Slashdot Mirror


Lock Out: the Austrian Hotel That Was Hacked Four Times (bbc.com)

AmiMoJo shares a BBC report: Christoph Brandstatter is managing director of the four-star Seehotel, Jagerwirt, in Austria's Alps. His hotel's electronic door locks and other systems were hacked for ransom four times, between December 2016 and January 2017. "We got a ransomware mail which was hidden in a bill from Telekom Austria." His hotel's door keys became unusable after he clicked on a link to his bill. So was his hard drive. "Actually, as a small business you do not really think that anybody's interested in you for hacking, so we had no plan what to do," he recalls. He paid a ransom of two bitcoins, saying "at that time it was about $1,882." He has now installed firewalls and new antivirus software, and has trained his staff to recognise phishing emails that may seem genuine but actually contain malware. And he's moved back to traditional metal keys.

53 comments

  1. get doors offline idiots! by sittingnut · · Score: 1

    all who want everything they have online, for no or trivial reasons, are asking for it. feel no sympathy for such idiots.

    1. Re:get doors offline idiots! by Moof123 · · Score: 1

      Agreed. Way too many things are becoming "smart" just for the sake of it, but with almost no real increased utility.

      Why do I need my meat thermometer to be WiFi connected?!? Worse yet, why is it unusable without a connection. WTF?

    2. Re:get doors offline idiots! by phantomfive · · Score: 1

      The doors weren't online, the computer that was writing to the keys was online. That should have been offline too, but whatever.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:get doors offline idiots! by Anonymous Coward · · Score: 0

      His computer was hacked, one would presume that he had software installed so he could make new keycards for the customer. He would need to have some access to be able to do that.

    4. Re:get doors offline idiots! by JaredOfEuropa · · Score: 2

      It's not about the smartness... electronic locks probably don't make much sense in your home, but in a hotel they are a godsend compared to old-fashioned locks. But you might want to run the key management software (along with climate control, bookkeeping software and so on) on a separate workstation that is isolated from the Internet.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    5. Re:get doors offline idiots! by AuMatar · · Score: 1

      Because non-electronic doors are worse. With an electronic door, you kill the key if it isn't turned in, and they can't get back into the room. With a physical key, you can trivially make a copy which will allow you access later, when someone else is renting the room. Electronic keys are safer for guests.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    6. Re:get doors offline idiots! by wardrich86 · · Score: 1

      Just run a separate network for the doors that has no access to the computers hooked into the internet.

    7. Re:get doors offline idiots! by Anonymous Coward · · Score: 0

      Why do I need my meat thermometer to be WiFi connected?!? Worse yet, why is it unusable without a connection. WTF?

      Because you were stupid enough to buy it?

      I have a 100% firm "nothing which isn't a computer connects to the internet" policy. No toasters, no thermostats, no fridges, no TVs, no toilets, no door locks ... not a single fucking thing.

      All of these "smart" appliances are a stupid idea. The manufacturer doesn't care about security, they don't plan on giving you updates, and the EULA says "we don't warrant this isn't a piece of shit and won't be liable if you get hacked".

      The average home owner who says "zomg, teh door can be opened from teh app on the interwebs" ... well, I sincerely hope when they get robbed they realize this was a problem entirely of their own making.

      Ask yourself, would I entrust the security of my home or network to some douchebag from marketing who just cares about making a sale this quarter and then will promptly abandon me and my product?

      If the answer is yes, then you're a moron. If the answer is no, why the fuck did you buy it anyway?

      Most connected products serve no purpose except as shiny baubles for idiots. And I'm afraid I have zero sympathy for people who buy technology they don't understand.

    8. Re:get doors offline idiots! by Nidi62 · · Score: 1

      The doors weren't online, the computer that was writing to the keys was online. That should have been offline too, but whatever.

      All the hotels I've been to lately have what seems to be a standalone machine that programs the keys. Or are those hooked up to computers as well?

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    9. Re:get doors offline idiots! by Chan+Jav · · Score: 1

      Most systems are interfaced to the hotel's property management system. This is generally by serial, but now systems are IP based. The newer card encoders are also IP based. The workstations that are running the encoders and the key database should be dedicated workstations, but these are usually networked for support and management. Some vendors are better than others; the ones that don't let us join these to our domain cause the most issues because we lose the ability to have these centrally managed.

    10. Re:get doors offline idiots! by Anonymous Coward · · Score: 0

      >And I'm afraid I have zero sympathy for people who buy technology they don't understand.
      Does this attitude extend to cars? It is slashdot after all.

    11. Re:get doors offline idiots! by ctilsie242 · · Score: 1

      You are right on this. The simple concept of attack surface is the issue here. Offline, it takes physical access to a reader (which can be done), or physical access to the hotel network or the admin PC. Online, anyone in the world can attack it. Offline, police are relatively excellent at finding traces of a physical intruder and nailing them, while online, unless the person is extremely sloppy or they ticked off someone with enough money to hunt them down, they won't get caught.

      Physical security devices should never be allowed on the Internet, period. Firmware updates should be signed, downloaded through an SD card, and updated on a manual basis, with a way to undo the update should it foul things up. If Compaq Deskpros and ProLiant machines in 1995 could do this, then machines made 20 years later can be made to be far more secure. I like the idea of a deadbolt that can tell if it is open or not... perhaps with the ability to lock from remote (but never unlock), but even that can be a hazard, since a would-be thief who gets access can just set a poll and alert him/her when the door is unlocked for a certain period of time.

      I do agree for a hotel that keycards are a step above physical keying systems, but there can be a balance. Assa-Abloy has Abloy PROTEC2 locks with part of it being electronic (CLIQ). That way, there is both physical resistance to picking, as well as the ability to block a key from being used. This isn't cheap, but for a five star hotel, they can well afford a good locking system for their guests.

    12. Re:get doors offline idiots! by ctilsie242 · · Score: 1

      Both mechanical and electronic locks have good and bad points. A good mechanical system, if done by a locksmith who knows what they are doing with software to allow for proper keying, a lock mechanism that is reasonably high security [1] and allows a ton of different keys, and quick responsiveness (if a guest leaves with a key, change the lock.) If this is done, the lock mechanism can be simple, yet very secure. I remember one place where when you closed the door, it threw the deadbolt, which was easily opened from the inside by the door knob. This lock couldn't be opened with a credit card.

      Electronic locks may be easier to "rekey", but instead of picking, there is bypassing, and there tend to be as many ways to bypass a certain model of electronic lock (if not more) as there are for mechanical locks. For a smaller place that can't really have a locksmith on duty, electronic locks (with everything kept offline) are arguably the best option, but for a five star place, maybe having a high security key to hand to a guest would be a better option.

      [1]: Most US door locks are shit. Five tumblers, maybe six. It actually is astounding why something like Medeco, Abloy PROTEC, Mul-T-Lock M3+, Evva MCS, or some other high security brand is not used as a standard. Even China has gone wild with dimple locks with at least 10+ security pins. When I say high security, even something like Medeco3 which can be opened by a good locksporter would suffice, but the ideal would be an Abloy PROTEC2 or EVVA MCS where there are no known tools (other than a drill) to open the lock.

    13. Re: get doors offline idiots! by Anonymous Coward · · Score: 0

      Because in the US with houses made out of wood, if you put in a more secure lock, someone will just kick your wall in.

    14. Re: get doors offline idiots! by Anonymous Coward · · Score: 0

      "Offline, police are relatively excellent at finding traces of a physical intruder and nailing them"

      You must have dealt with different police than I do. In my area, it's basically up to the homeowner to gather all the evidence (security tape etc) and serve it to the police on a silver platter before anything substantial gets done.

    15. Re:get doors offline idiots! by AuMatar · · Score: 1

      The guest doesn't need to leave with the key, they just need to make a copy. Are you going to change the lock between every 2 customers? No? Then electronics are more secure, for hotels (homes/businesses are a different set of problems).

      --
      I still have more fans than freaks. WTF is wrong with you people?
    16. Re:get doors offline idiots! by Anonymous Coward · · Score: 0

      Yeah, it does. I don't expect people know how to change a camshaft or a clutch by themselves, but they should know what they are. And if they can't check the oil or brake pads themselves they shouldn't be fucking driving.

    17. Re:get doors offline idiots! by Opportunist · · Score: 1

      You think they have computers. No. They have computer. Singular. They have one computer handling the door keys, the room booking, the emails and most likely the bookkeeping, too.

      Why would you assume that a small hotel would have more than one computer?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    18. Re:get doors offline idiots! by Opportunist · · Score: 1

      If entering a hotel room that isn't the one you're renting is your goal, the average electronic lock is more dear to you than the average mechanical one. Mostly because you don't even have to remake a key. All you really need in most cases is a strong magnet and knowing a thing or two about the lock.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    19. Re: get doors offline idiots! by Anonymous Coward · · Score: 0

      I'm fully with you. Not to mention that Hollywood would go bankrupt if breaking into houses wasn't so easy.

  2. Magnets! by HornWumpus · · Score: 1

    Many electronic locks contain an old school relay. These can almost all be opened by putting a good strong magnet in the right spot.

    Hotels should keep a supply of rare earth magnets, as backup keys.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    1. Re:Magnets! by Rockoon · · Score: 2

      I would think that these electronic locks have to "fail unlocked" if the power is cut.

      --
      "His name was James Damore."
    2. Re:Magnets! by DontBeAMoran · · Score: 3, Funny

      That's a good idea but... how do they fucking work?

      --
      #DeleteFacebook
    3. Re:Magnets! by Anonymous Coward · · Score: 0

      Most also have a physical master key that can open it regardless, no need to fail unlocked. They could easily have batteries inside too.

    4. Re: Magnets! by Anonymous Coward · · Score: 0

      No need to fail unlocked, the door can be opened from inside without key anyway.
      Outside, they may have a physical master key.

    5. Re:Magnets! by Anonymous Coward · · Score: 0

      I would think that these electronic locks have to "fail unlocked" if the power is cut.

      No, since in an emergency, you would be exiting the room, not entering it. So fail-safe mode (unlocked) is not required.

    6. Re:Magnets! by tlhIngan · · Score: 1

      I would think that these electronic locks have to "fail unlocked" if the power is cut.

      Most actually aren't powered - they've got a pack of AA batteries in the back (facing inside the room) that powers the whole unlock mechanism. Presumably they send a signal back to the key controller if the batteries start to run low so guests don't encounter a lock that doesn't work.

      That way the cable that runs to each door is just a low voltage signalling cable that's incapable of carrying enough power for all the door locks.

    7. Re:Magnets! by Anonymous Coward · · Score: 0

      No, since in an emergency, you would be exiting the room, not entering it.

      Tell that to the person inside the room suffering a diabetic coma.

      You are what's wrong with the world. You thought of a single thing... and then decided case closed, rather than continuing to use your fucking brain.

    8. Re:Magnets! by TechyImmigrant · · Score: 2

      Many electronic locks contain an old school relay. These can almost all be opened by putting a good strong magnet it the right spot.

      Hotels should keep a supply of rare earth magnets, as backup keys.

      I once demonstrated this to a hotel staff member who couldn't get into the room next door. The irony was that I was staying at the hotel because there was a lock manufacturer's conference downstairs and half the people in the hotel were capable of bypassing the locks. I suspect the hotel member couldn't get in the door because the occupant had disabled the electronic lock. Spend a few hours with an electronic lock in a fixture on your desk and a screwdriver and you will learn how secure they are.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    9. Re: Magnets! by Anonymous Coward · · Score: 0

      A diabetic coma during a power outage? If s/he can call the manager or emergency services then help will come and they will open the door from outside with the manager's cooperation or just break it.

      The manager will not be entering the room without first responders; it's too much liability.

      If diabetic coma person cannot call for help s/he is screwed anyway, regardless of power outage mode of that lock.

      How about you think through your own contrived example a little before berating others?

  3. Perhaps he should try ... by ei4anb · · Score: 2

    not connecting his email reading Internet browsing PC to his hotel door lock system?

    1. Re:Perhaps he should try ... by Archangel+Michael · · Score: 1

      In all likelihood, he just has no extra computer to spare. The lock system is also booking, and email, and ....

      Bet that 2 Bitcoin ransom was about the cost of a new system that he was trying not to buy.

      "Good IT is expensive, bad IT is costly"

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:Perhaps he should try ... by freeze128 · · Score: 1

      "He has now installed firewalls and new antivirus software..."

      So, he didn't even have a firewall BEFORE?!?!?! That's your problem right there.

    3. Re:Perhaps he should try ... by Anonymous Coward · · Score: 1

      He should have bought two Raspberry Pi Zero Ws instead. Maybe there could be a small business technology user association of sorts that would collaboratively create solutions for problems, architectures and use cases for the "real-world" users like farmers, hotel and shop owners and the like.

    4. Re:Perhaps he should try ... by Opportunist · · Score: 1

      And you will go and make a system that the average computer illiterate can use? Because that's what you're dealing with here.

      You can rest assured that some clever markedroid sold him this system for lots of Euros and he bought it because it was one of the few where he actually understood at least the basic concept of how it works. Unless you have some neatly designed plastic boxes that house those RasPis so they don't look like scary computer stuff, he won't touch them.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Uh, go with another Telecom company then? by wardrich86 · · Score: 0

    "We got a ransomware mail which was hidden in a bill from Telekom Austria."

    If the telecom company is so incompetent that they managed to send out bills with viruses, it's probably time to find another telecom company... OR if you are too incompetent to tell the difference between a legitimate telecom bill and a virus, you probably shouldn't have doors on the internet.

    1. Re:Uh, go with another Telecom company then? by DontBeAMoran · · Score: 1

      If it seems to be coming from the same email address as usual, the text of the email is the same as usual, the filename of the PDF is the same as usual... why would he be incompetent?

      Do you check the raw email log of EVERY SINGLE EMAIL that is sent to you?

      --
      #DeleteFacebook
    2. Re: Uh, go with another Telecom company then? by Anonymous Coward · · Score: 0

      I check every single mailed link i click on, yes. Hardly ever click on mailed links.

      Still, windows viruses can't harm a linux machine...

    3. Re:Uh, go with another Telecom company then? by Anonymous Coward · · Score: 0

      Use google mail or linux. I don't have any windows mail client.
      And i don't have any adobe pdf viewer either, chrome opens them nicely. I wanna see these pdf mails break out of chromium on linux :)

      Chances are this guy just started some .exe masquerading as a pdf. Most likely he had to click at least twice to confirm, yes, he is a moron who wants to run an .exe from an alien source.
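
A defender-side check for the masquerading-attachment case discussed in this comment (an executable named like a bill, a double extension, a real PDF carrying active content), added here as an example; it is not code from the thread or from any vendor named in it, and the invoice filenames and attachment bytes are constructed.

```python
"""Triage e-mail attachments that claim to be invoices (added example).

Flags the tricks discussed in the thread: an .exe named like a bill, a
double extension such as 'Rechnung.pdf.exe', bytes that disagree with the
extension, and a PDF that carries active content. Samples are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

EXECUTABLE_EXT = {"exe", "scr", "com", "bat", "cmd", "js", "jse", "vbs",
                  "wsf", "hta", "msi", "lnk"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Leading bytes of the container types this check distinguishes
MAGIC = {
    b"MZ": "pe_executable",        # Windows .exe / .scr / .dll
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",          # also .docx / .xlsx / .jar
    b"\xd0\xcf\x11\xe0": "ole",    # legacy .doc / .xls, may carry macros
}

# PDF name objects that run code or external actions when the file opens
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA)\b")


@dataclass
class Finding:
    filename: str
    verdict: str                       # "allow", "review" or "block"
    reasons: List[str] = field(default_factory=list)


def sniff(data: bytes) -> str:
    """Identify the container by its leading bytes, not by its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> Finding:
    # Strip whitespace around each extension so 'bill.pdf      .scr' is seen
    parts = [p.strip() for p in filename.lower().split(".")]
    exts = parts[1:]
    claimed = exts[-1] if exts else ""
    kind = sniff(data)
    block, review = [], []

    if claimed in EXECUTABLE_EXT or kind == "pe_executable":
        block.append(f"executable content (extension .{claimed}, bytes say {kind})")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT:
        block.append(f"double extension .{exts[-2]}.{exts[-1]}")
    if claimed == "pdf" and kind != "pdf":
        block.append(f"named .pdf but content is {kind}")
    if kind == "pdf" and PDF_ACTIVE.search(data):
        block.append("PDF carries active content (JavaScript/Launch/OpenAction)")
    if kind == "ole" and claimed in {"doc", "xls"}:
        review.append("legacy Office container, can hold macros")

    verdict = "block" if block else "review" if review else "allow"
    return Finding(filename, verdict, block + review)


# Constructed samples, not real attachments; the bill-style names are assumptions
SAMPLES: Dict[str, bytes] = {
    "Rechnung_Telekom_2017-01.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "Rechnung.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "Rechnung.pdf                .scr": b"MZ\x90\x00" + b"\x00" * 60,
    "Rechnung.pdf": b"MZ\x90\x00" + b"\x00" * 60,      # executable renamed to .pdf
    "Rechnung_aktiv.pdf": b"%PDF-1.7\n1 0 obj\n<< /OpenAction << /S /JavaScript /JS (this.print()) >> >>\nendobj\n",
    "Rechnung.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
}


def run_samples() -> Dict[str, str]:
    """Return filename -> verdict for the constructed samples."""
    return {name: triage(name, data).verdict for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        f = triage(name, data)
        print(f"{f.verdict:6} {name!r}: {'; '.join(f.reasons) or 'no findings'}")
```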

  5. Because you paid the ransom by twebb72 · · Score: 2

    He paid a ransom of two bitcoins, saying "at that time it was about $1,882."

    There's your mistake. Once your hack results in profit, it's easier to keep a 'customer' than find new ones.

    1. Re:Because you paid the ransom by Anonymous Coward · · Score: 0

      I also don't understand why he didn't just call up the lock company to repair their crappy locks.

  6. just wait for some to copy the metal key and some by Joe_Dragon · · Score: 1

    just wait for someone to copy the metal key and something bad to happen.

  7. Javascript to the rescue again! by Anonymous Coward · · Score: 0

    His hotel's door keys became unusable after he clicked on a link to his bill.

    So once again, we see another addition to the endless list of security clusterfucks enabled by running javascript by default from any source.

    Clicking on a link does not infect your PC if you are using plain web pages. It only does that if you allow the other side to execute things in your browser, which it can then break out of.

    You have to be a massive idiot to let any site you connect to do that.

    Once again, WHITELIST a few sites you trust. Do not execute javascript by default. This is basic web security 101.

    1. Re:Javascript to the rescue again! by FeelGood314 · · Score: 3

      I am endlessly frustrated by security companies and banks whose websites don't work without javascript enabled. I want to browse the web with javascript disabled but the companies that should be offering the most security are working against me. Why the hell are dark net sites run by just a few individuals more secure than my multi billion dollar bank?

    2. Re:Javascript to the rescue again! by Anonymous Coward · · Score: 0

      Unfortunately, you, a thoughtful person, are suffering for the lack of thought of the majority. Most people do not give the barest thought to security.

      If it's your bank, that's probably one of the safer sources to whitelist. The big problem with javascript comes when it's enabled by default, so any misclick, any embedded JS banner ad, any phishing link can use that as an attack surface.

      In some cases you don't have much choice, like your bank, but you can still minimize the risks. I agree with you though, a lot of pages don't need javascript, they are just built to depend on it because the web browsing masses will happily leave it enabled... and then wonder why their home PC or their company network just got hijacked.

    3. Re:Javascript to the rescue again! by AmiMoJo · · Score: 1

      Some banks seem to see JavaScript as a security enhancement. My banks both use the same off the shelf web interface, and it asks you for numbers from a secret code when you log in. That page maxes your CPU and responds very slowly to input, because of some JavaScript that is trying to break key loggers and browser exploits.

      Fortunately it works with JavaScript disabled.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Javascript to the rescue again! by Anonymous Coward · · Score: 0

      They are sacrificing security for usability. If things on the internets don't work like amazon or facebook, people can't use them, and if people aren't using them, they're not making money off them.

      They have insurance anyway.

      Try getting insurance for anything darknet-related. They cannot trade security for anything - it's too valuable.

    5. Re:Javascript to the rescue again! by Anonymous Coward · · Score: 0

      >Most people do not give a barest thought to security.
      >...web browsing masses will happily leave it enabled

      BINGO but also may I add those two are not necessarily related. People are concerned about security but they (especially employees) will consider their computer secure because 'employer's company responsibility'. Or their personal computer they'll just leave everything and I mean EVERYTHING at defaults.

  8. Just in case I'm the only one keeping track . . . by sgt_doom · · Score: 2

    . . . . to date, since 2012, the US gov't and private sector has been hacked over 3,270,000,000 (> 3 billion 270 million) times - - - and note, I typed OVER! So the exact number is still unknown.

  9. Are we done now berating him? by Opportunist · · Score: 4, Interesting

    I happen to know this case. And I happen to know security in hotels in general, and even in some in Austria in particular. Here's the problem, you're cordially invited to provide a solution.

    You're dealing with people that are total computer illiterates. And I mean total. They maybe learned a thing or two about using them, they might even have managed to navigate an ECDL course which is basically a glorified way of saying "I can turn on a computer without it instantly exploding", but their expertise and actual training is in something completely different. Many of them actually do not like computers AT ALL. They much prefer dealing with people, else they would not have chosen that occupation.

    These people are now chronically understaffed, overworked and stressed. They're supposed to greet people, hand them their keys, do bills, handle the phone and of course email. And no, simply hiring more people isn't possible, there are no more people you could hire. We're talking about a highly seasonal business where there are either too many or too few people available, hence no more want to go into the profession while at the same time during season you can't get anyone. Not even for obscene amounts of money.

    On top of all this, you're dealing with ... how do I put this nicely... a rather mafia-like system in place that keeps the number of companies that could actually offer solutions low. Most hotel software is crap. And most hotels would gladly choose something else, if they could. But for some odd reason those systems that are offered can be offered surprisingly cheap (it MIGHT have to do with some semi-public agencies (an Austrian concept, don't ask) that curiously prefer to fund and subsidize those products), while you would certainly not qualify for such subsidies. The cynic in me would add "at least 'til you find the right politician to pay the kickback to", but no, there is no corruption in Europe. None at all. Maybe in Italy, Spain and Greece, but certainly not in the "good" states in central Europe.

    So, now you have the basics in, let the rest sink in too. Like a fluctuation that's CRAZY. Average tenure of your workers is measured in weeks. Months if you're lucky. Training them is money you throw into the chimney, for the benefit of whoever they work for next. So if you think that you could raise awareness and give your workers an idea what to look for, ponder whether you'll still have that receptionist after the season is over. There is zero security awareness among your workers.

    Then the fact that you pretty much HAVE TO open every email you get, and that crappy spelling is something that doesn't faze you anymore because you're dealing with people from all over the planet, many of them wanting to boast just how well they speak your language when they actually don't. Some of them required to actually send you attachments for legal reasons, with the oddest formats you will ever encounter. In other words, the chance that some viewer for an esoteric format is installed and WAY out of date because nobody had a minute of time to update it in the past 3 months is likely.

    The situation is not easy and I was actually involved in a similar case where pretty much every solution we came up with ended up being shot down for one of these reasons (and some more, but I don't want to bore you more than necessary). Hotels are rather complicated beasts to secure. Twice so in Austria with its very ... special circumstances, legal oddities and seasonal requirements.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Are we done now berating him? by Anonymous Coward · · Score: 0

      Very well written & informative, thank you.

  10. DIY Cryptocurrency Mining... by Anonymous Coward · · Score: 0

    If you want to mine your own cryptocurrency, you need a motherboard with 19 PCIe 1X slots to plug in 19 GPUs and a couple of 1200W PSUs.