Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lock Out: the Austrian Hotel That Was Hacked Four Times (bbc.com)

Posted by msmash on from the who-would-have-thought dept.

AmiMoJo shares a BBC report: Christoph Brandstatter is managing director of the four-star Seehotel, Jagerwirt, in Austria's Alps. His hotel's electronic door locks and other systems were hacked for ransom four times, between December 2016 and January 2017. "We got a ransomware mail which was hidden in a bill from Telekom Austria." His hotel's door keys became unusable after he clicked on a link to his bill. So was his hard drive. "Actually, as a small business you do not really think that anybody's interested in you for hacking, so we had no plan what to do," he recalls. He paid a ransom of two bitcoins, saying "at that time it was about $1,882." He has now installed firewalls and new antivirus software, and has trained his staff to recognise phishing emails that may seem genuine but actually contain malware. And he's moved back to traditional metal keys.

30 of 53 comments (clear)

  1. get doors offline idiots! by sittingnut · · Score: 1

    all who want everything they have online, for no or trivial reasons, are asking for it. feel no sympathy for such idiots.

    1. Re:get doors offline idiots! by Moof123 · · Score: 1

      Agreed. Way too many things are becoming "smart" just for the same of it, but with almost no real increased utility.

      Why do I need my meat thermometer to be WiFi connected?!? Worse yet, why is it unusable without a connection. WTF?

    2. Re:get doors offline idiots! by phantomfive · · Score: 1

      The doors weren't online, the computer that was writing to the keys was online. That should have been offline too, but whatever.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:get doors offline idiots! by JaredOfEuropa · · Score: 2

      It's not about the smartness... electronic locks probably don't make much sense in your home, but in a hotel they are a godsent compared to old fashioned locks. But you might want to run the key management software (along with climate control, bookkeeping software and so on) on a separate workstation that is isolated from the Internet.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    4. Re:get doors offline idiots! by AuMatar · · Score: 1

      Because non-electronic doors are worse. With electronic door, you kill the key if it isn't turned in, and they can't get back into the room. With a physical key, you can trivially make a copy which will allow you access later- when someone else is renting the room. Electronic keys are safer for guests.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    5. Re:get doors offline idiots! by wardrich86 · · Score: 1

      Just run a separate network for the doors that has no access to the computers hooked into the internet.

    6. Re:get doors offline idiots! by Nidi62 · · Score: 1

      The doors weren't online, the computer that was writing to the keys was online. That should have been offline too, but whatever.

      All the hotels I've been to lately have what seems to be a standalone machine that programs the keys. Or are those hooked up to computers as well?

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    7. Re:get doors offline idiots! by Chan+Jav · · Score: 1

      Most systems are interfaced to the hotel's property management system. This is generally by serial, but now systems are IP based. The newer card encoders are also IP based. The workstations that are running the encoders and the key database should be dedicated workstations, but these are usually networked for support and management. Some vendors are better than others, the ones that don't let use join these to our domain cause the most issues because we loose the ability have have these centrally managed.

    8. Re:get doors offline idiots! by ctilsie242 · · Score: 1

      You are right on this. The simple concept of attack surface is the issue here. Offline, it takes physical access to a reader (which can be done), or physical access to the hotel network or the admin PC. Online, anyone in the world can attack it. Offline, police are relatively excellent at finding traces of a physical intruder and nailing them, while online, unless the person is extremely sloppy or they ticked off someone with enough money to hunt them down, they won't get caught.

      Physical security devices should never be allowed on the Internet, period. Firmware updates should be signed, downloaded through a SD card, and updated via a manual basis, with a way to undo the update should it foul things up. If Compaq Deskpros and ProLiant machines in 1995 could do this, then machines made 20 years later can be made to be far more secure. I like the idea of a deadbolt that can tell if it is open or not... perhaps with the ability to lock from remote (but never unlock), but even that can be a hazard, since a would-be thief who gets access can just set a poll and alert him/her when the door is unlocked for a certain period of time.

      I do agree for a hotel that keycards are a step above physical keying systems, but there can be a balance. Assa-Abloy has Abloy PROTEC2 locks with part of it being electronic (CLIQ). That way, there is both physical resistance to picking, as well as the ability to block a key from being used. This isn't cheap, but for a five star hotel, they can well afford a good locking system for their guests.

    9. Re:get doors offline idiots! by ctilsie242 · · Score: 1

      Both mechanical and electronic locks have good and bad points. A good mechanical system, if done by a locksmith who knows what they are doing with software to allow for proper keying, a lock mechanism that is reasonably high security [1] and allows a ton different keys, and quick responsiveness (if a guest leaves with a key, change the lock.) If this is done, the lock mechanism can be simple, yet very secure. I remember one place where when you closed the door, it threw the deadbolt, which was easily opened from the inside by the door knob. This lock couldn't be opened with a credit card.

