
After Hacker Exposes Hotel Lock Insecurity, Lock Firm Asks Hotels To Pay For Fix

Soulskill posted more than 2 years ago | from the we-are-so-sorry-give-us-money dept.

Security 244

Sparrowvsrevolution writes "In an update to an earlier story on Slashdot, hotel lock company Onity is now offering a hardware fix for the millions of hotel keycard locks that hacker Cody Brocious demonstrated at Black Hat were vulnerable to being opened by a sub-$50 Arduino device. Unfortunately, Onity wants the hotels who already bought the company's insecure product to pay for the fix. Onity is actually offering two different mitigations: The first is a plug that blocks the port that Brocious used to gain access to the locks' data, as well as more-obscure Torx screws to prevent intruders from opening the lock's case and removing the plug. That band-aid style fix is free. A second, more rigorous fix requires changing the locks' circuit boards manually. In that case, Onity is offering 'special pricing programs' for the new circuit boards customers need to secure their doors, and requiring them to also pay the shipping and labor costs."


244 comments


Something strump this way comes... (-1)

Anonymous Coward | more than 2 years ago | (#41078421)

I just farted directly out of my own asshole. That's quite correct: out of my very own asshole, and no one else's. I keep expelling flatulence right out of there even though it's such a strange occurrence.

Such a thing!

Is there any guarantee on the new circuit board? (4, Interesting)

Taco Cowboy (5327) | more than 2 years ago | (#41078573)

The real question is not whether the lock company should charge for fixing the bug

The real question is whether there is a guarantee that the new circuit board (the upgrade) that the lock company provides is hack-proof.

Or put it another way ---
Will any e-lock company dare to guarantee that their e-lock for hotel room will be hack-proof?

Re:Is there any guarantee on the new circuit board (-1, Flamebait)

TheRaven64 (641858) | more than 2 years ago | (#41078609)

No, the real question is what anything you said had to do with someone farting out of their own asshole. I suspect that the answer is nothing, but enquiring minds want to know...

Re:Is there any guarantee on the new circuit board (0)

Anonymous Coward | more than 2 years ago | (#41079579)

Torx screws? Shop class wins the day again! It would be a few minutes' work to make a tool to unscrew them.

Of course they won't be (3, Funny)

Rix (54095) | more than 2 years ago | (#41078763)

I can hack any hotel room door.

With an axe.

Re:Of course they won't be (-1, Troll)

crutchy (1949900) | more than 2 years ago | (#41078793)

Dammit... keep to the topic, will you... Now I wonder how many different assholes one can possibly flatulate from?

Re:Of course they won't be (2)

fustakrakich (1673220) | more than 2 years ago | (#41078947)

Wendy, I'm home [youtube.com]

Re:Is there any guarantee on the new circuit board (4, Insightful)

forkazoo (138186) | more than 2 years ago | (#41078855)

Will any e-lock company dare to guarantee that their e-lock for hotel room will be hack-proof?

Of course not. Nobody has ever guaranteed such a thing, except for shady-dealing liars with the worst security of all. Anybody who works in security knows that any system which protects something sufficiently valuable, or is sufficiently widely deployed, will eventually come up against some lock pick or safe cracker who has enough intelligence, free time, and interest. It's just a question of how long it takes to happen, and how inconvenient it is when he shows up. Adding such a guarantee would just be a giant banner attracting more interest from such people.

Besides, this isn't software. If the guarantee is disproven, and you have to push out patches, you can't just put them on an FTP server. You have to build physical hardware, ship it out, etc. It would be unreasonable to expect any company to do all of that for free. In some cases a company will do a free, voluntary recall out of pocket for the sake of good PR. But it's hardly something you can demand.

Re:Is there any guarantee on the new circuit board (0)

Anonymous Coward | more than 2 years ago | (#41079277)

They don't offer the same guarantee for real locks either. Just that it's very very very difficult. Some locks can be very quickly opened by a bump key, others claim to be virtually unpickable but nothing's 100%. At the worst you can just turn up with a drill and drill straight through the lock if you're really determined to gain entry.

All locks are only meant as a deterrent, or to slow down an intruder long enough that they draw attention to themselves so that they're either foiled or remembered.

Re:Is there any guarantee on the new circuit board (4, Insightful)

Firethorn (177587) | more than 2 years ago | (#41079349)

At the worst you can just turn up with a drill and drill straight through the lock if you're really determined to gain entry.

Really, for most locks, and most doors, it's about providing an approximately equal amount of protection from all points of entry. Allowing a subtle entry is considered worse than an obvious entry.

Locks are already generally to the point that you don't try to physically defeat them - you go after the door instead. If you want in and don't care about being obvious, a small sledge will get you into most hotel doors with one whack, ~5 seconds. If the pins are on the outside, you pop those out and remove the door ~30 seconds. Put the pins back in and you have a covert entry.

$50 worth of parts and technical knowledge required is actually a fairly high bar.

Re:Is there any guarantee on the new circuit board (2)

oobayly (1056050) | more than 2 years ago | (#41079471)

Immediately thought of this:

From Sneakers [youtu.be]

Re:Is there any guarantee on the new circuit board (4, Insightful)

erroneus (253617) | more than 2 years ago | (#41079505)

If you think about it, this is all common practice. Some bugs in hardware and software NEVER get fixed. Instead, new versions are released for sale. That recall fixes happen from time to time is a careful balance of deciding whether the public outcry will result in loss of business.

That said, the locks aren't much more insecure than they were prior to the revelation. It requires tools and expertise to accomplish this feat. It's not like some dumb thief off the street will be any more of a threat than they were before.

The added protection; is it worth the effort? Even if it was free to put out the update is it worth the effort? Tough question. Is it worth the manufacturer updating the design to thwart the new hack? Surely. I think the right choices have been made in this case.

