashdot readers are no doubt familiar by now with the case of Onity, the company whose locks are found on 4 million hotel room doors worldwide and, as came to light over the summer, can be opened in seconds with a $50 Arduino device. Since that hacking technique was unveiled by Mozilla developer Cody Brocious at Black Hat, Onity first downplayed its security flaws and then tried to force its hotel customers to pay the cost of the necessary circuit board replacements to fix the bug. But now, after at least one series of burglaries exploiting the bug hit a series of hotel rooms in Texas, Onity has finally agreed to shoulder the cost of replacing the hardware itself — at least for its locks in major chain hotels in the U.S. installed after 2005. Score one point for full disclosure."

6 of 66 comments

  1. Re:I dunno... by Goaway · · Score: 5, Insightful

    They didn't want to ship them even after the knowledge was made public. It's not like there was any chance in hell they would have done it if nobody had known about the problem.

  2. Sure, "in seconds" by Rogerborg · · Score: 4, Insightful

    If by that you mean disassembling the face of the lock, plugging the widget in, shoving the magic electrons in.

    You know what else works "in seconds"? A $10 crowbar, 100% of the time.

    It's a ridiculous nerd-rage non-issue, given that to work the hack you'd have to be on site for an extended period, cool as a cucumber, looking and acting like a member of staff. You might as well be staff, and that's where the real vulnerability is, and always will be.

    --
    If you were blocking sigs, you wouldn't have to read this.

  3. Re:I dunno... by mwvdlee · · Score: 4, Insightful

    They didn't want to ship them even after the knowledge was made public. It's not like there was any chance in hell they would have done it if nobody had known about the problem.

    It's not like there was any need they should have done it if nobody had known about the problem.

    Any lock is hackable. Just because Onity got targeted doesn't mean they are suddenly less secure than all the others.

    Obviously, not wanting to fix a known security issue IS a problem.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?

  4. Re:I dunno... by MartinSchou · · Score: 5, Insightful

    Actually, the moment that lock was publicly compromised in this way, it DID become less secure than other non-compromised locks.

    A regular mechanical lock is secure, but the moment it becomes public knowledge that it can be defeated with a pen it becomes a lot less secure than other locks.

    Locks are supposed to deter and delay. Deter regular people and delay thieves. When the lock is completely compromised like this one, it no longer delays thieves, thus making it useless.

  5. Re:A month by camperdave · · Score: 5, Insightful

    Your locks have one purpose. To stay shut against an intruder. That's all. Sure, we don't expect the room to be impenetrable or them to be crowbar-proof, but we do expect you to not be able to walk up to them with just a device and start changing their settings without that device being authenticated, revokable and protocol-protected. And certainly not to the point that you can work out what to do to make it accept any card from just a lock alone without some serious reverse-engineering.

    Well, it's not as if you can just stick in an unbent paper clip or the barrel of a stick pen. And it's not as if you can connect a quickly hacked together "pick" out of an old wall wart and a 9 Volt battery. You have to stick in a specifically crafted piece of sophisticated electronics. The manufacturer thought that would be enough of a barrier.

    But what I wouldn't accept would be it taking MONTHS to get to the position that a fix was available after a successful public demonstration. You should have been calling me up and shipping the updated boards/firmware the next day, at least, and worrying about the cost later.

    You want to go from zero to having authenticated, revokable and protocol-protected lock programmers in a day? Dream on, chum, dream on.

    --
    When our name is on the back of your car, we're behind you all the way!

  6. Re:I dunno... by dbIII · · Score: 4, Insightful

    Restricting the knowledge to thieves and a company that didn't want to fix their problem is not a solution.