Open Millions of Hotel Rooms With Arduino

Unknown Lamer posted about a year and a half ago | from the do-not-disturb-taken-as-challenge dept.

Security 268

MrSeb writes with an excerpt from Extreme Tech about a presentation at Black Hat: "Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms. This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who didn't disclose the hack to Onity before going public, there is no easy fix: There isn't a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed. I wish I could say that Brocious spent months on this hack, painstakingly reverse-engineering the Onity lock protocol, but the truth — as always, it seems — is far more depressing. 'With how stupidly simple this is, it wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments,' says Brocious. 'An intern at the NSA could find this in five minutes.'"

268 comments

Well, that's it! (5, Insightful)

camperdave (969942) | about a year and a half ago | (#40763781)

Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms.

Well, that's it! There's only one thing we can do... outlaw Arduinos

As usual however (-1)

Anonymous Coward | about a year and a half ago | (#40764859)

Cody Brocious is now a criminal for pointing to this faulty lock. Whereas the snakeoil sellers (Arduino) are rich and can laugh at the thousands of hotels that have bought their silly key for millions of dollars...

If there were any justice, they would be thrown in jail now, for selling that kind of false security. But alas, the United States of Dollarbills are not known for that kind of justice...

Re:As usual however (4, Funny)

gblackwo (1087063) | about a year and a half ago | (#40764921)

You have until the end of the day to gather your things and turn in your geek card.

Lock the door when inside (1)

Anonymous Coward | about a year and a half ago | (#40763783)

I always lock the door when I'm sleeping. Hopefully your hotel at least has a safe in the room to reduce your chances of property theft when you're away.

Re:Lock the door when inside (5, Funny)

Iniamyen (2440798) | about a year and a half ago | (#40763847)

Don't fret, most hotel rooms have safes secured by Onity programmable key card locks.

Re:Lock the door when inside (2, Insightful)

magarity (164372) | about a year and a half ago | (#40763927)

Obviously that person meant the chain lock that's separate from the key card lock. I hope not just the deadbolt; the ones built in to hotel key card lock mechanisms can be opened by the master key card. Not the ones the housekeepers carry but the one the chief maintenance guy keeps in his office. One assumes this hack can open the bolt as well as the regular latch.

Re:Lock the door when inside (1)

Anonymous Coward | about a year and a half ago | (#40764019)

Read it again. He mentioned safes, separate from the door lock.

Re:Lock the door when inside (2)

ChunderDownunder (709234) | about a year and a half ago | (#40764203)

I've stayed in €20/night hostels where key cards served dual purposes.

Shared dormitories had individual lockers for each inhabitant. Multiple key cards would open the room but each only a single locker.

In this situation, a 'housekeeper exploit' could possibly find the locker code compromised, even if the room code remained secure.

Re:Lock the door when inside (4, Funny)

specific (963862) | about a year and a half ago | (#40764423)

I've never hacked an Onity programmable key-card lock, but I did stay in a Holiday Inn Express last night.

Re:Lock the door when inside (4, Funny)

Critical Facilities (850111) | about a year and a half ago | (#40764743)

the chain lock that's separate from the key card lock

Or according to Jon Stewart - "I have a chain lock on my door that says to criminals 'you're not getting in here......unless you push....kind of hard....with your hand'."

Re:Lock the door when inside (5, Informative)

h4rr4r (612664) | about a year and a half ago | (#40763921)

Many of those safes have backup passwords, hotels generally do not change the default one.

Re:Lock the door when inside (5, Informative)

SilverJets (131916) | about a year and a half ago | (#40764425)

You mean those safes where hotel staff have a master code that unlocks them in case the guest forgets the code they set? Those safes?

I wouldn't have either (5, Insightful)

Anonymous Coward | about a year and a half ago | (#40763791)

When the guys share these hacks with the companies ahead of time, they tend to get sued or get their presentations cancelled by the vengeful corporations. They're better off not disclosing these things ahead of time.

Re:I wouldn't have either (2)

plover (150551) | about a year and a half ago | (#40764577)

Their presentations may or may not get suppressed, but this approach pretty much ensures he will get sued.

Worse, in his paper he uses an example of framing a hotel employee for murder! While dramatizing the vulnerability is not uncommon amongst hackers looking to draw media attention to the seriousness of their claims, suggesting a plan for murder is a really, really poor choice. The consequences of this could be even higher than the civil penalties of a lawsuit.

Re:I wouldn't have either (4, Funny)

TheCarp (96830) | about a year and a half ago | (#40764817)

That is, unless he is planning to use the Basic Instinct Defense "What, do you think I am stupid enough to publish details of how a murder could be committed, by anyone, using these devices, and then do it myself?"

