Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Hotel Keycard Lock Hack Gets Real In Texas

timothy posted about a year and a half ago | from the those-words-in-that-order dept.

Privacy 132

Sparrowvsrevolution writes "You may remember a vulnerability in four million keycard locks presented at the Black Hat conference in July. Hacker Cody Brocious showed he could insert a device he built for less than $50 into the port at the bottom of the common hotel lock, read a key out of its memory, and open it in seconds. Two months later, it turns out at least one burglar was already making use of that technique to rob a series of hotel rooms in Texas. The Hyatt House Galleria in Houston has revealed that in at least three September cases of theft from its rooms, the thief used that Onity vulnerability to effortlessly open rooms and steal valuables like laptops. Petra Risk Solutions, an insurance firm focus the hospitality industry also reports that at least two other hotels in Texas were hit with the attack. Onity has been criticized for its less-than-stellar response to a glaring vulnerability in its devices. The Hyatt says Onity didn't provide a fix until after its break-ins, forcing the hotel to plug its locks' ports with epoxy. And even now, Onity is asking its hotel customers to pay for the full fix, which involves replacing the locks' circuit boards."

cancel ×

132 comments

Not "rob", burglarize (1, Informative)

Anonymous Coward | about a year and a half ago | (#42105665)

...unless the victim was present.

Re:Not "rob", burglarize (0)

Anonymous Coward | about a year and a half ago | (#42106077)

Or burgled, for the rest of the world.

Re:Not "rob", burglarize (1)

X0563511 (793323) | about a year and a half ago | (#42106423)

verb tense, do you have it?

Re:Not "rob", burglarize (4, Informative)

History's Coming To (1059484) | about a year and a half ago | (#42106881)

To burgle. He burgled. They will burgle. I was burgled. I suffered a burglary. etc

Re:Not "rob", burglarize (1)

X0563511 (793323) | about a year and a half ago | (#42106939)

Tense mismatch was my point, not conjugation.

Re:Not "rob", burglarize (4, Informative)

clickclickdrone (964164) | about a year and a half ago | (#42106079)

Or just plain 'burgle' if you're English.

Re:Not "rob", burglarize (0)

Anonymous Coward | about a year and a half ago | (#42106241)

Thank you. Would mod up if I could.

Re:Not "rob", burglarize (1)

poofmeisterp (650750) | about a year and a half ago | (#42106463)

...unless the victim was present.

So you're saying the generalized term of "Rob Peter to pay Paul" cannot be used unless it's specifically analogue to robbing a person actively rather than just stealing property of theirs?

Would the following term apply to burglary better?: "He Burglarized Peter for a laptop computer in order to sell it and have money to pay Paul's rent as a favor."

/snark :-)

Re:Not "rob", burglarize (4, Funny)

Phreakiture (547094) | about a year and a half ago | (#42106517)

I bet you feel so embiggened for pointing out this incromulence.

Re:Not "rob", burglarize (1)

Dunbal (464142) | about a year and a half ago | (#42106911)

There is truthiness to what you said.

Re:Not "rob", burglarize (1)

mrbester (200927) | about a year and a half ago | (#42106541)

One would have to wonder if Paul was in any way involved in the insertion of the laptop into Peter. Were surgical instruments used in the removal? The plot thickens...

Re:Not "rob", burglarize (1)

poofmeisterp (650750) | about a year and a half ago | (#42106913)

One would have to wonder if Paul was in any way involved in the insertion of the laptop into Peter. Were surgical instruments used in the removal? The plot thickens...

I see where your definition of "favor" falls. LOL

Dictonaries are (0)

Anonymous Coward | about a year and a half ago | (#42108297)

. . . useful. Rob is correct, just not specific. Look it up yourself. Burgle would be more specific. Burglarize is a silly word that means burgled.

Sure I will pay.... (5, Funny)

Anonymous Coward | about a year and a half ago | (#42105671)

....for a broken product you gave me......who are your competitors?