      Electronic locks may be easier to "rekey", but instead of picking, there is bypassing, and there tend to be as many ways to bypass a certain model of electronic lock (if not more) as there are for mechanical locks. For a smaller place that can't really have a locksmith on duty, electronic locks (with everything kept offline) are arguably the best option, but for a five star place, maybe having a high security key to hand to a guest would be a better option.

      [1]: Most US door locks are shit. Five tumblers, maybe six. It actually is astounding why something like Medeco, Abloy PROTEC, Mul-T-Lock M3+, Evva MCS, or some other high security brand is not used as a standard. Even China has gone wild with dimple locks with at least 10+ security pins. When I mean high security, even something like Medeco3 which can be opened by a good locksporter would suffice, but the ideal would be an Abloy PROTEC2 or EVVA MCS where there are no known tools (other than a drill) to open the lock.

    10. Re:get doors offline idiots! by AuMatar · · Score: 1

      The guest doesn't need to leave with the key, they just need to make a copy. Are you going to change the lock between every 2 customers? No? Then electronics are more secure, for hotels (homes/businesses are a different set of problems).

      --
      I still have more fans than freaks. WTF is wrong with you people?
    11. Re:get doors offline idiots! by Opportunist · · Score: 1

      You think they have computers. No. They have computer. Singular. They have one computer handling the door keys, the room booking, the emails and most likely the bookkeeping, too.

      Why would you assume that a small hotel would have more than one computer?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:get doors offline idiots! by Opportunist · · Score: 1

      If entering a hotel room that isn't the one you're renting is your goal, the average electronic lock is more dear to you than the average mechanical one. Mostly because you don't even have to remake a key. All you really need in most cases is a strong magnet and knowing a thing or two about the lock.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Magnets! by HornWumpus · · Score: 1

    Many electronic locks contain an old school relay. These can almost all be opened by putting a good strong magnet it the right spot.

    Hotels should keep a supply of rare earth magnets, as backup keys.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    1. Re:Magnets! by Rockoon · · Score: 2

      I would think that these electronic locks have to "fail unlocked" if the power is cut.

      --
      "His name was James Damore."
    2. Re:Magnets! by DontBeAMoran · · Score: 3, Funny

      That's a good idea but... how do they fucking work?

      --
      #DeleteFacebook
    3. Re:Magnets! by tlhIngan · · Score: 1

      I would think that these electronic locks have to "fail unlocked" if the power is cut.

      Most actually aren't powered - they've got a pack of AA batteries in the back (facing inside the room) that powers the whole unlock mechanism. Presumably they send a signal back to the key controller if the batteries start to run low so guests don't encounter a lock that doesn't work.

      That way the cable that runs to each door is just a low voltage signalling cable that's incapable of carrying enough power for all the door locks.

    4. Re:Magnets! by TechyImmigrant · · Score: 2

      Many electronic locks contain an old school relay. These can almost all be opened by putting a good strong magnet it the right spot.

      Hotels should keep a supply of rare earth magnets, as backup keys.

      I once demonstrated this to a hotel staff member who couldn't get into the room next door. The irony was that I was staying at the hotel because there was a lock manufacturer's conference downstairs and half the people in the hotel were capable of bypassing the locks. I suspect the hotel member couldn't get in the door because the occupant had disabled the electronic lock. Spend a few hours with an electronic lock in a fixture on your desk and a screwdriver and you will learn how secure they are.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  3. Perhaps he should try ... by ei4anb · · Score: 2

    not connecting his email reading Internet browsing PC to his hotel door lock system?

    1. Re:Perhaps he should try ... by Archangel+Michael · · Score: 1

      In all likelihood, he only has no extra computer to spare. The Lock system is also booking, and email, and ....

      Bet that 2 Bitcoin ransom was about the cost of a new system that he was trying to no buy.

      "Good IT is expensive, bad IT is costly"

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:Perhaps he should try ... by freeze128 · · Score: 1

      "He has now installed firewalls and new antivirus software..."

      So, he didn't even have a firewall BEFORE?!?!?! That's your problem right there.

    3. Re:Perhaps he should try ... by Anonymous Coward · · Score: 1

      He should have brought the two Raspberry Pi Zero Ws instead. Maybe there could be a small business technology user association of sorts that would collaborative create solutions for problems, architectures and use cases for the "real-world" users like farmers, hotel and shop owners and the like.

    4. Re:Perhaps he should try ... by Opportunist · · Score: 1

      And you will go and make a system that the average computer illiterate can use? Because that's what you're dealing with here.