Though, if he tries it, I hope he remembers, the short white dress and no underwear is key to making it work.

Re:I wouldn't have either (3, Interesting)

rvw (755107) | about a year and a half ago | (#40764595)

When the guys share these hacks with the companies ahead of time, they tend to get sued or get their presentations cancelled by the vengeful corporations. They're better off not disclosing these things ahead of time.

Plus in this case, what could Onity have done? They cannot create an update that is automatically downloaded and installed over the next month onto those locks, like with Windows or Flash. If they knew about this before, and had a proper fix for it, then they would have to communicate it to thousands of hotels, and that would result in disclosure as well.

Re:I wouldn't have either (4, Insightful)

Yvanhoe (564877) | about a year and a half ago | (#40765083)

Onity sells fake security. They are the ones who should be sued by their thousands of clients. If you sell security, you have to be good at it.

Room Safe = Safe Room (0)

Anonymous Coward | about a year and a half ago | (#40763881)

No problem. When an Arduino-wielding intruder bursts in, just take shelter in the programmable-code safe bolted to the closet floor. No way anyone could ever figure out how to reverse engineer the lock on that puppy.

Reliable? (4, Informative)

Slippery_Hank (2035136) | about a year and a half ago | (#40763923)

From TFA: He tested this hack on three randomly chosen hotel room doors, failed to open any. Had to stop to reprogram the device, and then managed to open one of the doors. I'll stick to being worried about corrupt security guards.

Re:Reliable? (5, Insightful)

Anonymous Coward | about a year and a half ago | (#40764057)

From TFA: He tested this hack on three randomly chosen hotel room doors, failed to open any. Had to stop to reprogram the device, and then managed to open one of the doors. I'll stick to being worried about corrupt security guards.

Proof of Concept != Final Version

Re:Reliable? (1)

garcia (6573) | about a year and a half ago | (#40764519)

I'll stick to being worried about corrupt security guards.

Or, as in my case on two different occasions, asking the cleaning personnel to open my door because I got locked out while going to get ice.

But seriously, who leaves shit in their rooms at hotels anyway? The hotel safes can be opened with 0000 or 9999 most often and with staff members making minimum wage, the chance of theft is high.

When I'm traveling, all of my items of any real value come with me (laptop, phone, wallet, money, prescriptions) and if they want to steal my shitty clothing and toiletries, so be it.

Re:Reliable? (1)

Dcnjoe60 (682885) | about a year and a half ago | (#40764741)

When I'm traveling, all of my items of any real value come with me (laptop, phone, wallet, money, prescriptions) and if they want to steal my shitty clothing and toiletries, so be it.

And when you are at Disney World, the pool, the fitness center or the bar, how does lugging that laptop around go?

Re:Reliable? (1)

garcia (6573) | about a year and a half ago | (#40765125)

I never had a single problem with it (and I did exactly all of those things when I was at WDW for a conference in April).

Re:Reliable? (1)

AvitarX (172628) | about a year and a half ago | (#40765291)

Good for you, when I travel for work my 2 items of any real value are my clothes and my work product.

I lug a copy of work product with me (on a 2.5 inch hard drive), and leave one at the room.

When I'm away for weeks at a time, I tend to have a few suits, these combined definitely are worth more than my laptop. And I can't exactly lug them around.

the laptop is easily replaceable, and the software install while busy would suck, but is only a few hours.

Re:Reliable? (2)

gwolf (26339) | about a year and a half ago | (#40765309)

My experience in the last hotel where I stayed:

Got out of the pool, wrapped in a towel, went to the desk.
– Oh, ma'am, I'm sorry, I guess I forgot my key in the room. Can somebody open the room for me? It's 104
– Don't worry, click-click-swipe. Here is a new key for you. Cheers!

How hard is this system to abuse?

A bit of hyperbole... (5, Insightful)

kaizendojo (956951) | about a year and a half ago | (#40763929)

When demonstrated for the reporter, the hack only worked on *one* out of *four* of the doors tested in a REAL hotel, and then only on the second attempt after Brocious fine tuned and tweaked his software. Also, this can be defeated by simply using any one of the mechanical locks on the door.

The bottom line is that if you aren't using the mechanical bolt or slide lock when staying at *any* hotel, you were vulnerable way before this hack. Keep in mind that there are plenty of AUTHORIZED users of master card keys on the hotel staff.

Re:A bit of hyperbole... (5, Insightful)

SkimTony (245337) | about a year and a half ago | (#40763955)

When a hotel staffer uses a master key card, it's logged (the security system notes which key was used when). Presumably with this hack, that isn't necessary. Also, the ability to open the doors on 25% of hotel rooms is still a concern.