If someone markets a hotel hacking kit with instructions to the public and they somehow get away with it, that might be another matter. But are traditional metal key locks out of style or use in light of lock picking kits? Nope...

Re:Is there any guarantee on the new circuit board (1)

mwvdlee (775178) | more than 2 years ago | (#41079549)

Will any e-lock company dare to guarantee that their e-lock for hotel room will be hack-proof?

And preferably do so at least a few weeks before the next Black Hat convention.

lockgate=locksuit (0)

Anonymous Coward | more than 2 years ago | (#41078439)

just sayin'

Re:lockgate=locksuit (0)

Anonymous Coward | more than 2 years ago | (#41079541)

Anybody can sue. But the hotel won't win in court without a purchase agreement that says the locks are uncrackable or that the locks will only open with a keycard.

You know what else can open a lock? A crowbar. (5, Insightful)

Rogerborg (306625) | more than 2 years ago | (#41078455)

Any hack that requires physical disassembly of the lock is just ePeen waving.

Given the choice between a $50 bit of magic juju that might work after 5 minutes of fiddling, and a $20 jimmy that will work 100% of the time in 10 seconds, I know which option 99% of "going equipped" criminals are going to go for.

So, no, I'm not blaming the lock manufacturer here. No security is absolute, it's a question of what's reasonable.

Re:You know what else can open a lock? A crowbar. (0)

Anonymous Coward | more than 2 years ago | (#41078477)

Clearly you didn't RTFA or WTFV.

Re:You know what else can open a lock? A crowbar. (5, Informative)

Anonymous Coward | more than 2 years ago | (#41078493)

RTFA. No need to disassemble the lock - all you do is plug a small gadget into a Nokia-charger-style port at the bottom of the lock and voilà - open door.

Re:You know what else can open a lock? A crowbar. (5, Insightful)

ArsenneLupin (766289) | more than 2 years ago | (#41078721)

RTFA. No need to disassemble the lock - all you do is plug a small gadget into a Nokia-charger-style port at the bottom of the lock and voilà - open door.

Not after the "free" workaround (cap that covers connector, and requires lock disassembly to remove) is applied.

And I guess, if you already have disassembled the lock, you won't need the gadget to open it: a short applied directly at the actuator would do the trick too.

So, the "band-aid-style workaround" (cap) might actually make more sense than the improved circuit board (which may only protect against the current intrusion software, but not against enhanced versions that take into account the new memory layout).

Re:You know what else can open a lock? A crowbar. (4, Insightful)

adolf (21054) | more than 2 years ago | (#41079007)

Forget applying a "short" "directly at the actuator" (whatever that means): If you've already got the lockset disassembled, you just unlock it mechanically; no electronics needed.

That said, presumably (and I did R most of TFA), neat disassembly also requires access to the locked room, as is the case with most locks which are designed to be secure in only one direction.

But without more data, I'm led to wonder if the "free" workaround cap is actually all that physically secure, anyway: Being both a retrofit and (and again I presume) only having been designed within the past month or so, and then built down to a cost that can be distributed for free, it seems entirely likely that the cap itself might still be vulnerable to defeat from outside.

Re:You know what else can open a lock? A crowbar. (0)

Anonymous Coward | more than 2 years ago | (#41079365)

Forget applying a "short" "directly at the actuator" (whatever that means): If you've already got the lockset disassembled, you just unlock it mechanically; no electronics needed.

Electric locks will have a deadbolt that's moved by a solenoid. That probably has nothing to grip onto to slide it mechanically, but all you need to do is apply an AA battery to the wires going into the solenoid and it'll slide right back.

Re:You know what else can open a lock? A crowbar. (2, Informative)

Anonymous Coward | more than 2 years ago | (#41078495)

Isn't the point of the original hack that you can do it through the exposed programming port in seconds and leave no trace? Sounds superior to a crowbar, though my experience is limited.

Re:You know what else can open a lock? A crowbar. (1)

Anonymous Coward | more than 2 years ago | (#41079841)

A locksmith coworker of mine has told me more than once "All locks do is keep the honest people honest." Some of the tricks he's told me about are just plain simple and terrifying.

The cheap one is worthless (5, Informative)

gweihir (88907) | more than 2 years ago | (#41078511)

"Secure" screws are anything but. You can either print them (wax, photograph) and make matching bits pretty easily. You can even automatize this. Or you can force them with some pre-made approximations. (Yes, that may mean carrying around 50 possibles, and/or a file, but it is not hard.) There are other techniques as well, for example removal tools for broken screws or ice-spray and a hammer. Sawing a slit into the screw-head is also typically pretty easy.

Yes, I have done it a few times. Not for these locks, but I would be surprised if they were any different.

Re:The cheap one is worthless (2)

bloodhawk (813939) | more than 2 years ago | (#41078529)

Or why bother with any of that when a small crowbar will bypass it all?

Re:The cheap one is worthless (1)

gweihir (88907) | more than 2 years ago | (#41078547)

Or why bother with any of that when a small crowbar will bypass it all?

The damage is too visible, dramatically increasing attacker risk.

Re:The cheap one is worthless (1)

bloodhawk (813939) | more than 2 years ago | (#41078567)

You aren't breaking down the door; levering open a lock is in many cases unnoticeable except on closer inspection, especially if you close the door afterwards.

Re:The cheap one is worthless (1)

gweihir (88907) | more than 2 years ago | (#41078577)

Not likely on these. That was the whole point of the original hack. Otherwise hotels would get burglarized this way all the time. They do not.

Anyways, your comment is irrelevant here. Attach it to the original story about the hack.

