Slashdot Mirror


Ransomware Infects a Hotel's Key System (dailymail.co.uk)

An anonymous reader writes: A luxury hotel paid "thousands" in Bitcoin ransom to cybercriminals who hacked into their electronic key system. The "furious" hotel manager says it's the third time their electronic system has been attacked, though one local news site reports that "on the fourth attempt the hackers had no chance because the computers had been replaced and the latest security standards integrated, and some networks had been decoupled." The 111-year-old hotel is now planning to remove all their electronic locks, and return to old-fashioned door locks with real keys. But they're going public to warn other hotels -- some of which they say have also already been hit by ransomware.
UPDATE: The hotel's managing director has clarified today that despite press reports, "We were hacked, but nobody was locked in or out" of their rooms.

11 of 203 comments

  1. Yay, connectivity and IoT by Anonymous Brave Guy · · Score: 5, Insightful

    Who thought it was a good idea for essential systems like this to be online in the first place?!

    This is why the Internet of Things is such a horrible concept. Most things don't need to be online and connected to everything else, and the cost of trying to be trendy is huge increases in risks to the privacy, security and reliability of everyday items.

    Closed networks do just fine for these kinds of systems, don't actually need to cost that much more, and have none of the vulnerabilities.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:Yay, connectivity and IoT by Anonymous Coward · · Score: 4, Insightful

      That's not the failure here. The failure here is that there's no way of manually unlocking the door from the inside. That has to be some sort of fire code violation.

      The fact that the computer that ran that was also connected to the internet just compounds the problem. People should always be able to get out, no matter what's going on with the computer system.

    2. Re: Yay, connectivity and IoT by ShanghaiBill · · Score: 4, Insightful

      The free market simply will not correct this situation, because it has no mechanism to do so.

      Yes it does: Civil law torts.

      Until the IoT is regulated, shit like this is just going to keep happening.

      Regulation means that the spec is written by government bureaucrats, or (even worse) a congressional committee. That will lead to ossification and a focus on compliance checklists rather than real security.

      This hotel had their card system hacked THREE TIMES, yet still had it connected to the Internet. You can't regulate away that level of stupidity.

    3. Re: Yay, connectivity and IoT by Kjella · · Score: 5, Insightful

      I know nothing about Austrian law, but in America this lock system would have been ILLEGAL, and I am astonished that something like this was ever designed and installed. It is a blatant violation of every fire code I have ever seen. Locking people out is fine, but you NEVER NEVER NEVER lock people IN, nor do you ever design something where human safety depends on software or electricity. Egress should always be possible using only mechanical means.

      EU law is rarely softer than US law when it comes to consumer safety, so I doubt they were actually trapped. The problem is probably that this was tied into breaking the glass and setting off the fire alarm with sirens and unlocking all the rooms. While you could silence the sirens, everything would be open to theft and also you wouldn't have a working alarm in case of an actual fire so they probably asked their guests to stay while they tried to resolve it some other way. There's no requirement that the emergency exit should be functional as a backup system.

      --
      Live today, because you never know what tomorrow brings
  2. Why don't people understand... by iCEBaLM · · Score: 5, Informative

    Critical infrastructure DOESN'T NEED ACCESS TO A PUBLIC INTERNET.

    Governments, utility providers, MILITARIES! All of them have publicly accessible computers. WHY?

  3. Fire by Patent Lover · · Score: 5, Insightful

    I can understand people being locked out of their rooms. But if they're being locked in they're in massive violation of fire safety laws.

  4. Daily Mail? Seriously? by szy · · Score: 4, Insightful

    Daily Mail? Seriously? Out of all the media that covered this story extensively over the past couple of days, you chose to link to the Daily Mail as the source? Also including the clickbait phrase of "paid thousands" to refer to 2 bitcoins? The only hope is that the Slashdot community does what it's best at: does not read the article.

  5. Re:Common Sense At Work by AthanasiusKircher · · Score: 5, Informative

    Welp folks, since we're not willing to use common sense in deploying our electronic systems to ensure their security and integrity, we're going to abandon digital and go back to mechanical.

    "Common sense" is not very "common" at all when it comes to electronic systems, and it's even less common when it comes to computer security. The vast majority of people -- even those running big businesses -- simply have no clue how computers or networks or whatever work in any detail. So how can they have "common sense" about them?

    And I think it's only getting worse. Interfaces on computers and electronics keep getting "simpler" with more information hidden from the end user. These changes are often pushed by companies that have a strong interest in keeping their users ignorant of things like security, because it allows them to continuously steal their users' data and information. So, a normal "user" who encounters technology on an everyday basis is going to get dumber about security if trends of the past couple decades continue. "Common sense" about such things will get even more rare.

    Seriously -- obviously an air-gapped system is an easy solution here, but do you realize that most people don't even understand what that means? I've had lots of conversations with people who still can't even tell the difference between local applications/data and the internet... and cloud interactions are further blurring such distinctions all the time, so there's little benefit for most people in trying to understand such distinctions. All the people working at the hotel are going to say is, "Huh? Why can't I check my email on this computer?? It's broken!"

  6. Re:Common Sense At Work by Solandri · · Score: 5, Informative

    The problem wasn't the electronic key system. The problem was the hotel stupidly made their electronic key system (or at least the server) accessible from the public Internet.

    I used to work at a hotel and helped select one of these key card systems for purchase (I wasn't around for the installation). You're supposed to keep it on a separate and isolated network specifically to prevent problems like this. The system is completely self-contained and internal. Nothing else needs access to it, and you don't need to have access to anything else from it. The person using the key card server doesn't need to be able to browse their Facebook page on it. The only data being entered into it should be the front desk staff keying in the guest's name and dates of stay so that a new key card can be generated and the lock for that room reprogrammed.

    Physical keys at hotels were/are a huge problem because anyone can make a copy of the key. Theoretically a guest could make a copy to access the room at a later date. But more commonly, one of the maids (who have master keys so they can access all rooms) makes a copy, gives it to someone else, who then goes into the rooms and steals stuff when the maid is off-duty (so as not to arouse suspicion as to who copied their key). Changing the locks is expensive and doesn't help, because the corrupt maid simply makes a copy of the new key. It's cheaper to make a copy of a physical key than it is to change all the physical locks. OTOH, it's cheaper to change all the electronic lock keys than it is to make a copy of the newer RFID key cards. Switching back to physical keys is a huge step backwards in security.

  7. Article wrong, not locks by phantomfive · · Score: 5, Informative

    According to this article, it was not the locks that were encrypted. The computers they used to make new card keys got encrypted. I'd bet that it was just a bog-standard Windows box with a dongle attached, maybe running Windows XP if the drivers couldn't be updated. Here is a quote from the hotel manager:

    "We were hacked, but nobody was locked in or out," said the hotel's Managing Director Christopher Brandstaetter. "For one day we were not able to make new keycards." "Since the locking system must work even in the event of power failure, the guests in the hotel almost did not notice the incident," the manager also added. "We simply could not issue new keycards because the computers were encrypted."

    --
    "First they came for the slanderers and i said nothing."
  8. Re:Because they're constantly generating new keys. by magarity · · Score: 4, Interesting

    If, and yes, I mean "if", this were a key card only system then the lock doesn't need to communicate with the key making system at all. It just needs a token that increments with each next guest's card. When the token increments, the key cards from the prior guest stop working. When I worked at a hotel this is how the system worked. The key-making system was completely isolated. The desk person poked the room number on a key pad and the key programming box spit out a key. All it did was open that room's door.
     
    The system in the article is what happens when you want to use your key card for all the other stuff in a hotel, like the restaurant, gift shop, etc, to be charged using the key. All the comments about key card systems not needing to be connected miss this detail. The hotel in question was almost certainly using an integrated billing-via-key card system, not just a key card system. The integrated system needs to communicate outside to approve credit cards, email a copy of your receipt, etc, etc, and thus the security weakness.
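As an added illustration of the incrementing-token scheme magarity describes above, and of Solandri's point that the lock needs no link to the key-making box, here is example code written for this page; it is not the software of any hotel system or vendor. It assumes a per-site secret shared by the encoder and the locks at installation, an 8-byte HMAC tag on each card, and a small forward window so a lock still accepts a new guest's card when the previous guest never opened the door; the names and constants (SITE_SECRET, FORWARD_WINDOW, Encoder, Lock, Card) are my own.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Per-site secret shared by the encoder and every lock at installation time.
# Constructed placeholder for the example, not a real deployment value.
SITE_SECRET = b"constructed-example-site-secret"

# How many unseen guest turnovers a lock will accept before it refuses a card
# (covers the case where a guest checked in but never opened the door).
FORWARD_WINDOW = 4


@dataclass(frozen=True)
class Card:
    room: int
    seq: int      # guest sequence number for this room
    tag: bytes    # truncated HMAC binding room and seq to the site secret


def card_tag(room: int, seq: int) -> bytes:
    """Authenticate (room, seq) so a card cannot simply be rewritten with seq+1."""
    msg = f"{room}:{seq}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).digest()[:8]


class Encoder:
    """Front-desk key-making box. Its only state is the last seq issued per room."""

    def __init__(self) -> None:
        self.last_seq: dict[int, int] = {}

    def issue(self, room: int, new_guest: bool = True) -> Card:
        seq = self.last_seq.get(room, 0)
        if new_guest:
            seq += 1          # turnover: this card will retire the previous guest's
        self.last_seq[room] = seq
        return Card(room, seq, card_tag(room, seq))


class Lock:
    """Door lock. Never talks to the encoder; it only remembers the current seq."""

    def __init__(self, room: int) -> None:
        self.room = room
        self.seq = 0

    def try_open(self, card: Card) -> bool:
        if card.room != self.room:
            return False
        if not hmac.compare_digest(card.tag, card_tag(card.room, card.seq)):
            return False                      # forged or corrupted card
        if card.seq == self.seq:
            return True                       # current guest (or a duplicate card)
        if self.seq < card.seq <= self.seq + FORWARD_WINDOW:
            self.seq = card.seq               # new guest: earlier cards are now stale
            return True
        return False                          # previous guest, or too far ahead


def demo() -> dict:
    """Walk through a turnover and an encoder outage; returns the observations."""
    enc, lock = Encoder(), Lock(101)
    guest1 = enc.issue(101)
    guest1_spare = enc.issue(101, new_guest=False)
    r = {"guest1_opens": lock.try_open(guest1),
         "spare_opens": lock.try_open(guest1_spare)}
    # The encoder is now unusable (e.g. its disk encrypted); existing cards
    # keep working because the lock needs nothing from it.
    r["guest1_during_outage"] = lock.try_open(guest1)
    # Encoder restored; the next guest checks in and retires guest 1's cards.
    guest2 = enc.issue(101)
    r["guest2_opens"] = lock.try_open(guest2)
    r["guest1_after_turnover"] = lock.try_open(guest1)
    # Tampered card: right room, plausible seq, wrong tag.
    forged = Card(101, guest2.seq + 1, b"\x00" * 8)
    r["forged_opens"] = lock.try_open(forged)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the split is that the only thing that has to cross from the front desk to the door is the card itself: if the encoder is down, guests already checked in are unaffected, and the only thing the hotel cannot do is issue new cards, which is exactly what the managing director's statement describes.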