Re:A bit of hyperbole... (5, Interesting)

Anonymous Coward | about a year and a half ago | (#40764445)

Does Onity offer centrally logged door units?

99% of the shit I've worked with at hotels (from an installation POV) just checks that the mag card has a particular number in track 3. They're dumb as fuck.
Putting the word "ADM" in track 2 unlocks most of the doors in many hotels. Sad but true fact.

Auditing (4, Insightful)

nastav (2611511) | about a year and a half ago | (#40763995)

All locks can be defeated with enough effort. The goal often is to make it obvious that a lock was defeated - by leaving an electronic trail or a physical one (a broken door, for example). Akin to silent data loss, silent compromise of a lock is much, much worse.

Re:A bit of hyperbole... (1)

Anonymous Coward | about a year and a half ago | (#40763997)

You can get into 95% of hotel rooms (I'm familiar with Saflok) that are latched shut and deadbolted with nothing more than a simple tool (think coathanger & wire) to reach under the door and pull down the inside door handle; this will disengage the deadbolt. Saflok won't tell you this :) Security through obscurity.

Re:A bit of hyperbole... (5, Insightful)

Anonymous Coward | about a year and a half ago | (#40764009)

The bottom line is that if you aren't using the mechanical bolt or slide lock when staying at *any* hotel, you were vulnerable way before this hack.

That might work if you're *in* the room. What if you need to venture outside?

Re:A bit of hyperbole... (3, Insightful)

camperdave (969942) | about a year and a half ago | (#40764067)

The problem with using the mechanical bolt or slide lock is that they must be operated from *INSIDE* the room. I don't know about others, but when I'm staying at a hotel it is because I am attending a conference or something, so most of the time I am not inside the room. So the deadbolt or chain lock does nothing. If a bad guy wanted in while someone was inside, all he would have to do is knock on the door and say "Hotel security. Open the door, please".

Re:A bit of hyperbole... (1)

chrismcb (983081) | about a year and a half ago | (#40764491)

all he would have to do is knock on the door and say "Hotel security. Open the door, please".

The hotel has a voice activated door? Cause otherwise I don't quite understand how claiming to be hotel security causes the door to open.

Re:A bit of hyperbole... (1)

cpu6502 (1960974) | about a year and a half ago | (#40764795)

>>>Cause otherwise I don't quite understand how claiming to be hotel security causes the door to open.

Because you can't read.
If a bad guy wanted in while someone was inside, all he would have to do is knock on the door and say "Hotel security. Open the door, please". I had this happen to me one time except it was a cop. I refused to open the door, so the cop went across the aisle to the neighbor instead (the source of a marijuana smell).

Re:A bit of hyperbole... (1)

mr1911 (1942298) | about a year and a half ago | (#40764969)

Because you can't read.

Did you hear that loud "whoosh" noise?

The point is that someone knocking on the door and saying "Hotel security. Open the door, please" only works when the person in the room is a complete moron.

Re:A bit of hyperbole... (1)

Anonymous Coward | about a year and a half ago | (#40764075)

So.....when you stay in a hotel, you STAY IN THE HOTEL, am I right? Or do you sometimes leave your room to do whatever business or tourism brought you away from home in the first place? The slide bolt you mention only protects you while you are in the room. What's to stop a nasty person with this keyhack from waiting until you're out, and then accessing your room to steal stuff / plug a keylogger dongle on your laptop / install a spycam in your shower?

Posted AC for obvious reasons.

Re:A bit of hyperbole... (1)

alen (225700) | about a year and a half ago | (#40764255)

the only time to leave something valuable in the safe is jewelry when you go to the pool. otherwise you take your phone, wallet and other valuables with you

unless you're a secret agent and need to lock up your top secret spy info. laptops are cheap and any secret data should be encrypted anyway or stored in da cloud

Re:A bit of hyperbole... (0)

Anonymous Coward | about a year and a half ago | (#40764557)

Really? I travel for work a lot, and stay in chain hotels that use programmable key cards. I will take all my junk out to the customer's site during the day, then head back to the hotel, shower, change, then leave my work laptop and work phone charging in the room while I go out and find something to eat. I don't think this is particularly unusual behaviour.

Laptops might be "cheap" in your world, but I know I wouldn't like to have one stolen. Besides, if someone has physical access, they could install a hardware keylogger (I'm sure small devices that fit inside the laptop exist) and then come back the next day to pick it up again. Same with sneaky webcams: Position one in the room to either get video of me watching shitty hotel porn to upload to sadlonelyhotelroomdudevoyeur.com, or video of me typing in my passwords. Return next day to collect the spy hardware and its data. To brush off having physical access to a supposedly secure physical space is absurd.

Also, I don't like the idea of some creepy asshole rummaging through my stuff and masturbating into my used socks, thanks very much.

