Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ransomware Infects a Hotel's Key System (dailymail.co.uk)

Posted by EditorDavid on from the room-service-not-available dept.

An anonymous reader writes: A luxury hotel "paid "thousands" in Bitcoin ransom to cybercriminals who hacked into their electronic key system. The "furious" hotel manager says it's the third time their electronic system has been attacked, though one local news site reports that "on the fourth attempt the hackers had no chance because the computers had been replaced and the latest security standards integrated, and some networks had been decoupled." The 111-year-old hotel is now planning to remove all their electronic locks, and return to old-fashioned door locks with real keys. But they're going public to warn other hotels -- some of which they say have also already been hit by ransomware.
UPDATE: The hotel's managing director has clarified today that despite press reports, "We were hacked, but nobody was locked in or out" of their rooms.

22 of 203 comments (clear)

  1. Yay, connectivity and IoT by Anonymous+Brave+Guy · · Score: 5, Insightful

    Who thought it was a good idea for essential systems like this to be online in the first place?!

    This is why the Internet of Things is such a horrible concept. Most things don't need to be online and connected to everything else, and the cost of trying to be trendy is huge increases in risks to the privacy, security and reliability of everyday items.

    Closed networks do just fine for these kinds of systems, don't actually need to cost that much more, and have none of the vulnerabilities.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:Yay, connectivity and IoT by NotInHere · · Score: 3, Interesting

      Probably the network the hotel was connected to was already reasonably firewalled or maybe even inside some virtual chain intranet. But such networks are still very easy to hack because of shitty update policies, microsoft windows, and attachment.zip.exe.

      It doesn't need to be "thing that talks with cloud and you talk with cloud to talk with thing" like IOT to be hackable.

    2. Re: Yay, connectivity and IoT by Anonymous+Brave+Guy · · Score: 3, Interesting

      The article doesn't specify the exact system or how it was compromised, so unless you have some other source to share, none of us know whether the devices that were compromised in this specific case were directly Internet-connected. Some modern hotel systems are. It could also be that the repeated hacks in this case accessed the room key system indirectly via some other system that was compromised first. The fundamental issues raised are the same either way.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    3. Re:Yay, connectivity and IoT by Anonymous Coward · · Score: 4, Insightful

      That's not the failure here. The failure here is that there's no way of manually unlocking the door from the inside. That has to be some sort of firecode violation.

      The fact that the computer that ran that was also connected to the internet just compounds the problem. People should always be able to get out, no matter what's going on with the computer system.

    4. Re:Yay, connectivity and IoT by CaptainDork · · Score: 3, Interesting

      ... easy to hack because of shitty update policies, [...], and attachment.zip.exe.

      Agree, and it's because the hotel thinks the bottom line is accounts payable/accounts receivable where revenue exceeds expenses.

      Loss-prevention is a cost of doing business.

      Hotels can pay for that up front, or pay for it later.

      Delay is expensive.

      As discussed in TFS, they have to pay the ransom and then go back and pay to harden the system.

      --
      It little behooves the best of us to comment on the rest of us.
    5. Re: Yay, connectivity and IoT by geoskd · · Score: 3, Insightful

      This has nothing to do with IoT.

      This has everything to do with IoT. Its the same principles being used to design hardware and software that gets connected to the Internet. The root of the problem here is that the IoT is entirely unregulated. Anyone who wants to know what unregulated industry looks like: This is it. The free market simply will not correct this situation, because it has no mechanism to do so. Until the IoT is regulated, shit like this is just going to keep happening and escalating until something truly lethal happens, and then, *then* people will go "Oh my god, this needs some kind of regulation!".

      --
      I wish I had a good sig, but all the good ones are copyrighted
    6. Re: Yay, connectivity and IoT by ShanghaiBill · · Score: 4, Insightful

      The free market simply will not correct this situation, because it has no mechanism to do so.

      Yes it does: Civil law torts.

      Until the IoT is regulated, shit like this is just going to keep happening

      Regulation means that the spec is written by government bureaucrats, or (even worse) a congressional committee. That will lead to ossification and a focus on compliance checklists rather than real security.

      This hotel had their card system hacked THREE TIMES, yet still had it connected to the Internet. You can't regulate away that level of stupidity.

    7. Re: Yay, connectivity and IoT by Kjella · · Score: 5, Insightful

      I know nothing about Austrian law, but in America this lock system would have been ILLEGAL, and I am astonished that something like this was ever designed and installed. It is a blatant violation of every fire code I have ever seen. Locking people out is fine, but you NEVER NEVER NEVER lock people IN, nor do you ever design something where human safety depends on software or electricity. Egress should always be possible using only mechanical means.

