Slashdot Mirror


Ransomware Infects a Hotel's Key System (dailymail.co.uk)

An anonymous reader writes: A luxury hotel paid "thousands" in Bitcoin ransom to cybercriminals who hacked into their electronic key system. The "furious" hotel manager says it's the third time their electronic system has been attacked, though one local news site reports that "on the fourth attempt the hackers had no chance because the computers had been replaced and the latest security standards integrated, and some networks had been decoupled." The 111-year-old hotel is now planning to remove all their electronic locks, and return to old-fashioned door locks with real keys. But they're going public to warn other hotels -- some of which they say have also already been hit by ransomware.
UPDATE: The hotel's managing director has clarified today that despite press reports, "We were hacked, but nobody was locked in or out" of their rooms.

38 of 203 comments

  1. Yay, connectivity and IoT by Anonymous Brave Guy · · Score: 5, Insightful

    Who thought it was a good idea for essential systems like this to be online in the first place?!

    This is why the Internet of Things is such a horrible concept. Most things don't need to be online and connected to everything else, and the cost of trying to be trendy is huge increases in risks to the privacy, security and reliability of everyday items.

    Closed networks do just fine for these kinds of systems, don't actually need to cost that much more, and have none of the vulnerabilities.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:Yay, connectivity and IoT by NotInHere · · Score: 3, Interesting

      Probably the network the hotel was connected to was already reasonably firewalled or maybe even inside some virtual chain intranet. But such networks are still very easy to hack because of shitty update policies, microsoft windows, and attachment.zip.exe.

      It doesn't need to be "thing that talks with cloud and you talk with cloud to talk with thing" like IOT to be hackable.

    2. Re: Yay, connectivity and IoT by Going_Digital · · Score: 2

      Was it connected to the internet? Was it a thing capable of being controlled using that internet connection? So why then is it not an Internet Thing?

    3. Re: Yay, connectivity and IoT by Anonymous Brave Guy · · Score: 3, Interesting

      The article doesn't specify the exact system or how it was compromised, so unless you have some other source to share, none of us know whether the devices that were compromised in this specific case were directly Internet-connected. Some modern hotel systems are. It could also be that the repeated hacks in this case accessed the room key system indirectly via some other system that was compromised first. The fundamental issues raised are the same either way.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    4. Re: Yay, connectivity and IoT by bill_mcgonigle · · Score: 2

      Plus you don't have a situation like this where three guests died waiting for the BTC confirmation.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Yay, connectivity and IoT by Anonymous Coward · · Score: 4, Insightful

      That's not the failure here. The failure here is that there's no way of manually unlocking the door from the inside. That has to be some sort of firecode violation.

      The fact that the computer that ran that was also connected to the internet just compounds the problem. People should always be able to get out, no matter what's going on with the computer system.

    6. Re:Yay, connectivity and IoT by CaptainDork · · Score: 3, Interesting

      ... easy to hack because of shitty update policies, [...], and attachment.zip.exe.

      Agree, and it's because the hotel thinks the bottom line is accounts payable/accounts receivable where revenue exceeds expenses.

      Loss-prevention is a cost of doing business.

      Hotels can pay for that up front, or pay for it later.

      Delay is expensive.

      As discussed in TFS, they have to pay the ransom and then go back and pay to harden the system.

      --
      It little behooves the best of us to comment on the rest of us.
    7. Re: Yay, connectivity and IoT by geoskd · · Score: 3, Insightful

      This has nothing to do with IoT.

      This has everything to do with IoT. It's the same principles being used to design hardware and software that gets connected to the Internet. The root of the problem here is that the IoT is entirely unregulated. Anyone who wants to know what unregulated industry looks like: This is it. The free market simply will not correct this situation, because it has no mechanism to do so. Until the IoT is regulated, shit like this is just going to keep happening and escalating until something truly lethal happens, and then, *then* people will go "Oh my god, this needs some kind of regulation!".

      --
      I wish I had a good sig, but all the good ones are copyrighted
    8. Re:Yay, connectivity and IoT by Anonymous Brave Guy · · Score: 2

      Obviously there should be physical safeguards for when the tech screws up, but I don't think that diminishes the scale of the original screw up.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    9. Re: Yay, connectivity and IoT by ShanghaiBill · · Score: 4, Insightful

      The free market simply will not correct this situation, because it has no mechanism to do so.

      Yes it does: Civil law torts.

      Until the IoT is regulated, shit like this is just going to keep happening

      Regulation means that the spec is written by government bureaucrats, or (even worse) a congressional committee. That will lead to ossification and a focus on compliance checklists rather than real security.

      This hotel had their card system hacked THREE TIMES, yet still had it connected to the Internet. You can't regulate away that level of stupidity.

    10. Re: Yay, connectivity and IoT by Kjella · · Score: 5, Insightful

      I know nothing about Austrian law, but in America this lock system would have been ILLEGAL, and I am astonished that something like this was ever designed and installed. It is a blatant violation of every fire code I have ever seen. Locking people out is fine, but you NEVER NEVER NEVER lock people IN, nor do you ever design something where human safety depends on software or electricity. Egress should always be possible using only mechanical means.

      EU law is rarely softer than US law when it comes to consumer safety, so I doubt they were actually trapped. The problem is probably that this was tied into breaking the glass and setting off the fire alarm with sirens and unlocking all the rooms. While you could silence the sirens, everything would be open to theft and also you wouldn't have a working alarm in case of an actual fire so they probably asked their guests to stay while they tried to resolve it some other way. There's no requirement that the emergency exit should be functional as a backup system.

      --
      Live today, because you never know what tomorrow brings
    11. Re:Yay, connectivity and IoT by im_thatoneguy · · Score: 3, Interesting

      Who thought it was a good idea for essential systems like this to be online in the first place?!

      Someone who understands their most profitable customers: business customers. If your business customers can check in online through the app and be assigned a room which they can unlock from their phone without ever interacting with the front desk.

      "Thank you Samantha for picking Great Hotel again. Your room number is 352. Click here to unlock the door. If you have any problems or questions please dial ## or stop by the front desk."

      Obviously the devil is in the details but NFC keycards aren't going anywhere (no changing locks and lost keys) and internet aware locks are the obvious next step of convenience and cost cutting.

    12. Re:Yay, connectivity and IoT by Anonymous Brave Guy · · Score: 2

      Obviously the devil is in the details but NFC keycards aren't going anywhere (no changing locks and lost keys)

      OK, I'm with you so far.

      and internet aware locks are the obvious next step of convenience and cost cutting.

      ::boggle::

      Even some of the cheaper hotel chains here in the UK now routinely have machines that let you check in without staff intervention, including coding your keycards for you. It takes a few moments. It is not at all obvious to me that Internet-enabling anything about this process would be either more convenient or cheaper for anyone.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    13. Re: Yay, connectivity and IoT by Anonymous Coward · · Score: 3, Insightful

      Indeed, fire code, building code, you name it. I am yet to come across a hotel here in Europe where you would have to use your key card to go out of the room.
      This story is clearly overstating what happened. Yes it sucks if you're a hotel owner, and your card system gets hacked but if your guests could potentially get trapped in case of some malfunction, you're in deep trouble.

    14. Re: Yay, connectivity and IoT by Hognoxious · · Score: 3, Informative

      What *are* you on about with the breaking glass bullshit? Next time you're in a hotel room close the door and put the card in your pocket. Then slowly turn the handle. At about 30 or so degrees you'll feel a bit of resistance. That's the mechanical override (I assume it's a lever or cam[1]) engaging. Turn it some more and hey presto, the door unlocks.

      [1] I'll take a set of screwdrivers on my next road trip.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    15. Re: Yay, connectivity and IoT by lgw · · Score: 2

      That's not the normal English language use of the word "safe".

      Let's check a dictionary

      1: free from harm or risk; unhurt
      2: secure from threat of danger, harm, or loss

      It doesn't mean "absolutely, perfectly free of risk of harm". It's a relative term.

      Your private definition of "safe" is not in common use, I'm afraid. I think you want "safer", which means what you want it to mean.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    16. Re: Yay, connectivity and IoT by houghi · · Score: 2

      To me it has nothing to do with IoT. What I see has happened is that they hacked the computers of the hotel. One of these computers is the system that writes the cards. That system does the verification if the card is valid or not.

      These types of system are many, many years old and pre-date the IoT by a large margin. It is basically the same as the badge you have in your wallet.

      That does not mean IoT is a good or bad thing. It just means that this has nothing to do with IoT as these doors are not IoT.

      --
      Don't fight for your country, if your country does not fight for you.
    17. Re: Yay, connectivity and IoT by mlts · · Score: 2

      Torts will do little to nothing. Every IoT device has a EULA or ToS with it forcing arbitration and absolving the device maker of all blame should something happen with the item. Even with torts, the IoT company likely has a good number of lawyers who will just steamroll over anyone bringing lawsuits, or just stall the lawsuit until the plaintiff has to drop it due to lack of funds.

      For the little guy, the civil system only will bankrupt them, so it is no real check.

      Because IoT makers view security as having no ROI, we will keep seeing this over and over. In fact, having devices that are unable to be updated brings more money, because it forces consumers to buy the 1.1 or 2.0 version of the same IoT device.

      This is why government has to step in. There is no mechanism to make IoT makers give a rat's ass about security whatsoever. The same exact thing is why we have UL listings. Companies don't make money by spending extra to have appliances that don't electrocute the end user, so government mandates UL listings in order to have a safe standard. Perhaps the same should be done with regards to security, since security mandates will not be coming from the private sector, as it does not benefit them. "A lock makes no money for anyone other than the lock maker and the locksmith."

      I applaud the hotel for moving back to keys. Ideally, the system for the card readers should be a closed, air-gapped system that has zero network connectivity (almost all hotels had exactly this in the 80s and early 90s so it isn't a must have for door locks to be connected to the Internet), but moving back to a completely mechanical system isn't a bad thing either. Even with high security locks like Abloy or Evva MKS, the cost of cutting a new key and repinning a hotel cylinder is likely far cheaper than having to maintain/update/replace a keycard system anyway.

  2. Why don't people understand... by iCEBaLM · · Score: 5, Informative

    Critical infrastructure DOESN'T NEED ACCESS TO A PUBLIC INTERNET.

    Governments, utility providers, MILITARIES! All of them have publicly accessible computers. WHY?

    1. Re:Why don't people understand... by NotInHere · · Score: 2

      Because it's more convenient and it "works" until cases like these, but they are very exceptional. Most people only want computers to work, "security" is a strange and unknown concept to them.

      But yeah, it's trivial to get rid of this vulnerability by simply having two computers, one for the door locking management system, NOT CONNECTED, and the second one to write emails with, etc.

    2. Re:Why don't people understand... by Bite The Pillow · · Score: 2

      Because you don't hire a programmer nor security consultant to install these systems. You buy the system, and an installer gets the job done with a minimum of extra work.

      You're buying a modernization package, not a security solution. And it will stay this way until people mark up the contract and send it back signed, with additions. But the sale will be voided, the security won't be enforced, until the business has enough customers demanding security.

      The military aspect is kinda vague, I'm not going to address each scenario, but there is an answer, and rarely is it just incompetence, ignorance, or some other magic word to wave away the details.

      Problems have solutions, and as long as we identify both specifically they can be fixed. Rhetorical questions never solved anything, it is far more effective to identify and resolve.

  3. Common Sense At Work by Notabadguy · · Score: 3, Funny

    Welp folks, since we're not willing to use common sense in deploying our electronic systems to ensure their security and integrity, we're going to abandon digital and go back to mechanical.

    With this challenge out of the way, we're looking at resolving the parking lot conundrum by bringing back horse buggies. To prevent our central heating and air from being hacked, we're uninstalling it and putting fireplaces and fans in all the rooms.

    1. Re:Common Sense At Work by torqer · · Score: 3, Insightful

      I think you're trying to condemn their decision, but personally, that sounds great to me. Horses, fireplaces, and physical security... not much to complain about... Given that your alternatives are cheap automobiles, dependence on fossil fuels for heating, and a security system that can track your every moment, and still get hacked and end up locked in (or out) of your room.

      I'll take a wired home phone instead of a cell phone and eat food that was harvested locally as well.

    2. Re:Common Sense At Work by AthanasiusKircher · · Score: 5, Informative

      Welp folks, since we're not willing to use common sense in deploying our electronic systems to ensure their security and integrity, we're going to abandon digital and go back to mechanical.

      "Common sense" is not very "common" at all when it comes to electronic systems, and it's even less common when it comes to computer security. The vast majority of people -- even those running big businesses -- simply have no clue how computers or networks or whatever work in any detail. So how can they have "common sense" about them?

      And I think it's only getting worse. Interfaces on computers and electronics keep getting "simpler" with more information hidden from the end user. These changes are often pushed by companies that have a strong interest in keeping their users ignorant of things like security, because it allows them to continuously steal their users' data and information. So, a normal "user" who encounters technology on an everyday basis is going to get dumber about security if trends of the past couple decades continue. "Common sense" about such things will get even more rare.

      Seriously -- obviously an air-gapped system is an easy solution here, but do you realize that most people don't even understand what that means? I've had lots of conversations with people who still can't even tell the difference between local applications/data and the internet... and cloud interactions are further blurring such distinctions all the time, so there's little benefit for most people in trying to understand such distinctions. All the people working at the hotel are going to say is, "Huh? Why can't I check my email on this computer?? It's broken!"

    3. Re:Common Sense At Work by Solandri · · Score: 5, Informative

      The problem wasn't the electronic key system. The problem was the hotel stupidly made their electronic key system (or at least the server) accessible from the public Internet.

      I used to work at a hotel and helped select one of these key card systems for purchase (I wasn't around for the installation). You're supposed to keep it on a separate and isolated network specifically to prevent problems like this. The system is completely self-contained and internal. Nothing else needs access to it, and you don't need to have access to anything else from it. The person using the key card server doesn't need to be able to browse their Facebook page on it. The only data being entered into it should be the front desk staff keying in the guest's name and dates of stay so that a new key card can be generated and the lock for that room reprogrammed.

      Physical keys at hotels were/are a huge problem because anyone can make a copy of the key. Theoretically a guest could make a copy to access the room at a later date. But more commonly, one of the maids (who have master keys so they can access all rooms) makes a copy, gives it to someone else, who then goes into the rooms and steals stuff when the maid is off-duty (so as not to arouse suspicion as to who copied their key). Changing the locks is expensive and doesn't help, because the corrupt maid simply makes a copy of the new key. It's cheaper to make a copy of a physical key than it is to change all the physical locks. OTOH, it's cheaper to change all the electronic lock keys than it is to make a copy of the newer RFID key cards. Switching back to physical keys is a huge step backwards in security.

  4. Ransomware locks hotel guests out of their Rooms by khz6955 · · Score: 3, Insightful

    What was the name of the ransomware, what was the name of the company that designed the locks, what OS did the reservation system run on, what OS did the cash desk system run on?

    "Unless this is all just a big publicity stunt to advertise their new door locks."

    Yea, that's it, a hotel would try and drum up business by advertising that its electronic door locks can be compromised.

  5. Fire by Patent Lover · · Score: 5, Insightful

    I can understand people being locked out of their rooms. But if they're being locked in they're in massive violation of fire safety laws.

    1. Re:Fire by AthanasiusKircher · · Score: 2

      They probably weren't physically trapped, but without being able to re-enter they couldn't leave if they wanted to keep their belongings.

      First off, if that were true, then all the reporting is erroneous, since that's "locked out" of rooms, NOT "locked in."

      Second... well, we can just RTFA:

      Hotel management said that they have now been hit three times by cybercriminals who this time managed to take down the entire key system. The guests could no longer get in or out of the hotel rooms and new key cards could not be programmed.

      Or read the other article:

      Mr Brandstaetter said they had been hit three times by the cybercriminals, who managed to lock all the doors, trapping many guests inside and some outside their rooms.

      One doesn't usually use the word "trapping" when someone can just walk out a door voluntarily. Obviously if your scenario were true, guests could simply pick up all their belongings and check out. Or they could prop the door open or something. Both of the linked stories imply this was NOT the case. (One even says explicitly that their only choice if they didn't pay the ransom was to go around the hotel and start breaking down doors.)

      In which case, I have to agree with GP that there's a bigger story here -- which is that they had a system installed that could trap people in their rooms, PERIOD. Whether fire or whatever other emergency, there should ALWAYS be a manual override.

  6. Daily Mail? Seriously? by szy · · Score: 4, Insightful

    Daily Mail? Seriously? Out of all the media that covered this story extensively over the past couple of days, you picked to link to the Daily Mail as the source? Also including the clickbait phrase of "paid thousands" to refer to 2 bitcoins? The only hope is that the Slashdot community does what it's best at: does not read the article.

  7. in some systems power lost = doors unlock by Joe_Dragon · · Score: 2

    in some systems power lost = doors unlock (the ones that have the push to exit button) as the power is needed to hold them locked. Also the fire system can trigger the unlock.

  8. Wait, did they say locked *IN*? by mark-t · · Score: 2

    What kind of fucking stupid design is that where that is even physically possible? It should run afoul of absolutely every kind of fire regulation imaginable that a door lock can even *POSSIBLY* lock a person in their unit.

    The mechanism to unlatch the door should be *PHYSICALLY* tied to the turning of the handle or knob on the inside of the unit such that the only way to potentially lock someone in would be to physically damage the latch first... either by welding it into position or otherwise gutting the innards so that it did not work.

  9. Re:People are morons by hey! · · Score: 2

    The thing is, smart people are no exception to the rule that "people are morons".

    A friend of mine who's a management consultant puts it this way: Every action you take has both intended and unintended consequences. Once a group of people become committed to a certain course of action, the intended consequences seem much more real to them and the unintended consequences seem unreal.

    It's emotional involvement that makes you blind to unintended consequences, even if you're very smart. That's why the old Stoic philosophers taught their students to consider things like wealth and reputation as "indifferent". It's not that these things are bad or shouldn't be pursued, but feeling you can't live without them leads to irrationality.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  10. Re:LOL! ... IOT is big steaming pile of doo-doo. by Viol8 · · Score: 2

    "Did anyone of you guys see this coming? I certainly did."

    EVERYONE with a clue saw this coming. Unfortunately that excludes the marketdroids trying to sell IoT and the Oooh Shiny! idiots who buy it.

  11. Re:Tenacious and bargain-priced! by munch117 · · Score: 2

    And they only demanded 1,500 EUR? Hell, the hotel should pay them more than that for security auditing services.

    I'm going to throw a brick through your window. And then charge you 1500 EUR for auditing the physical security of your home. I presume that's okay with you.

    Yeah, high security mechanical locks have been around for at least two hundred years.

    How does this "high security" lock prevent a previous guest from having made a copy of the key? It doesn't, mechanical keys are the wrong tool for the job. Keycards are the right tool, although of course you have to implement it correctly and not connect it to the internet.

  12. Article wrong, not locks by phantomfive · · Score: 5, Informative

    According to this article, it was not the locks that were encrypted. The computers they used to make new card keys got encrypted. I'd bet that it was just a bog-standard Windows box with a dongle attached, maybe running Windows XP if the drivers couldn't be updated. Here is a quote from the hotel manager:

    "We were hacked, but nobody was locked in or out," said the hotel's Managing Director Christopher Brandstaetter. "For one day we were not able to make new keycards." "Since the locking system must work even in the event of power failure, the guests in the hotel almost did not notice the incident," the manager also added. "We simply could not issue new keycards because the computers were encrypted."

    --
    "First they came for the slanderers and i said nothing."
  13. Re:Because they're constantly generating new keys. by magarity · · Score: 4, Interesting

    If, and yes, I mean "if", this were a key card only system then the lock doesn't need to communicate with the key making system at all. It just needs a token that increments with each next guest's card. When the token increments, the key cards from the prior guest stop working. When I worked at a hotel this is how the system worked. The key-making system was completely isolated. The desk person poked the room number on a key pad and the key programming box spit out a key. All it did was open that room's door.
     
    The system in the article is what happens when you want to use your key card for all the other stuff in a hotel, like the restaurant, gift shop, etc, to be charged using the key. All the comments about key card systems not needing to be connected miss this detail. The hotel in question was almost certainly using an integrated billing-via-key card system, not just a key card system. The integrated system needs to communicate outside to approve credit cards, email a copy of your receipt, etc, etc, and thus the security weakness.
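
    The scheme magarity describes above (a lock that never talks to the encoder and only keeps a per-room token that rolls forward with each new guest) and the outage phantomfive quotes (encoder encrypted, locks untouched) can be modelled in a few dozen lines. This is an added illustration, not any poster's or vendor's code; the class names and the MAX_ADVANCE tolerance are assumptions made for the example.

```python
"""Offline hotel-lock model (constructed example, not a vendor implementation).

The front-desk card encoder is the only stateful, potentially networked
machine; each lock stores just the sequence number of the newest card it has
seen for its room.  The two never communicate, so an encoder taken offline
(e.g. encrypted by ransomware) stops new check-ins but leaves every lock working.
"""
from dataclasses import dataclass

# How far ahead of its stored counter a lock will accept a card.  Real locks
# need some tolerance because a guest may check in and never open the door;
# the value here is an assumption for the example.
MAX_ADVANCE = 3


@dataclass(frozen=True)
class GuestCard:
    room: int
    seq: int  # per-room token written by the encoder; grows with every new guest


class CardEncoder:
    """Front-desk encoder: isolated machine holding one counter per room."""

    def __init__(self):
        self._next_seq = {}
        self.online = True

    def issue(self, room):
        if not self.online:
            # The failure mode from the thread: the encoder is unusable, so no
            # new cards can be made, but the locks are unaffected.
            raise RuntimeError("encoder unavailable: cannot issue new keycards")
        seq = self._next_seq.get(room, 0) + 1
        self._next_seq[room] = seq
        return GuestCard(room, seq)


class OfflineLock:
    """Door lock with no network link; its whole state is a single counter."""

    def __init__(self, room):
        self.room = room
        self.current_seq = 0

    def present(self, card):
        """Return (opened, reason); roll the counter forward on a newer card."""
        if card.room != self.room:
            return False, "card is for another room"
        delta = card.seq - self.current_seq
        if delta == 0:
            return True, "current guest"
        if 0 < delta <= MAX_ADVANCE:
            # Newer card: adopt its token.  Every card with a lower token, i.e.
            # every previous guest's card, is now dead without the lock ever
            # having been told about the checkout.
            self.current_seq = card.seq
            return True, "new guest; earlier cards revoked"
        if delta < 0:
            return False, "stale card from an earlier guest"
        return False, "token too far ahead; not accepted"


def checkin_scenario():
    """Two guests in room 352, then an encoder outage; returns the event log."""
    encoder, lock, log = CardEncoder(), OfflineLock(352), []
    alice = encoder.issue(352)
    log.append(("alice first entry", lock.present(alice)))
    bob = encoder.issue(352)
    log.append(("bob first entry", lock.present(bob)))
    log.append(("alice after bob", lock.present(alice)))
    encoder.online = False  # encoder encrypted; front desk cannot make cards
    try:
        encoder.issue(352)
        log.append(("new card during outage", (True, "issued")))
    except RuntimeError as exc:
        log.append(("new card during outage", (False, str(exc))))
    log.append(("bob during outage", lock.present(bob)))
    return log


if __name__ == "__main__":
    for event, (opened, reason) in checkin_scenario():
        print(f"{event:24s} -> {'OPEN' if opened else 'DENY'}  {reason}")
```

    The lock's only protection against a forged card in this model is the sequence window; a real system additionally binds the token to a per-property secret, which is left out here to keep the counter logic visible.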

  14. really? by markdavis · · Score: 2

    > "on the fourth attempt the hackers had no chance because the computers had been replaced and the latest security standards integrated, and some networks had been decoupled." The 111-year-old hotel is now planning to remove all their electronic locks,

    Yeesh. If you decide to not go back to physical keys, at least consider these next time:

    1) Don't connect your door/key system to the Internet, at all.
    2) Isolate the machine on your network to just the needed functionality.
    3) Isolate the machine physically; nobody but specialized staff should have physical access.
    4) Restrict root/admin access to the machine.
    5) If possible, get a system not run by any MS-Windows machines.
    6) Make, test, and retain good, redundant, and incremental backups.
    7) Perhaps hire or contract with I.T. staff that can set up and maintain your systems properly.

    Computer systems are not like ice makers or other appliances at a hotel. They need to be designed, set up, and maintained properly to work well. And, unfortunately, they are rarely a one-time expense. This, more than anything, is what gets companies into trouble. These types of failures being reported are more about management failure than failures of technology.

  15. No kidding by Sycraft-fu · · Score: 3, Informative

    We have electronic locks at work, and they are on the Internet. They are VLAN'd and firewalled off but they are still on the Internet because the company that administers them is remote. You can argue we should do it ourselves and I'd agree, but that is the arrangement. However every single one can be overridden on the inside by the handle. The locking mechanism is just that it basically unlocks the door frame so you can push it open from the outside with the electronic lock. Inside, you can always use the handle to override.

    The reason is, as you say, fire code. All our doors always open towards the outside, no matter what. Old lock and key doors are the same. You will find a door with a Medeco lock on the outside that can't be permanently unlocked, only turned to move the bolt, but on the inside it is just a bar you push to open it up. No matter where you are in the building, you can always get out just by following the doors that will open manually with no key/code. The locks are for locking people out, not in.