Posted AC for obvious reasons.

Re:A bit of hyperbole... (1)

Grundibular (2693025) | about a year and a half ago | (#40764851)

What's to stop a nasty person with this keyhack from waiting until you're out, and then accessing your room to steal stuff

or waiting for you to come back...

Re:A bit of hyperbole... (1)

alen (225700) | about a year and a half ago | (#40764097)

not only that but every hotel has cleaning people on every floor every day. there are cameras everywhere in common areas. a person loitering outside a door will not only be on camera but any maid can call it in to security.

security is the whole system, not like every individual piece has to be 100% secure

that's why stock iphones have never had a big security issue. iOS by itself is not 100% secure but combine it with the app store and the apple ecosystem and there has never been a big malware incident

Re:A bit of hyperbole... (1)

Dcnjoe60 (682885) | about a year and a half ago | (#40764775)

iOS by itself is not 100% secure but combine it with the app store and the apple ecosystem and there has never been a big malware incident

You mean other than iOS itself, right? :)

Re:A bit of hyperbole... (0)

Anonymous Coward | about a year and a half ago | (#40764903)

not only that but every hotel has cleaning people on every floor every day. there are cameras everywhere in common areas. a person loitering outside a door will not only be on camera but any maid can call it in to security.

security is the whole system, not like every individual piece has to be 100% secure

So Cody should've dressed up as a maid during the demo?

Re:A bit of hyperbole... (1)

h4rr4r (612664) | about a year and a half ago | (#40764105)

How do I use this slide lock when I leave my things in the room but I wish to leave?

Should I hire someone to operate that for me?

Re:A bit of hyperbole... (1)

mblase (200735) | about a year and a half ago | (#40764239)

Also, this can be defeated by simply using any one of the mechanical locks on the door.

...which you can only employ if you're actually in the room, which thwarts most burglars anyway.

Re:A bit of hyperbole... (0)

Anonymous Coward | about a year and a half ago | (#40765439)

I don't think the point of this was to get the hotels in trouble, I think the point was to make lock manufacturers have to face higher standards.

swedish supermodels beware (5, Funny)

tekrat (242117) | about a year and a half ago | (#40763941)

Geeks now have the ability to get into your hotel room while changing into your bikini...

But why would a geek be changing into your bikini?

Re:swedish supermodels beware (3, Funny)

Chas (5144) | about a year and a half ago | (#40763991)

Basically it's the perfect armor.

Some 500 pound guy in a thong is so horrific that you simply can't look at it long enough to aim and shoot.

That and the whole Cthulhu-esque "I stared into madness and madness stared back" aspect.

Re:swedish supermodels beware (0)

Anonymous Coward | about a year and a half ago | (#40765299)

I don't know about that. That might cause some people to shoot and keep shooting... And the judge and jury might agree that it was not such an unreasonable thing to do given the circumstances...

Re:swedish supermodels beware (1)

rvw (755107) | about a year and a half ago | (#40764653)

Geeks now have the ability to get into your hotel room while changing into your bikini...

But why would a geek be changing into your bikini?

Hey! I don't have a bikini! Let's be clear about that!!!

(And think of this: a geek who is changing into the bikini of another geek?!?! Or are we talking about two female geeks here?)

Re:swedish supermodels beware (1)

camperdave (969942) | about a year and a half ago | (#40765295)

Hey! I don't have a bikini! Let's be clear about that!!!

You mean... those are tan lines?

What happened to responsible disclosure? (5, Insightful)

nastav (2611511) | about a year and a half ago | (#40763951)

It's easily and effectively argued that security through obscurity does no one any good, but responsible disclosure is still widely considered to be a good practice. Supposing a vendor is willing to fix their serious bugs, it really helps in preventing large scale attacks between the time of disclosure and reaction (by the vendor). If Onity had been willing to replace all its locks over a short period of time (say, 6 months) at massive cost to itself - but nevertheless done it to protect its long term reputation, it makes a lot of sense to give Onity that opportunity without outing the flaw. It's unlikely that such a large-scale replacement of locks would have been pursued, but giving Onity an opportunity to consider that option would have been responsible. It helps Onity, but it also helps customers of Onity (like Hotels who might have chosen to replace their locks, or individuals who might ask questions before going to a particular hotel). Now everybody knows it can be done, and many will try. Sure, an NSA intern could have figured it out, but the fact remains that it was not being massively exploited for large-scale robberies, for example. Targeted exploits are bad - no doubt - and I'm sure some of this was already going on, but there isn't much doubt that the sum total of targeted exploits does less bad than what might happen now - namely large scale exploits. I suppose I'm arguing that security-through-obscurity does work - but in a targeted and limited fashion - as to provide cover for short durations when real security is pursued. It may not work, but it's worth a try - and by going public before giving Onity a chance to pursue a 'fix', this researcher has, in my books, acted against public good.