Re:The cheap one is worthless (1)

ArsenneLupin (766289) | more than 2 years ago | (#41078765)

Otherwise hotels would get burglarized this way all the time.

There's personnel (or other guests) walking around all the time. The risk of getting caught is probably too big for most thieves.

Discounting the risk of getting caught, there's a very low tech attack against hotels with old-fashioned mechanical keys. Just walk by the reception desk while the receptionist is temporarily out, and grab a key...

Re:The cheap one is worthless (-1)

Anonymous Coward | more than 2 years ago | (#41078791)

I will never understand why people are so keen to add extra letters to the word "burgled". If there was any consistency in the way people use the English language, "burglarized" would mean the process of becoming a burglar.

Re:The cheap one is worthless (0)

Anonymous Coward | more than 2 years ago | (#41079179)

E.g.: transport (noun) --verbify--> transportate (rarely used) --nounify--> transportation (noun again)

Re:The cheap one is worthless (0)

Anonymous Coward | more than 2 years ago | (#41079319)

"Transport" has already been the verb since the 14th century; the "means of transportation" noun sense didn't appear until the 17th century. So there's no need for "transportate", which isn't in the dictionary.

Re:The cheap one is worthless (3, Interesting)

Tastecicles (1153671) | more than 2 years ago | (#41078633)

Tech overkill.

I use a Gator Grip [endeavorproducts.com] and have done for fifteen years. Yes, they work, no I don't work for them. Yes they're fantastic value and no, they don't charge for replacement in case of bad workmanship, act of Dog, act of Idiot, or jamming. I've only ever had to replace the small one because I managed to break it trying to loosen a disc brake caliper.

Re:The cheap one is worthless (2)

adolf (21054) | more than 2 years ago | (#41079131)

How well does your Gator Grip work on small socket-cap Torx screws, such as those discussed in TFA?

It looks like a lovely tool for removing things that have external facets (common hexagonal nuts and bolts), but from what I see it is a picture of failure and frustration for anything else -- especially if it is very small (which lockset screws typically are).

Re:The cheap one is worthless (1)

Tastecicles (1153671) | more than 2 years ago | (#41079397)

As far as I can make out, if the tool can lock more than three pins around the head or in its features, then it will certainly grip enough to turn. I've seen (but not played with) finework versions of the Gator, and can only assume that they work on the same principle. If you can find one with fine enough pins for the job (I would say generally not to use a socket more than twice the size of the head, to ensure proper grip), then sure: if a Gator will grip a rusted screw head (it will) enough to loosen it (if there's enough of a slot left for the pins to engage, then generally this will happen), then it'll deal with a Torx head.

Re:The cheap one is worthless (1)

ArsenneLupin (766289) | more than 2 years ago | (#41078741)

Most of these methods, except photographing, will mar or stain the screw heads, i.e. not suitable for undetected entry.

And if undetected entry is not a goal, a small crowbar will do the job more easily.

Re:The cheap one is worthless (1)

jimicus (737525) | more than 2 years ago | (#41079329)

How often do you think hotels have someone examine the underside of their locks?

Re:The cheap one is worthless (4, Informative)

TubeSteak (669689) | more than 2 years ago | (#41078755)

Secure screw bits are $20 for an entire set (made in China) of all the designs.

The only "secure" screw head is one that is custom made for you.
Otherwise, you should be using breakaway heads or one-way screws.

Re:The cheap one is worthless (1)

crutchy (1949900) | more than 2 years ago | (#41078807)

or blind structural rivets (cherrymax)

Re:The cheap one is worthless (1)

adolf (21054) | more than 2 years ago | (#41079149)

I've defeated many "one-way" pan-head screws with force-multiplying pliers. Just grab and turn.

Re:The cheap one is worthless (1)

thegarbz (1787294) | more than 2 years ago | (#41079659)

The only "secure" screw head is one that is custom made for you.

Until someone comes along with a tiny cordless Dremel and a screw-extracting bit attached to the end.

Re:The cheap one is worthless (1)

Kalten (20368) | more than 2 years ago | (#41079815)

The only "secure" screw head is one that is custom made for you.

What makes you think that? I work for a company that could not only make the screws for you, but also the bits to remove them for someone else.

(Okay, it'd be a heck of a lot more expensive than some of the other solutions, but...)

Re:The cheap one is worthless (1)

fustakrakich (1673220) | more than 2 years ago | (#41079015)

Some locks can be screwed on from the inside of the door. Just steal a card from one of the maids if you want in.

Re:The cheap one is worthless (5, Informative)

adolf (21054) | more than 2 years ago | (#41079097)

I had to defeat some stainless steel T10 Security Torx [google.com] screws in the process of doing my job, recently, as I was moving old hardware from one place to another.

Normally, I carry a large assortment of cheap "security" driver bits with me, but alas they were not with me at the time (indeed, they were 40 miles away).

Solution: I used a regular-old Klein T10 driver. I smashed it into the head of the screw a few times with the palm of my hand (no hammer needed), and the protruding post neatly bent over and squished itself into the valley of the Torx socket. This left plenty of surface area to neatly grab the fastener in the conventional way (with the same, and now proper driver), and remove it.

I was fairly amused that this worked the first time. And then I repeated it 7 more times for the other screws with similar success. (The Klein screwdriver was unfazed.)

(For the uninitiated: Torx screws intentionally require very little engagement depth to properly mate a driver to the fastener, by design. It is perhaps the singular thing they're very good at, and also the one thing that allowed them to be so easily circumvented in this case of them being modified for "security.")

Re:The cheap one is worthless (1)

Ellis D. Tripp (755736) | more than 2 years ago | (#41079655)

The fact that you were dealing with stainless steel screws worked to your advantage here. Stainless is soft enough to deform under the hammer blows, but a proper hardened steel screw wouldn't do so.

