Slashdot Mirror
Maker of Hackable Hotel Locks Finally Agrees To Pay For Bug Fix
Sparrowvsrevolution writes "Slashdot readers are no doubt familiar by now with the case of Onity, the company whose locks are found on 4 million hotel room doors worldwide and, as came to light over the summer, can be opened in seconds with a $50 Arduino device. Since that hacking technique was unveiled by Mozilla developer Cody Brocious at Black Hat, Onity first downplayed its security flaws and then tried to force its hotel customers to pay the cost of the necessary circuit board replacements to fix the bug. But now, after at least one series of burglaries exploiting the bug hit a series of hotel rooms in Texas, Onity has finally agreed to shoulder the cost of replacing the hardware itself — at least for its locks in major chain hotels in the U.S. installed after 2005. Score one point for full disclosure."
Full disclosure by a third party.
Sheesh, evil *and* a jerk. -- Jade
I give it a month before the new firmware is discovered vulnerable to a very similar attack, or a way to bypass the plug is found.
That said, if I were Marriot, of course I'd have negotiated just this kind of deal. It would be quite simple, and any number of electronic lock-makers would fall over themselves to install reduced costs locks (or even compatible boards) and just live off the future support for them.
What bothers me is not the replacement policy (which looks like you need to argue lots to get something quite reasonable, like a free firmware fix), or the security (we all know that lots of modern products have security flaws and to be honest, this one requires quite some skills / balls to exploit), but the denials and brushing-under-the-carpet.
Your locks have one purpose. To stay shut against an intruder. That's all. Sure, we don't expect the room to be impenetrable or them to be crowbar-proof, but we do expect you to not be able to walk up to them with just a device and start changing their settings without that device being authenticated, revokable and protocol-protected. And certainly not to the point that you can work out what to do to make it accept any card from just a lock alone without some serious reverse-engineering.
Damn right, you'd replace my locks. Or your insurance would have one huge hefty claim on it by now from chains like Marriott. Hell, I'd even let you off if I could fit them myself on my own schedule so as to not disturb guests or interfere with business operations, and even let you charge me for delivery.
But what I wouldn't accept would be it taking MONTHS to get to the position that a fix was available after a successful public demonstration. You should have been calling me up and shipping the updated boards/firmware the next day, at least, and worrying about the cost later.
If there's a repeat of this incident with the new board, I would need to KNOW that you were going to do something timely about it BEFORE burglaries start hitting my hotel insurance, which may not even pay out if the locks are that bad.
Too many !!
I think you could have a career in politics.
It is a miracle that curiosity survives formal education. - Einstein
The leaked agreement contains this paragraph:
"Onity’s proposal for franchisees is conditioned on the franchisee’s acknowledgement that Onity does not guarantee a lock’s invulnerability to hacking."
While this is a reasonable statement on its own, the real issue here is competence. Onity's design was in such blatant and avoidable violation of basic security principles (e.g. a small keyspace and a lack of real cryptography) that it might be be called negligent.
They didn't want to ship them even after the knowledge was made public. It's not like there was any chance in hell they would have done it if nobody had known about the problem.
If by that you mean disassembling the face of the lock, plugging the widget in shoving the magic electrons in.
You know what else works "in seconds"? A $10 crowbar, 100% of the time.
It's a ridiculous nerd-rage non-issue, given that to work the hack you'd have to be on site for an extended period, cool as a cucumber, looking and acting like a member of staff. You might as well be staff, and that's where the real vulnerability is, and always will be.
If you were blocking sigs, you wouldn't have to read this.
They didn't want to ship them even after the knowledge was made public. It's not like there was any chance in hell they would have done it if nobody had known about the problem.
It's not like there was any need they should have done it if nobody had known about the problem.
Any lock is hackable. Just because Onity got targetted doesn't mean they are suddenly less secure than all the others.
Obviously, not wanting to fix a known security issue IS a problem.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Actually, the moment that lock was publicly compromised in this way, it DID become less secure than other non-compromised locks.
A regular mechanical lock is secure, but the moment it becomes public knowledge that it can be defeated with a pen it becomes a lot less secure than other locks.
Locks are supposed to deter and delay. Deter regular people and delay thieves. When the lock is completely compromised like this one, it no longer delays thieves, thus making it useless.
Restricting the knowledge to thieves and a company that didn't want to fix their problem is not a solution.
Too many !!
But were they "legitimate?"