Re:What happened to responsible disclosure? (4, Insightful)

epine (68316) | about a year and a half ago | (#40764441)

If Onity had been willing to replace all its locks over a short period of time (say, 6 months) at massive cost to itself - but nevertheless done it to protect its long term reputation, it makes a lot of sense to give Onity that opportunity without outing the flaw.

Responsible disclosure is a fair response to a responsible failure. Few of these that make the news are responsible failures. Chisellers dressed up in security theatre profiting from their faux contrivances while playing this stupid game of harassing the bearer of bad news, as if the bearer of bad news is an indentured, unpaid employee.

I understand the source of this faux reverence for charlatans much better after reading God is not Great. Scientology was a crock from day one, but now that so many gentle and naive souls have absorbed this crockery and imbued it with deep personal meaning, those of us who are deeply offended by the shitbag Hubbard are supposed to subside into polite silence. I asked myself after reading Hitchens: Why do I sit around keeping a respectfully stiff upper lip about xemufascism? To hell with that.

Banks should not be bailed out of bad loans, and security professionals should not be bailed out for chrome-plating obscurity. When the mistake is subtle enough to make a patent examiner's head explode, I'm all for responsible disclosure. Either pass the bar, or don't let the door hit you on the way out.

Re:What happened to responsible disclosure? (1)

Lithdren (605362) | about a year and a half ago | (#40764461)

I'm fine with this point of view if it can be assured the person going to the company first won't then get sued for what they've exposed as a flaw.

The way things are now, you're more likely to get sued and shut up by a court order before you could tell anyone else. At least this way, the public is aware of the issue before they get sued. If anything, this assures the public is served important information and does more for public good than going to the company directly.

I'm not saying this company would act this way, but since there's nothing protecting you there's no way to know beforehand. So might as well go with the lesser of two evils, rather than hoping for the best.

Re:What happened to responsible disclosure? (3, Interesting)

plover (150551) | about a year and a half ago | (#40764925)

In this case he took it upon himself to decide that "there is no possible fix therefore responsible disclosure won't help." But we don't know for sure that the company can't fix the problem with some kind of software update - that's simply his claim. If there is a way to update the EEPROM, any way at all, then a software update could have fixed the problem. Sure, it would be a breaking change to the existing card key systems, but it might not entail a hardware fix to millions of hotel room doors. This guy never gave them that chance.

Notification would have enabled the company to create an update plan, to order a million new circuit boards, to redesign the protocols, to schedule repair crews, to do whatever it took to fix the problem, and to have all that stuff prepared before his disclosure. No matter who they are and how badly they want to fix the problem, this is a year long process at least. Now, during that entire year, bad guys with Arduinos will have full access to unoccupied hotel rooms.

And he's going to get sued into the next millennium. Not only are the plaintiffs going to use arguments like the above, but they're also going to drag his business dealings into it. They're going to make claims like "he's disgruntled because his business venture failed, and he did this out of spiteful retaliation." They're going to throw so much trash at him that I'm not sure even Johnnie Cochran would have been able to get him out of trouble.

Re:What happened to responsible disclosure? (3, Informative)

icebike (68054) | about a year and a half ago | (#40764573)

He didn't reveal the actual hack, he only demonstrated that one exists.

Further, there are already several instances of people being sued into silence after responsible disclosure.

Further, the problem cannot be fixed, and replacement of all locks worldwide would be so expensive and time consuming that it would never be done in response to responsible disclosure.

The probable outcome here is that the lock maker buys more insurance and sends a memo to customers offering a discount on new and improved locks. Which will be ignored by virtually all hotels.

Responsible disclosure would serve no purpose in this instance.

Re:What happened to responsible disclosure? (1)

wvmarle (1070040) | about a year and a half ago | (#40764955)

The hacker has announced that the complete hack will be revealed, source code and all, on his web site soon.

Re:What happened to responsible disclosure? (0)

Anonymous Coward | about a year and a half ago | (#40764597)

This is not a vulnerability, this is intentional insecure design. Onity deserves to be punished as hard as possible for defrauding its customers. I think that in this case releasing early was the most responsible thing to do.

Re:What happened to responsible disclosure? (0)

Anonymous Coward | about a year and a half ago | (#40764637)

Why should I give you [the company responsible] notice of my work? You aren't paying me to provide you with security consultation. I have no obligation to provide you with that information.

-Sparksis

Re:What happened to responsible disclosure? (2)

Hatta (162192) | about a year and a half ago | (#40764999)

responsible disclosure is still widely considered to be a good practice.