Re:The cheap one is worthless (0)

Anonymous Coward | more than 2 years ago | (#41079857)

The fact that you were dealing with stainless steel screws worked to your advantage here. Stainless is soft enough to deform under the hammer blows, but a proper hardened steel screw wouldn't do so.

Depending on the hardness, either it would deform, or it would break -- same effect. You might need a hammer in lieu of GP's hand, but it would work.

Re:The cheap one is worthless (1)

JDG1980 (2438906) | more than 2 years ago | (#41079869)

Well, there's also the fact that Torx screws aren't really that obscure to begin with.

Double standard (5, Insightful)

Anonymous Coward | more than 2 years ago | (#41078517)

Hmmm, we take umbrage that a company charges for a hardware upgrade to a flawed physical device, but we have gotten used to having to pay for software upgrades to get our bugs fixed. It is the second of these that is the real scandal.

Re:Double standard (0)

RabidTimmy (1415817) | more than 2 years ago | (#41078701)

I don't really see a double standard here. The summary implied that the sellers of the lock are obligated to provide a software upgrade to fix the vulnerability. For there to be a double standard, that means that we must expect a hardware lock to be replaced. The only way I see either company (the hardware or software lock companies) being obligated to fix the lock for free is if they somehow implied that they would provide upgrade services or made some guarantee of being hack-proof. I don't know what the terms of the hotels' locks were, but if they were sold as is, as a device to reduce the chance of break-in, I see no obligation.

Re:Double standard (0)

Anonymous Coward | more than 2 years ago | (#41078931)

I wonder what the law in the US is...

Over here, a supplier has the responsibility to deliver a good product and to repair it when it appears to be flawed. When repair is not possible, the goods can be returned and the money has to be refunded.

Considering this, I always wonder how companies like Cisco can deliver equipment and give access to bug-fixing firmware updates only to customers who pay extra for a maintenance contract. I think this practice is illegal. But maybe it isn't in the US?

Re:Double standard (1)

ratbag (65209) | more than 2 years ago | (#41079375)

IANAL. But I've been corrected on this issue by someone who is, and who happened to be my boss at the time.

If you're talking about the UK (my version of "over here"), most of the stuff to do with refunds and longer-term fitness for purpose only applies to individual consumers. As long as the Cisco device is supplied in a fit state at purchase time, then a purchasing company has no comeback if bugs are revealed later and require a paid fix. And in general, a Cisco router, for example, will route packets as advertised. It may have edge cases and rarely-exercised bugs that are only revealed in the field, but Cisco sold it as a router, in good faith.

An individual consumer could expend some effort talking to Cisco about "reasonable" fitness for purpose for up to six years after purchase, but the probable end result would be that Cisco suggest you accept a refund for returning the item.

Have a look (if you've got a lot of time) at the Sale of Goods Act 1979 (and later modifications, etc.) for the basis of all this. There may be European law overlaid on this as well, but so far as I know, no-one's ever tried to use "the law" to resist paying for ongoing maintenance fees on computer hardware, or at least nobody's succeeded in such a venture. And again - IANAL.

Re:Double standard (3, Insightful)

FireFury03 (653718) | more than 2 years ago | (#41079837)

IANAL. But I've been corrected on this issue by someone who is, and who happened to be my boss at the time.

If you're talking about the UK (my version of "over here"), most of the stuff to do with refunds and longer-term fitness for purpose only applies to individual consumers.

The Sale of Goods Act requires the retailer (*not* the manufacturer) to warrant a product for its "reasonable" life expectancy to be free of manufacturing and design defects and fit for purpose. Within the first 6 months the burden of proof is upon the retailer (if they don't want to refund/fix then within the first 6 months they have to prove that there was no defect or that its "reasonable" life expectancy has been exceeded). After the first 6 months the burden of proof is upon the consumer (you prove that there was a defect and that it is within its life expectancy).

No one sane expects a lock to be completely secure, but this sounds like gross negligence (sticking what is effectively a JTAG port on the outside of the door - that isn't an obscure mistake; anyone involved with security who looked at the design and thought it was OK to make a programming port accessible from the outside with no kind of hardware or software security, and didn't spot a problem, is incompetent), which would fall into the "not fit for purpose" category. And since this defect was clearly there at the time of manufacture, rather than having developed over months/years of use, the case looks quite winnable.

I have often wondered how this applies to software... I think someone once informed me that software was explicitly excluded from the act, although I haven't checked myself. This seems a bit wrong - defects in software are easier to fix than defects in hardware (at least, on a large scale), so it seems more reasonable to ensure they are fixed rather than giving software vendors a free pass.

so far as I know, no-one's ever tried to use "the law" to resist paying for ongoing maintenance fees on computer hardware, or at least nobody's succeeded in such a venture. And again - IANAL.

Maintenance fees usually get you something over and above the law. For example, it might get you a no-questions-asked same-day engineer callout to replace whatever hardware has failed, rather than requiring you to prove that a failure was caused by a defect (possibly involving the courts). Yes, without a maintenance contract, you could probably get that failed motherboard replaced by the retailer, but would it be done immediately and without any hassle, or would you be left without a server for weeks? (This isn't just a case of the vendor being difficult when there is no maintenance contract in place - the vendor may genuinely believe that the problem wasn't caused by a defect, but having a maintenance contract is likely to make them swing the benefit of the doubt in your favour.)

Re:Double standard (1)

Zeromous (668365) | more than 2 years ago | (#41079409)

There's a difference between bug fix and feature fix. I didn't realize vendors were charging me for bugfixes probably because they aren't.