Re:Sure I will pay.... (1)

h4rr4r (612664) | about a year and a half ago | (#42105923)

That would be even more expensive.
The replacement boards slide right into the existing locks, which the competitors product will not do.

Re:Sure I will pay.... (5, Insightful)

Applekid (993327) | about a year and a half ago | (#42106127)

If I were one of Onity's competitors, I would be fast-tracking a replacement system that uses the existing housings at least. Their lunch is right there, on the table, practically begging to get eaten.

Re:Sure I will pay.... (3)

IndustrialComplex (975015) | about a year and a half ago | (#42106651)

Very likely there exists a patent which covers some aspect of the board design for fitting in that slot, or interfacing with the remaining mechanism, etc.

You probably could easily design a board to fit, but it would be seconds before Onity filed an infringement lawsuit, voided support contracts, etc. I'd be willing to bet some of the terminal equipment for programming the cards is leased as well.

Re:Sure I will pay.... (2, Insightful)

Anonymous Coward | about a year and a half ago | (#42106787)

> ... voided support contracts...

Does this still scare anyone?

Re:Sure I will pay.... (1)

frosty_tsm (933163) | about a year and a half ago | (#42107557)

> ... voided support contracts...

Does this still scare anyone?

Not when their product is enabling easy break-ins.

Re:Sure I will pay.... (0)

Anonymous Coward | about a year and a half ago | (#42107811)

Wouldn't the support contract cover fixing all of these broken locks? Or is it inherently part of the system to be hackable? Or are all the support dollars for nothing?

Re:Sure I will pay.... (1)

SeaFox (739806) | about a year and a half ago | (#42108943)

Wouldn't the support contract cover fixing all of these broken locks? Or is it inherently part of the system to be hackable? Or are all the support dollars for nothing?

They might be treating the situation as "the hardware is functioning correctly as it was designed" and therefore the fix is a new "higher security level" product. Kind of like how if someone figures out how to pick a 5-pin lock the maker isn't on the hook to give you a new 7-pin lock or a design that uses different arrangement of the pins to prevent the original method from working.

If this was a pure software venerability the picture might be different, but since replacing the board is requirement they could be framing this as "the lock is as good as we could make it for this product" and the hotel must be needing a "better" lock for their application.

Re:Sure I will pay.... (2)

Gordonjcp (186804) | about a year and a half ago | (#42107085)

voided support contracts

Voided the support contract that says they don't have to fix a lock that doesn't actually lock in any conventionally meaningful sense of the term?

Re:Sure I will pay.... (1)

SeaFox (739806) | about a year and a half ago | (#42108861)

Very likely there exists a patent which covers some aspect of the board design for fitting in that slot, or interfacing with the remaining mechanism, etc.

You probably could easily design a board to fit, but it would be seconds before Onity filed an infringement lawsuit, voided support contracts, etc.

Voiding support contracts on hardware we've replaced? O_o
If you mean other systems related to this, something tells me they wouldn't support it at that point anyway even if they weren't upset about a patent infringement on the board design.

Re:Sure I will pay.... (1)

Princeofcups (150855) | about a year and a half ago | (#42106929)

If I were one of Onity's competitors, I would be fast-tracking a replacement system that uses the existing housings at least. Their lunch is right there, on the table, practically begging to get eaten.

Do you really think that the housing design is not patented? That would be a remarkable oversight on Onity's part.

Re:Sure I will pay.... (3, Insightful)

plover (150551) | about a year and a half ago | (#42106145)

The replacement boards slide right into the existing locks, which the competitors product will not do.

Yet.

There seems to be a market opportunity here for a vendor who can provide a trustworthy replacement board at a reasonable price. Of course, that means replacing the programming station as well, but it would get a hotel to a potentially better engineered solution, especially if the system was Open Source and scrutinized by the public eye for vulnerabilities.