Responsible disclosure will inform those vulnerable as soon as possible, so they can take steps to mitigate. There's nothing responsible about keeping a security flaw secret.

Re:What happened to responsible disclosure? (2, Insightful)

Anonymous Coward | about a year and a half ago | (#40765395)

responsible disclosure is still widely considered to be a good practice.

As another poster has mentioned, responsible disclosure has been punished in the past, by the original disclosee using the courts to prevent the later presentation.

When the courts did not punish these parties for

  1. abusing the court system to prevent presentations
  2. shooting messengers
  3. undermining responsible disclosure

the court system effectively took an anti-responsible-disclosure position. This guy is just going along with the government's opinion that responsible disclosure is a bad idea and force should be used to discourage people from doing it, because it's better to surprise an industry and userbase with a sudden security threat. As mentioned, a very credible and likely alternative is that he could have been sued by the vendor for telling them about the problem prior to the presentation.

And of course, there's the other point, which is that most people who would take advantage of this hole, probably already knew about it.

Here's how it can be fixed. Some people do still use responsible disclosure. It's not dead; it's just risky and didn't happen in this case. I want to see the Right Thing happen when a vendor mis-handles it. If they sue the bad-news-bearer or sue to prevent a presentation, and the court responds with serious sanctions, so that the suing company's equity holders lose all their equity (and maybe some personal assets as well) as a direct result of their legal aggression, then responsible disclosure will become a viable practice.

Telling your lawyer to write a nasty letter, needs to become a risky thing to do, only done when someone is sure they're right. People who do that in bad faith, knowing they will cause expense or inconvenience for the innocent party that the nasty letter is aimed at, need to lose. We need to enact policies which cause them to lose. And you can't have responsible disclosure be a widely-used strategy, without these new policies.

Stop physical access (1)

Anonymous Coward | about a year and a half ago | (#40763979)

Just like paranoid IT departments physically blocking USB ports, you can fill that DC port with glue if you're a concerned guest. Not a popular move with the hotel though, I'm sure.

I'm sure the government has easier ways (1)

AC-x (735297) | about a year and a half ago | (#40763981)

If true it's a pretty poor show by Onity, but I'm sure governments have had plenty of success simply forcing, tricking or bribing the hotel desk or cleaning staff into opening the rooms for them. I'm pretty sure that all the US government would have to do is turn up with a warrant and be given access to any room they like regardless of the type of lock used.

Re:I'm sure the government has easier ways (5, Insightful)

Maximum Prophet (716608) | about a year and a half ago | (#40764139)

Silly Reader, warrants are so 20th century. These days, they just show a letter, that you can't discuss with anyone, citing a "secret" law. Yes, it's unconstitutional, but if you're a $12/hour clerk, and the guy with the gun is asking, are you going to make a fuss?

Re:I'm sure the government has easier ways (4, Insightful)

gstoddart (321705) | about a year and a half ago | (#40764349)

I'm pretty sure that all the US government would have to do is turn up with a warrant and be given access to any room they like regardless of the type of lock used.

With a warrant, you can do practically anything, because a judge has signed off on it.

It's what they can do without warrants that scares me.

Re:I'm sure the government has easier ways (1)

SkimTony (245337) | about a year and a half ago | (#40764417)

The key is silent access, as another poster mentioned. If hotel staff use the master key-card, that's logged to the security system. If police show up with a warrant, that warrant is part of the public record (in most cases) and shows up in the police logs. In any of those cases, there's a way to know about the breach nearly as soon as it happened. With this crack, there's no record that the security system was defeated, which makes recovery even more difficult. Consider the following:
a) Something was taken from your hotel room. You're insured (or the hotel is). If there were physical or digital evidence of a break-in, the insurance paperwork is probably a lot simpler.
b) Someone is being tricky. They decide to use your room to store some drugs (for example). Signs of forced entry? You have a case. No sign of any entry besides yours? You're going to prison.

Wrong (3, Insightful)

Belial6 (794905) | about a year and a half ago | (#40764109)

Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the hole with an exterior lock. Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only needs to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.

Re:Wrong (0)

Anonymous Coward | about a year and a half ago | (#40764837)

You might want to take a look at the paper or presentation. The crypto used by these locks is also a problem.

Re:Wrong (3, Informative)

wvmarle (1070040) | about a year and a half ago | (#40765061)

Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole.

And you can't recharge the battery any more - so sooner or later your lock is going to be out of service.

Cover the hole with an exterior lock.

Probably impossible as the current casing has not been designed for that; and anyway they all will end up with a single physical key: copy that and you're good. And anyway this requires a physical modification to the lock, likely the whole outer casing, not much less work than replacing the whole lock.

Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only needs to handle NOT letting you read the memory.