Re:Double standard (3, Funny)

RaceProUK (1137575) | more than 2 years ago | (#41079497)

Hmmm, we take umbrage that a company charges for a hardware upgrade to a flawed physical device, but we have gotten used to having to pay for software upgrades to get our bugs fixed. It is the second of these that is the real scandal.

How much did you pay for a Windows Service Pack? Personally, I spent $0.00, consisting of a $0.00 deposit, 35 easy monthly payments of $0.00, and a final payment of $0.00 to keep it for life.

Re:Double standard (1)

Anonymous Coward | more than 2 years ago | (#41079937)

So you received a DVD in the mail or via courier?

Otherwise, you paid $9.95+/month for your internet connection and ~$8+/hr for your time to download it from Microsoft.

Really a story? (4, Insightful)

FaxeTheCat (1394763) | more than 2 years ago | (#41078539)

Is this really a story? The conditions for repairs and upgrades are most likely regulated in the contract between the hotels and the supplier/manufacturer. Big deal.

Re:Really a story? (1)

Anonymous Coward | more than 2 years ago | (#41078737)

The locks may not meet the expectation of being reasonably secure in the first place, and in that case all expense would fall upon the company that provided the locks. When you make a purchase you do have the reasonable expectation that the product is fit for sale. It would be one thing if the hack was provided by a large governmental hacker group, but if one or two guys working in a basement were able to hack the product, I would tend to believe that the product was unfit for sale and the purchase should be recoverable. After all, if you went and bought a spanking new car that looked great but couldn't be started to leave the lot, there would be a void sale. Selling locks means that the lock must secure, and liability should attach if the lock fails to secure.

They should act like Kryptonite. (5, Insightful)

Anonymous Coward | more than 2 years ago | (#41078543)

Many slashdotters and/or cyclists remember the whole Kryptonite debacle where their locks could be opened with a Bic pen. Kryptonite offered free replacements, with free shipping, without requiring the receipt. They ate a huge cost but saved their company's reputation. People still buy their locks.

This company is making its customers pay for their poor design. They are done.

Re:They should act like Kryptonite. (3, Informative)

Isaac-1 (233099) | more than 2 years ago | (#41078627)

I suspect Kryptonite had a bit more markup built into their business model; this sort of recall would likely bankrupt the lock company if they offered it for free, which would leave the hotels without replacement parts, or locks for new construction, etc. Remember, hotels love standardization, and these locks must offer remote programming from the front desk, etc.

Re:They should act like Kryptonite. (1)

norpy (1277318) | more than 2 years ago | (#41079325)

There is a difference here:

Kryptonite: Large number of customers with little knowledge of the issues, protecting something cheap with something cheap; this warranty will likely not be taken up en masse, assuming the locks aren't already lost or rusting in a shed.

Onity: Relatively small number of customers with large numbers of locks, who are highly likely to find out about the flaw and who also likely pay for maintenance contracts.

What? (0)

Anonymous Coward | more than 2 years ago | (#41078555)

I don't see a story here.

My foot can also open any locked door.

And in a hotel. Nobody will care so long as the noise stops quickly.

You know what? (1)

Tastecicles (1153671) | more than 2 years ago | (#41078617)

Fuck your company, I'll go someplace else for my locks. Maybe to a company that knows the LAW when it comes to selling hardware that is FIT FOR PURPOSE!

Re:You know what? (1)

MysteriousPreacher (702266) | more than 2 years ago | (#41078735)

Maybe to a company that knows the LAW when it comes to selling hardware that is FIT FOR PURPOSE!

Maybe they are perfectly within the law. In the UK, consumers cannot waive protections given by the Sale of Goods Act, but businesses can. It's not as black and white for businesses as it is with consumers. Exactly which law do you think the lock company should know, and how do you know they're breaking it?

I do agree though - go elsewhere for locks. Even if not contractually or legally obliged to do so, with such a sloppy and blatant design issue, Onity should be picking up the tab. Hopefully the bigger chains will walk away from Onity.

Re:You know what? (4, Informative)

Tastecicles (1153671) | more than 2 years ago | (#41078841)

The Sale of Goods Act 1979 (c. 54) provides:

14 Implied terms about quality or fitness.

(1) Except as provided by this section and section 15 below and subject to any other enactment, there is no implied term about the quality or fitness for any particular purpose of goods supplied under a contract of sale.
(2) Where the seller sells goods in the course of a business, there is an implied term that the goods supplied under the contract are of satisfactory quality.
(2A) For the purposes of this Act, goods are of satisfactory quality if they meet the standard that a reasonable person would regard as satisfactory, taking account of any description of the goods, the price (if relevant) and all the other relevant circumstances.
(2B) For the purposes of this Act, the quality of goods includes their state and condition and the following (among others) are in appropriate cases aspects of the quality of goods—
(a) fitness for all the purposes for which goods of the kind in question are commonly supplied,
(b) appearance and finish,
(c) freedom from minor defects,
(d) safety, and
(e) durability.
(2C) The term implied by subsection (2) above does not extend to any matter making the quality of goods unsatisfactory—
(a) which is specifically drawn to the buyer's attention before the contract is made,
(b) where the buyer examines the goods before the contract is made, which that examination ought to reveal, or
(c) in the case of a contract for sale by sample, which would have been apparent on a reasonable examination of the sample.

emphases mine.

If a lock is described as a lock, and looks like a lock, is it unreasonable to expect it to perform as such? I don't think so.
If a device is described as a lock and does not in fact perform that function, to the point where intervention is required, then is it unreasonable to assume that the defect is by design? I would say not.

Therefore, the effect of the failure of the product to perform *as advertised* constitutes a material breach of contract, one which should be pursued for restitution and remedy.

DISCLAIMER: IAAL.