      EU law is rarely softer than US law when it comes to consumer safety, so I doubt they were actually trapped. The problem is probably that this was tied into breaking the glass and setting off the fire alarm with sirens and unlocking all the rooms. While you could silence the sirens, everything would be open to theft and also you wouldn't have a working alarm in case of an actual fire so they probably asked their guests to stay while they tried to resolve it some other way. There's no requirement that the emergency exit should be functional as a backup system.

      --
      Live today, because you never know what tomorrow brings
    8. Re:Yay, connectivity and IoT by im_thatoneguy · · Score: 3, Interesting

      Who thought it was a good idea for essential systems like this to be online in the first place?!

      Someone who understands their most profitable customers: business customers. If your business customers can check-in online through the app and be assigned a room which they can unlock from their phone without ever interacting with the front desk.

      "Thank you Samantha for picking Great Hotel again. Your room number is 352. Click here to unlock the door. If you have any problems or questions please dial ## or stop by the front desk."

      Obviously the devil is in the details but NFC keycards aren't going anywhere (no changing locks and lost keys) and internet aware locks are the obvious next step of convenience and cost cutting.

    9. Re: Yay, connectivity and IoT by Anonymous Coward · · Score: 3, Insightful

      Indeed, fire code, building code, you name it. I am yet to come across a hotel here in Europe where you would have to use your key card to go out of the room.
      This story is clearly overstating what happened. Yes it sucks of you're a hotel owner, and your card system gets hacked but if your guests could potentially get trapped in case of some malfunction, you're in deep trouble.

    10. Re: Yay, connectivity and IoT by Hognoxious · · Score: 3, Informative

      What *are* you on about with the breaking glass bullshit? Next time you're in a hotel room close the door and put the card in your pocket. Then slowly turn the handle. At about 30 or so degrees you'll feel a bit of resistance. That's the mechanical override (I assume it's a lever or cam[1]) engaging. Turn it some more and hey presto, the door unlocks.

      [1] I'll take a set of screwdrivers on my next road trip.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  2. Why don't people understand... by iCEBaLM · · Score: 5, Informative

    Critical infrastructure DOESN'T NEED ACCESS TO A PUBLIC INTERNET.

    Governments, utility providers, MILLITARIES! All of them have publicly accessible computers. WHY?

  3. Common Sense At Work by Notabadguy · · Score: 3, Funny

    Welp folks, since we're not willing to use common sense in deploying our electronic systems to ensure their security and integrity, we're going to abandon digital and go back to mechanical.

    With this challenge out of the way, we're looking at resolving the parking lot conundrum by bringing back horse buggies. To prevent our central heating and air from being hacked, we're uninstalling it and putting fireplaces and fans in all the rooms.

    1. Re:Common Sense At Work by torqer · · Score: 3, Insightful

      I think you're trying to condemn their decision, but personally, that sounds great to me. Horses, fireplaces, and physical security... not much to complain about... Given that your alternatives are cheap automobiles, dependence on fossil fuels for heating, and a security system that can track your every moment, and still get hacked and end up locked in (or out) of your room.

      I'll take a wired home phone instead of a cell phone and eat food that was harvested locally as well.

    2. Re:Common Sense At Work by AthanasiusKircher · · Score: 5, Informative

      Welp folks, since we're not willing to use common sense in deploying our electronic systems to ensure their security and integrity, we're going to abandon digital and go back to mechanical.

      "Common sense" is not very "common" at all when it comes to electronic systems, and it's even less common when it comes to computer security. The vast majority of people -- even those running big businesses -- simply have no clue how computers or networks or whatever work in any detail. So how can they have "common sense" about them?

      And I think it's only getting worse. Interfaces on computers and electronics keep getting "simpler" with more information hidden from the end user. These changes are often pushed by companies that have a strong interest in keeping their users ignorant of things like security, because it allows them to continuously steal their users' data and information. So, a normal "user" who encounters technology on an everyday basis is going to get dumber about security if trends of the past couple decades continue. "Common sense" about such things will get even more rare.

      Seriously -- obviously an air-gapped system is a easy solution here, but do you realize that most people don't even understand what that means? I've had lots of conversations with people who still can't even tell the difference between local applications/data and the internet... and cloud interactions are further blurring such distinctions all the time, so there's little benefit for most people in trying to understand such distinctions. All the people working at the hotel are going to say is, "Huh? Why can't I check my email on this computer?? It's broken!"