That is equivalent to changing out the main board of the lock. Which is probably more practical: it is not likely this lock has any space inside to install an extra board inside. Besides considering how modern devices are designed, replacing the lock is probably easier to do than replacing or adding a circuit board. Which is definitely not something your run-of-the-mill handyman can do.

Re:Wrong (0)

Anonymous Coward | about a year and a half ago | (#40765117)

There are several ways to fix this without replacing the entire lock. Fill the hole.

Sigh..

The 'hole' is used for charging the lock's battery.

Re:Wrong (3, Insightful)

pepty (1976012) | about a year and a half ago | (#40765181)

Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the hole with an exterior lock.

That port is used to recharge the battery in the lock.

Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only needs to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.

The board itself is probably cheap; removing the port from the board and soldering in a new daughter board/port would be expensive. I don't see any advantage to that over replacing the whole board, which is what the article ("New circuitboards will have to be installed in every affected lock,") actually suggests.

Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware.

Brocious's full-time job was to reverse engineer Onity's locks and front desk systems for a startup; he probably knows whether the lock has upgradable firmware.

Image (5, Interesting)

firewrought (36952) | about a year and a half ago | (#40764143)

The hacker has (in his picture for the Forbes article) unkempt hair and a T-shirt that says "It's Fun To Use Learning For Evil!". I realize Black Hat has this whole counterculture thing going, guys, but would it kill you to put on the veneer of respectability? Geez... this guy looks like a cliche movie hacker lackey.

You know that your intentions are honorable, that you wouldn't (for instance) rob a hotel room, and that maybe you are part of the process by which society gets stronger over the long run, but the audience of Forbes is predisposed to see you as a shady menace (or cost multiplier). And the audience of Forbes has more real influence to pass laws that restrict or limit access to your favorite toys (prior examples being some telephony tools, radio electronics, lockpicks, encryption software, etc.).

It sounds silly, but a clean shave and a button-down is how you say "I'm one of the good guys" to this crowd (or the general public, actually).

Re:Image (0, Funny)

Anonymous Coward | about a year and a half ago | (#40764319)

How is your lawn coming along granddad?

Re:Image (0)

Anonymous Coward | about a year and a half ago | (#40764489)

Being that the "proper" people determine "laws" and the "counter culture" folks are the people getting things done, I generally try to appeal to: neither.

(I feel sorry for you if you think that someone sitting in a congressional seat in your "wonderful" country holds any real power. It's a pretty good facade they've pulled over that entire culture's eyes!)

"Good for economic policy" and "what other people want to hear" are no ways to live your life. If you so choose to follow in the footsteps of the bat-shit-insane: be my guest. Don't try and convince others they should follow you though.

Re:Image (0)

Anonymous Coward | about a year and a half ago | (#40764935)

Not quite. If you choose to present this information looking like one of the suits, they'll subconsciously think you're one of them and assume the answer is "pay him off to sweep the problem under the rug (after a few months of meetings, of course), it's cheaper than fixing things".

Looking like that, the message is more accurately "get to work, since the next one might not go public like this, kthnxbye".

Re:Image (1)

Hatta (162192) | about a year and a half ago | (#40765053)

would it kill you to put on the veneer of respectability?

Would it kill you to judge people based on their acts and not their appearances?

Not just hotel rooms (0)

Anonymous Coward | about a year and a half ago | (#40764159)

At my university, they use Onity door locks for the dorm rooms. While the unreliability may make this inefficient for hotel burgling, targeted thefts in the dorm may be an issue...

Re:Not just hotel rooms (0)

Anonymous Coward | about a year and a half ago | (#40764639)

My old university uses the same Onity system. I worked for the Housing department and had to work with the very non-tech-savvy Facilities employee who oversaw the whole keycard operation. The technical experience of the person managing their system makes me much more nervous than the thought of someone being able to open any door on a whim.

Although, Onity is only used for the dorm room doors. All the external doors use HID Andover so a non-resident can't just walk in and start robbing.

Re:Not just hotel rooms (0)

Anonymous Coward | about a year and a half ago | (#40764943)

Although, Onity is only used for the dorm room doors. All the external doors use HID Andover so a non-resident can't just walk in and start robbing.

What a relief. I was worried any moron off the street could get to your Onity door. I'm glad to hear only CS majors in your building can get to it. That should cut down on the risk.

Re:Not just hotel rooms (2)

PPH (736903) | about a year and a half ago | (#40765311)

That just means some hot female coed will have her room broken into and her MacBook stolen while she is asleep. And she'll never be woken up.