Re:You know what? (4, Insightful)

adolf (21054) | more than 2 years ago | (#41079195)

If a device is described as a lock and does not in fact perform that function, to the point where intervention is required, then is it unreasonable to assume that the defect is by design? I would say not.

It is common knowledge that locks only keep out honest people.

Corollarily, a lock which allows entry by dishonest people is still a lock.

If it were a mechanical lock with pins and tumblers, it would be defeatable by dishonest people. This lock happens to be electronic, and is also defeatable by dishonest people.

I don't see the difference in the context that you specify.

Re:You know what? (1)

Neil_Brown (1568845) | more than 2 years ago | (#41079235)

Therefore, the effect of the failure of the product to perform *as advertised* constitutes a material breach of contract, one which should be pursued for restitution and remedy.

Absolutely — provided that this term is actually incorporated into the contract, which is the key issue here. (Let's assume that English law applies here.)

Although the term is an "implied term," and thus can exist even if it is not written into a contract (if there is a written contract) or expressly stated as part of the agreement, there's no general principle of law which says that implied terms cannot be excluded. Instead, we have to look to specific laws on this.

For this particular term, section 6 of the Unfair Contract Terms Act 1977 [legislation.gov.uk] provides that:

(2) As against a person dealing as consumer, liability for breach of the obligations arising from— (a) section 13, 14, or 15 of the 1979 Act (seller’s implied undertakings as to conformity of goods with description or sample, or as to their quality or fitness for a particular purpose); ... cannot be excluded or restricted by reference to any contract term.

As such, in a contract where one party deals as a consumer, the section you reference cannot be excluded — but there is no such prohibition in contracts between businesses. There is debate as to what it means to "deal as a consumer," though — could a business deal as a consumer for a particular transaction? It would be a question of fact in each case, but there's an argument that, yes, it could.

So whilst there's no definite prohibition on excluding this term in a business to business transaction, businesses are not entirely out of luck, although by virtue of s6(3), there is a variable at play, which makes the position less certain:

(3) As against a person dealing otherwise than as consumer, the liability specified in subsection (2) above can be excluded or restricted by reference to a contract term, but only in so far as the term satisfies the requirement of reasonableness.

The business would need to look and see whether liability was excluded under the contract. If there's nothing saying that the term is excluded, brilliant. If the contract does attempt to exclude liability, the business would need to argue that this exclusion was unreasonable:

... the requirement of reasonableness ... is that the term shall have been a fair and reasonable one to be included having regard to the circumstances which were, or ought reasonably to have been, known to or in the contemplation of the parties when the contract was made. (s11(1))

This would be a question of fact, highly dependent on the circumstances. If the exclusion clause is unreasonable, the implied term as to fitness for purpose stands. If it is reasonable, it falls.

I can only speak from my experience, but getting a general "fitness for purpose" clause in a business contract is rare — it's a very broad warranty to give. More likely, I would have thought, is that the seller will have excluded the term, and the hotel will either need to make an argument about reasonableness of the exclusion, or else dig through its agreement to see whether the product failed to comply with an agreed specification or to a particular performance level, or anything like that.

Just my musings, could be wrong, not your lawyer, hate that one might argue I need to exclude the possibility that someone might consider this legal advice etc.

Re:You know what? (1)

thegarbz (1787294) | more than 2 years ago | (#41079699)

DISCLAIMER: IAAL.

Of course you are. This is blatantly an advertisement for your services against lock makers of the world given how every house in America can be broken into with a lockpick. Does that make it defective by design?

I smell a class action.

Re:You know what? (1)

wvmarle (1070040) | more than 2 years ago | (#41078825)

Shopping around may be a good idea for a new set-up, but this has to do with existing hotels.

Replacing the lock means purchasing a complete new set of locks, purchasing a complete new set of key cards and programming equipment, labour cost of replacing all these locks plus probably adaptations to the existing doors and door frames, possibly even the need to replace all the doors because there is no way to fit the new lock in the existing space in a good looking way.

Going with the upgrade option on offer sounds cheaper and more practical/less intrusive to me.

Then there is the legal question of whether the existing locks are "fit for purpose" or not. Being able to hack a lock does not necessarily mean they're not good enough, as given enough time/effort any lock can be broken. That it can be broken this easily, doesn't necessarily mean the company selling them has the legal obligation to fix this. It's definitely not as easy or as black/white as you and many others here would like to believe. Affected hotels will have to sue the company to get back their costs for replacement.

Re:You know what? (1)

Dr_Barnowl (709838) | more than 2 years ago | (#41079009)

Security is all about raising the cost of intrusion beyond the value of intrusion; the cost of intrusion for these locks will decrease rapidly as the knowledge of how to build the lock-cracker spreads. At first it will only be people with the time to reproduce the hack; then when one of these is unscrupulous enough to spread this information, it will be enough to be merely proficient with a computer and a soldering iron. Then people will start selling them and anyone who just knows it's possible will be able to acquire the means to do it, and the rate of it actually being used to steal from hotel rooms will skyrocket.

Say what? (4, Insightful)

Ignacio (1465) | more than 2 years ago | (#41078649)

Torx? Obscure? What decade do they think this is?

Re:Say what? (1)

wvmarle (1070040) | more than 2 years ago | (#41078829)

Well, insofar, it's not one that I have in my toolbox. That's how obscure and uncommonly used they are.

It's also not one that I couldn't buy at the local hardware shop, if I'd need one.

Re:Say what? (0)

Anonymous Coward | more than 2 years ago | (#41078891)

Who cares for Torx. Nothing a flat head can't resolve quicker.

Re:Say what? (0)

Anonymous Coward | more than 2 years ago | (#41078951)

Really? Lowes and Home Depot both carry Torx head sets...