    3. Re:Common Sense At Work by Solandri · · Score: 5, Informative

      The problem wasn't the electronic key system. The problem was the hotel stupidly made their electronic key system (or at least the server) accessible from the public Internet.

      I used to work at a hotel and helped select one of these key card systems for purchase (I wasn't around for the installation). You're supposed to keep it on a separate and isolated network specifically to prevent problems like this. The system is completely self-contained and internal. Nothing else needs access to it, and you don't need to have access to anything else from it. The person using the key card server doesn't need to be able to browse their Facebook page on it. The only data being entered into it should be the front desk staff keying in the guest's name and dates of stay so that a new key card can be generated and the lock for that room reprogrammed.

      Physical keys at hotels were/are a huge problem because anyone can make a copy of the key. Theoretically a guest could make a copy to access the room at a later date. But more commonly, one of the maids (who have master keys so they can access all rooms) makes a copy, gives it to someone else, who then goes into the rooms and steals stuff when the maid is off-duty (so as not to arouse suspicion as to who copied their key). Changing the locks is expensive and doesn't help, because the corrupt maid simply makes a copy of the new key. It's cheaper to make a copy of a physical key than it is to change all the physical locks. OTOH, it's cheaper to change all the electronic lock keys than it is to make a copy of the newer RFID key cards. Switching back to physical keys is huge step backwards in security.

  4. Ransomware locks hotel guests out of their Rooms by khz6955 · · Score: 3, Insightful

    What was the name of the ransomware, what was the name of the company that designed the locks, what OS did the reservation system run on, what OS did the cash desk system run on?

    "Unless this is all just a big publicity stunt to advertise their new door locks."

    Yea, that's it, a hotel would try and drum up business by advertising that its electronic door locks can be compromised.

  5. Fire by Patent+Lover · · Score: 5, Insightful

    I can understand people being locked out of their rooms. But if they're being locked in they're in massive violation of fire safety laws.

  6. Daily Mail? Seriously? by szy · · Score: 4, Insightful

    Daily Mail? Seriously? Out of all the media that covered this story extensively over the past couple of days, you picked to link to the daily mail as the source? Also including the clickbait phrase of "paid thousands" to refer to 2 bitcoins? The only hope is that slashdot community does what it's best at: does not read the article.

  7. Article wrong, not locks by phantomfive · · Score: 5, Informative
    According to this article, it was not the locks that were encrypted. The computers they used to make new card keys got encrypted. I'd bet that it was just a bog-standard Windows box with a dongle attached, maybe running Windows XP if the drivers couldn't be updated. Here is a quote from the hotel manager:

    "We were hacked, but nobody was locked in or out," said the hotel's Managing Director Christopher Brandstaetter. "For one day we were not able to make new keycards." "Since the locking system must work even in the event of power failure, the guests in the hotel almost did not notice the incident," the manager also added. "We simply could not issue new keycards because the computers were encrypted."

    --
    "First they came for the slanderers and i said nothing."
  8. Re:Because they're constantly generating new keys. by magarity · · Score: 4, Interesting

    If, and yes, I mean "if", this were a key card only system then the lock doesn't need to communicate with the key making system at all. It just needs a token that increments with each next guest's card. When the token increments, the key cards from the prior guest stop working. When I worked at a hotel this is how the system worked. The key-making system was completely isolated. The desk person poked the room number on a key pad and the key programming box spit out a key. All it did was open that room's door.
     
    The system in the article is what happens when you want to use your key card for all the other stuff in a hotel, like the restaurant, gift shop, etc, to be charged using the key. All the comments about key card systems not needing to be connected miss this detail. The hotel in question was almost certainly using an integrated billing-via-key card system, not just a key card system. The integrated system needs to communicate outside to approve credit cards, email a copy of your receipt, etc, etc, and thus the security weakness.

  9. No kidding by Sycraft-fu · · Score: 3, Informative

    We have electronic locks at work, and they are on the Internet. They are VLAN'd and firewalled off but they are still on the Internet because the company that administers them is remote. You can argue we should do it our self and I'd agree, but that is the arrangement. However every single one can be overridden on the inside the the handle. The locking mechanism is just that it basically unlocks the door frame so you can push it open from the outside with the electronic lock. Inside, you can always use the handle to override.

    The reason is, as you say, fire code. All our doors always open towards the outside, no matter what. Old lock and key doors are the same. You will find a door with a Medeco lock on the outside that can't be permanently unlocked, only turned to move the bolt, but on the inside ti is just a bar you push to open it up. No matter where you are in the building, you can always get out just by following the doors that will open manually with no key/code. The locks are for locking people out, not in.