      You can rest assured that some clever markedroid sold him this system for lots of Euros and he bought it because it was one of the few where he actually understood at least the basic concept of how it works. Unless you have some neatly designed plastic boxes that house those RasPis so they don't look like scary computer stuff, he won't touch them.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Because you paid the ransom by twebb72 · · Score: 2

    He paid a ransom of two bitcoins, saying "at that time it was about $1,882."

    There's your mistake. Once your hack results in profit, it's easier to keep a 'customer' than find new ones

  5. Re:Uh, go with another Telecom company then? by DontBeAMoran · · Score: 1

    If it seems to be coming from the same email address as usual, the text of the email is the same as usual, the filename of the PDF is the same as usual... why would he be incompetent?

    Do you check the raw email log of EVERY SINGLE EMAIL that is sent to you?

    --
    #DeleteFacebook
  6. just wait for some to copy the metal key and some by Joe_Dragon · · Score: 1

    just wait for some to copy the metal key and some bad to happen.

  7. Re:Javascript to the rescue again! by FeelGood314 · · Score: 3

    I am endlessly frustrated by security companies and banks who's webs don't work without javascript enabled. I want to browse the web with javascript disabled but the companies that should be offering the most security are working against me. Why the hell are dark net sites run by just a few individuals more secure than my multi billion dollar bank?

  8. Just in case I'm the only one keeping track . . . by sgt_doom · · Score: 2

    . . . . to date, since 2012, the US gov't and private sector has been hacked over 3,270,000,000 (> 3 billion 270 million) times - - - and note, I typed OVER! So the exact number is still unknown.

  9. Re:Javascript to the rescue again! by AmiMoJo · · Score: 1

    Some banks seem to see JavaScript as a security enhancement. My banks both use the same off the shelf web interface, and it asks you for numbers from a secret code when you log in. That page maxes your CPU and responds very slowly to input, because of some JavaScript that is trying to break key loggers and browser exploits.

    Fortunately it works with JavaScript disabled.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  10. Are we done now berating him? by Opportunist · · Score: 4, Interesting

    I happen to know this case. And I happen to know security in hotels in general, and even in some in Austria in particular. Here's the problem, you're cordially invited to provide a solution.

    You're dealing with people that are total computer illiterates. And I mean total. They maybe learned a thing or two about using them, they might even have managed to navigate an ECDL course which is basically a glorified way of saying "I can turn on a computer without it instantly exploding", but their expertise and actual training is in something completely different. Many of them actually do not like computers AT ALL. They much prefer dealing with people, else they would not have chosen that occupation.

    These people are now chronically understaffed, overworked and stressed. They're supposed to greet people, hand them their keys, do bills, handle the phone and of course email. And no, simply hiring more people isn't possible, there are no more people you could hire. We're talking about a highly seasonal business where there are either too many or too few people available, hence no more want to go into the profession while at the same time during season you can't get anyone. Not even for obscene amounts of money.

    On top of all this, you're dealing with ... how do I put this nicely... a rather mafia-like system in place that keeps the number of companies that could actually offer solutions low. Most hotel software is crap. And most hotels would gladly choose something else, if they could. But for some odd reason those systems that are offered can be offered surprisingly cheap (it MIGHT have to do with some semi-public agencies (an Austrian concept, don't ask) that curiously prefer to fund and subsidize those products), while you would certainly not qualify for such subsidies. The cynic in me would add "at least 'til you find the right politician to pay the kickback to", but no, there is no corruption in Europe. None at all. Maybe in Italy, Spain and Greece, but certainly not in the "good" states in central Europe.

    So, now you have the basics in, let the rest sink in too. Like a fluctuation that's CRAZY. Average tenure of your workers is measured in weeks. Months if you're lucky. Training them is money you throw into the chimney, for the benefit of whoever they work for next. So if you think that you could raise awareness and give your workers an idea what to look for, ponder whether you'll still have that receptionist after the season is over. There is zero security awareness among your workers.

    Then the fact that you pretty much HAVE TO open every email you get, and that crappy spelling is something that doesn't faze you anymore because you're dealing with people from all over the planet, many of them wanting to boast just how well they speak your language when they actually don't. Some of them required to actually send you attachments for legal reasons, with the oddest formats you will ever encounter. In other words, the chance that some viewer for an esoteric format is installed and WAY out of date because nobody had a minute of time to update it in the past 3 months is likely.

    The situation is not easy and I was actually involved in a similar case where pretty much every solution we came up with ended up being shot down for one of these reasons (and some more, but I don't want to bore you more than necessary). Hotels are rather complicated beasts to secure. Twice so in Austria with its very ... special circumstances, legal oddities and seasonal requirements.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.