Re:Say what? (1)

isorox (205688) | more than 2 years ago | (#41078971)

Well, insofar, it's not one that I have in my toolbox. That's how obscure and uncommonly used they are.

It's also not one that I couldn't buy at the local hardware shop, if I'd need one.

Yet the standard screwdriver set I keep in one of our overseas offices cost under USD 10 and contains 4 different sizes.

Re:Say what? (1)

rjr162 (69736) | more than 2 years ago | (#41079191)

Really? Every German car made uses Torx to take apart (even to mount an aftermarket radio into a new Beetle).

Same with security Torx. They aren't secure as you can get sets with the bits about anywhere.

Even the extremely odd screw Nissan uses in some of their Altimas and other models to hold the BCM into the car (and I'm talking odd) can be found online (which some installers must purchase to do remote starts in those cars, since they require connections at the BCM but the BCM is in a very tight spot).

So, like others have said... Torx is anything but obscure.

Re:Say what? (1)

dissy (172727) | more than 2 years ago | (#41079459)

Torx? Obscure? What decade do they think this is?

Exactly what I was thinking! I picked up one of these nice "100 piece security bit" sets from a local store for $10. Even at Amazon it's only $13 plus shipping.

http://www.amazon.com/Neiko-100-Piece-Security-Bits-Storage/dp/B000O5XDOG [amazon.com]

Product Description
100 pc. Security Bits Set Security bits set contains many of the most common tamper proof type security bit sizes, including tri-wing bits, torx bits, spanner bits, and hex bits. Security bits set contains: 1 - wing nut driver. 1 - magnetic bit holder. 1 - socket bit holder. 1 - 1/4" sq. x 1/4" hex x 1" extension. 1 - 1/4" sq. x 1/4" hex x 2" extension. 3 - clutch bits (# 1, 2 & 3). 3 - torq bits (# 6, 8 & 10). 3 - spline bits (M-5, 6 & 8). 4 - tri-wing bits (# 1, 2, 3 & 4). 4 - square recess bits (# 0, 1, 2 & 3). 4 - spanner bits (# 4, 6, 8 & 10). 6 - metric hex tamper proof bits (2, 2.5, 3, 4, 5 & 6). 6 - SAE hex tamper proof bits (5/64, 3/32, 7/64, 1/8, 9/64 & 5/32). 8 - phillips bits (0, 1, 2{5} & 3). 8 - pozi drive bits (0, 1, 2{5} & 3). 9 - slotted bits (3, 4, 4.5, 5, 5.5, 6, 6.5, 7 & 8). 9 - metric hex bits (1.5, 2, 2.5, 3, 4, 5, 5.5, 6 & 8). 9 - torx bits (T-8, 10, 15, 20, 25, 27, 30, 35 & 40). 9 - torx tamper proof bits (T-8, 10, 15, 20, 25, 27, 30, 35 & 40). 10 - SAE hex bits (1/16, 5/64, 3/32, 7/64, 1/8, 9/64, 5/32, 3/16, 7/32 & 1/4). Set includes plastic storage / carry case.

Re:Say what? (0)

Anonymous Coward | more than 2 years ago | (#41079635)

Containing both regular and tamper-resistant ("pinout") torx bits is redundant. Pinout torx drivers are backwards-compatible with regular torx screws. I only bother to keep the pinout versions of the drivers around for this reason.

Torx? Secure? (1)

tconnors (91126) | more than 2 years ago | (#41078711)

Torx? Secure? Is this some kind of security through obscurity that this company are obviously so good at?

I've lost count of the number of Torx screwdriver sets I have.

Sweet. (5, Funny)

Impy the Impiuos Imp (442658) | more than 2 years ago | (#41078747)

> "as well as more-obscure Torx screws to prevent intruders from
> opening the lock's case and removing the plug"

Because nobody capable and determined enough to rig up the electronic interface for $50 can handle the mental and financial stresses of a $10 Torx set from the hardware store.

"Well, we got the device. Open it up."

"Whoa! What kind of screws are these?"

"Lemme look -- MY GOD, IT'S FULL OF STARS!"

Master key systems can be hacked too (3, Interesting)

twosat (1414337) | more than 2 years ago | (#41078811)

I remember reading years ago about Matt Blaze, a security researcher at AT&T Labs-Research who discovered how to create a master key from a key and a lock which is opened by it. His method was a trade secret used by many locksmiths, which pissed them off when he publicised it.

http://it.slashdot.org/story/03/01/23/0359230/att-identifies-widespread-security-hole---in-locks [slashdot.org]

http://www.nytimes.com/2003/01/23/business/many-locks-all-too-easy-to-get-past.html [nytimes.com]

Hotel In room "safe" (5, Informative)

trout007 (975317) | more than 2 years ago | (#41078827)

I was staying in a Marriott and they have a small in-room safe. It's the kind with a digital keypad where you select your own code. I put stuff in there while we went to the pool.

When we got back I guess one of the kids was playing with it and it stopped responding because they pressed too many buttons. So I looked it up online. All I had to do was press "lock" twice to enter supervisor mode then 999999 and it opened the safe bypassing my code.

So don't use those safes for anything real valuable. Next time I have to play around with supervisor mode to see if I can change that password.

Now that's what I call... (5, Funny)

srussia (884021) | more than 2 years ago | (#41078897)

All I had to do was press "lock" twice to enter supervisor mode then 999999 and it opened the safe bypassing my code.

"six-nines" availability!

Re:Now that's what I call... (1)

adolf (21054) | more than 2 years ago | (#41079211)

*5*

Re:Hotel In room "safe" (2)

isorox (205688) | more than 2 years ago | (#41078979)

I was staying in a Marriott and they have a small in-room safe. It's the kind with a digital keypad where you select your own code. I put stuff in there while we went to the pool.