One in three doors (1)

Jim Hall (2985) | about a year and a half ago | (#40764253)

I read about this on BBC News [bbc.com] this morning, and two things struck me:

1. "In tests Mr Brocious conducted with Forbes news site, the system did not prove entirely successful - only one of the three doors, at three hotels in New York, opened." So it doesn't work everywhere, but it's a good proof of concept. From the above ExtremeTech article: "Brocious found that he could simply read this 32-bit key out of the lock’s memory. No authentication is required ... By playing this 32-bit code back to the lock ... it opens." While Brocious seems to have taken this only to the demonstration stage, I'm sure others (CIA? MI5?) have made this method more reliable. It just seemed to me that Brocious is assuming this method applies everywhere, and possibly oversold it.

2. He didn't share this with the hotel lock vendor, Onity. While he's certainly not required to share that info with Onity, it seems a bit shady to only release the information publicly at a blackhat conference, and force the vendor to respond to it after the hack is "in the wild." I wonder if he was worried that if he shared the vulnerability with Onity beforehand that it would take away some of the "thunder" from his presentation. Or maybe it's simply less cool to say to a blackhat convention "I shared this with the vendor, and they're working on it."

Re:One in three doors (0)

Anonymous Coward | about a year and a half ago | (#40764841)

2. He didn't share this with the hotel lock vendor, Onity. While he's certainly not required to share that info with Onity, it seems a bit shady to only release the information publicly at a blackhat conference, and force the vendor to respond to it after the hack is "in the wild." I wonder if he was worried that if he shared the vulnerability with Onity beforehand that it would take away some of the "thunder" from his presentation. Or maybe it's simply less cool to say to a blackhat convention "I shared this with the vendor, and they're working on it."

Understandable, and I really wish he did do it that way, but there's also the fact that there's been a history of those companies coming down on people like that with an army of lawyers to silence them via lawsuits before this information can go public (therefore allowing the company to save face and/or just hope to sweep it under the rug). Since Onity's entire business is now at risk thanks to this data (and it's apparently very very widespread in hotels), the chance they would've tried to silence the guy and destroy his life via litigation is phenomenally high.

Locks only keep honest people out. (2)

cgfsd (1238866) | about a year and a half ago | (#40764311)

Like the old saying goes, locks only keep honest people out. If someone wants to get into something, given enough time and resources there is nothing that will keep them out.

Most Gov't are Aware Already (1)

Anonymous Coward | about a year and a half ago | (#40764321)

When you look at something like the Mossad Assassination of Mahmoud Al-Mabhouh in Dubai it seems clear that gov't agencies around the world are already well versed in hacking these locks. The hacks seem no more sophisticated than ATM skimming and hacking. I'm surprised there aren't more of these devices available for sale already.

Surprise! (0)

Anonymous Coward | about a year and a half ago | (#40764531)

who didn't disclose the hack to Onity before going public

Excellent. I am sick and tired of the bad guys trying to use legal muscle to prevent talks from occurring. How many Black Hat talks have been cancelled this way already? This is what you get. People will not tell you and just do their talk.

Like the opening scene in a movie (1)

mattr (78516) | about a year and a half ago | (#40764609)

If he is always itching to disclose, who would ever hire him?
Answer: the wrong people. Not that it sounds like his skills are so great.
I'd be worried about his safety, next time.

Legacy robberies (1)

Grundibular (2693025) | about a year and a half ago | (#40764703)

There may be quite a number of people who have had items stolen from rooms "secured" by these locks now wondering what really happened. I also wonder whether there are any fired hotel staff who have been wronged in this. As Brocious points out, the hack is rather trivial and he's unlikely to have been the first/only person to have figured it out. Brocious > Onity : Oops I accidentally your whole business.

The standard lock response (0)

Anonymous Coward | about a year and a half ago | (#40764727)

“One percent of people will always be honest and never steal. Another 1% will always be dishonest and always try to pick your lock and steal your television; locks won't do much to protect you from the hardened thieves, who can get into your house if they really want to. The purpose of locks is to protect you from the 98% of mostly honest people who might be tempted to try your door if it had no lock.”

unintentional? (0)

Anonymous Coward | about a year and a half ago | (#40764931)

Brocious was hired to reverse engineer hotel locks, and Onity was his first target. The discovery of Onity's security vulnerabilities was entirely unintentional, he says.

How can he be trying to reverse engineer the lock and unintentionally break it?

Onity should have been audited for security of the (0)

Anonymous Coward | about a year and a half ago | (#40765183)

My feeling is that Onity should have undertaken a security audit on their product. Hire a bureau/hacker/lab to evaluate the product and the security issues. It turns out that many hotel guests over the world risk compromise of their rooms/belongings. That has been going on for a long time already. If Onity would go bust due to this, they get what they deserve. The saying goes on: It is not difficult to develop something that always gives the right answer, it is _very_ difficult to develop something that _never_ gives the wrong answer. For security applications the latter is valid.