When we got back I guess one of the kids was playing with it and it stopped responding because they pressed too many buttons. So I looked it up online. All I had to do was press "lock" twice to enter supervisor mode then 999999 and it opened the safe bypassing my code.

So don't use those safes for anything real valuable. Next time I have to play around with supervisor mode to see if I can change that password.

If I'm staying in a dodgy city for a period of time, I spread the risk. £100 and passport copy in the safe, normal wallet and passport on me, and I always keep a credit card in my dirty laundry in the suitcase just in case.

Re:Hotel In room "safe" (2)

trout007 (975317) | more than 2 years ago | (#41079201)

I forgot. I took a video of it. It's a Safemark safe.

http://youtu.be/UYjJuE7l7VM [youtu.be]

Isn't the problem offering access to the outside? (1)

91degrees (207121) | more than 2 years ago | (#41078833)

So, how about cutting wires to the port, and wiring a new port on the other side of the door. Presumably this could be done fairly neatly.

Seems the fundamental flaw is that the access port is on the outside of the door.

It's a moot point though. Hotel rooms aren't secure. Dozens of people have access. My suggestion is to use the safe to store valuables.

Re:Isn't the problem offering access to the outsid (1)

gl4ss (559668) | more than 2 years ago | (#41078849)

The lock to the safe is usually equally worthless, too bad. Better to just stash the stuff under the drawers.

Re:Isn't the problem offering access to the outsid (0)

Anonymous Coward | more than 2 years ago | (#41079701)

Or the safe is bolted in a cupboard to a removable shelf and can easily fit complete with shelf into a normal sized suitcase, as was the case in the last hotel I stayed at.

Re:Isn't the problem offering access to the outsid (2)

drinkypoo (153816) | more than 2 years ago | (#41079493)

So, how about cutting wires to the port, and wiring a new port on the other side of the door. Presumably this could be done fairly neatly.

Seems the fundamental flaw is that the access port is on the outside of the door.

The fundamental flaw in your comment is that the port needs to be on the outside of the door so that it can be used in cases where the door cannot otherwise be opened.

Re:Isn't the problem offering access to the outsid (1)

leonardluen (211265) | more than 2 years ago | (#41079953)

That is why most electronic locks still have physical keys. Otherwise how would you open the door when the battery goes dead on the lock? Most hotel locks operate off a battery. Also what happens if the solenoid that engages the lock breaks? Without a physical key, it would be impossible to open the door without breaking the door down.

They really should put the programming ports on the inside.

Note: I work with various kinds of electronic locks. However I do not work for a hotel.

Re:Isn't the problem offering access to the outsid (0)

Anonymous Coward | more than 2 years ago | (#41079543)

I believe the access port is provided so that they can reset the key for a lock when they're locked out of the room without having to break down and damage the door - pretty useless if the port's only inside the room.

Not exactly Inconspicuous (1)

damn_registrars (1103043) | more than 2 years ago | (#41079343)

If the hack requires someone to physically open up the lock with a screwdriver and pull a plug out from the mechanism, it's not really something that can be done quickly and easily without likely attracting attention. Sure, a screwdriver is a lot less noticeable than say a blowtorch or a hacksaw, but most people would notice it if they were walking down the hallway and wonder what is going on.

In other words I doubt many people would find this to be a practical hack to employ. They'd likely be more successful with a little bit of social engineering at the front desk instead.

Re:Not exactly Inconspicuous (1)

drinkypoo (153816) | more than 2 years ago | (#41079485)

I can remove two security torx screws in five seconds or less with some practice and the right screwdriver. That is a non-fix.

This isn't necessarily the end of the world (1)

jimicus (737525) | more than 2 years ago | (#41079403)

The thing about any security issue is you've got to weigh up the cost versus the benefit.

First off: The hotel doesn't really care about the fact your digital camera might have holiday snaps from your once-in-a-lifetime holiday on there. Nor do they care that you brought your laptop (complete with the only photographs you have of your recently-deceased granny) and haven't backed it up lately.

All they care about is "How much is failing to fix this going to cost us? Will it be more than the cost of fixing it?". And given that most hotel rooms aren't exactly impregnable anyway, I don't think it's that much of a big deal - it's considerably easier and cheaper for an outsider to buy a set of overalls and a toolkit and force their way in that way. If questioned, simply produce a mocked-up job sheet that shows there's a fault with the lock and you're fixing it.

Doesn't matter (1)

Dunbal (464142) | more than 2 years ago | (#41079415)

This doesn't affect me because I keep all my valuables in the hotel safe [youtube.com] !

Perfectly Fair (0)

Anonymous Coward | more than 2 years ago | (#41079707)

The lock company is being perfectly fair in this case. More so than I had expected. They are offering a free fix that will work quite well, despite the poster's glib insinuations. They are also offering a more comprehensive fix that requires replacing a significant portion (cost-wise) of the lock, which they are charging for to cover the extensive parts and labor involved.

Most lock companies would have simply offered to sell them new "improved" locks, that they can install for an additional charge.

Hardware, meet software. (1)

miffo.swe (547642) | more than 2 years ago | (#41079737)

Welcome to the software world, where you pay for the product, support of the product and anything that needs to be done to make the product work as advertised.

I don't remember seeing anything in the reports (3, Insightful)

kaizendojo (956951) | more than 2 years ago | (#41079907)

that Onity guaranteed the locks to be unhackable. A researcher discovered a flaw, they are offering two solutions to correct it; one free and one (better) for a reduced price. What's the issue? Maybe I'm missing something, but they seem to be acting fairly and responsibly.

easy fix (0)

Anonymous Coward | more than 2 years ago | (#41079917)

Fill port with epoxy!