Re:Sure I will pay.... (1)

Anonymous Coward | about a year and a half ago | (#42106431)

"There seems to be a market opportunity here for a vendor who can provide a trustworthy replacement board at a reasonable price."

1. Offer
2. Burgle
3. Raise prices
4. Re-offer
5. Profit

Re:Sure I will pay.... (1)

Lumpy (12016) | about a year and a half ago | (#42106879)

"There seems to be a market opportunity here for a vendor who can provide a trustworthy replacement board at a reasonable price." Have you ever dealt with a hotel for selling them things or security? Their idea of "reasonable price" is about $3.00. The hotel industry is notorious for being Half assed cheapskates.

Re:Sure I will pay.... (1)

plover (150551) | about a year and a half ago | (#42108953)

Oh, I know they don't like to spend money. But if the choice is between being forced into an upgrade by a clearly untrustworthy vendor for $50/room, and an unknown but Open Source vendor for $40/room, I should think that the money would win out above all other factors. And yes, I hear you that the preferential option that will likely be chosen by the sleazier hotels (read: almost all of them) will be to do nothing for $0/room.

But all of that has to be weighed against the potential for lawsuits filed by burglary victims, or worse, by people who are assaulted on your property due in part to a failure of security. Upgrading all the locks in an entire building wing is likely cheaper than fighting a lawsuit that you are almost certain to lose if you knew about the problem but didn't upgrade.

Re:Sure I will pay.... (0)

Anonymous Coward | about a year and a half ago | (#42107117)

The replacement boards slide right into the existing locks, which the competitors product will not do.

Yet.

There seems to be a market opportunity here for a vendor who can provide a trustworthy replacement board at a reasonable price. Of course, that means replacing the programming station as well, but it would get a hotel to a potentially better engineered solution, especially if the system was Open Source and scrutinized by the public eye for vulnerabilities.

The alternative would be to fit a state of the art modern mechanical lock. It can probably be picked but not inside any timeframe that would work for a hotel thief. That require the their to force the locks which would be way more quickly noticed than a digital hack or scam his/her way in. I suppose he could try stealing master keys but that's all of those are already harder and more risky than just plugging in a netbook and downloading an encryption key. If you have separate masters for different sections of the hotel and keep a single set in the safe in the security cheif's office and another in a bank in a safety deposit box and set up a proper security/surveillance system it would still give you more security than these digital locks. If something like this happens with digital locks you might as well leave every room in the hotel unlocked.

Re:Sure I will pay.... (0)

Anonymous Coward | about a year and a half ago | (#42107939)

Then you have to pay a locksmith to change the lock every time a customer walks off with one of your keys, or several locks in the case of housekeeping loosing/walking off with one of the zone mater keys.

The point behind digital locks is not to make rooms harder to break into, it's to make it easier to revoke lost/stolen keys, which in the case of a sizable hotel where literally hundreds of issue/revoke cycles can happen in a day will make the hotel as a whole more secure.

Re:Sure I will pay.... (4, Informative)

Vellmont (569020) | about a year and a half ago | (#42107133)

You assume hotels think that security is some sort of top priority. It's not. You think that there aren't hundreds of people that could open your hotel room?

If push comes to shove, I guarantee you the preferred solution for 99% of hotels will be simply securing the physical port, and not monkeying around with circuit boards or replacing the whole system entirely. It's just too expensive for too little benefit. Hotel rooms aren't meant to be Fort Knox.

Re:Sure I will pay.... (1)

Ravaldy (2621787) | about a year and a half ago | (#42107969)

When a manufacturer screws up, they will normally agree to eat a portion of the cost but not all if it's going to bankrupt them. It's in the best interest of the hotel to agree to a reasonnable price as the cost to replace the system is probably much more. This again depends on if the system as a whole is a failure or not.

The way I see it, a bankrupted company will give you nothing so you're better off working with them...

And a normal locksmith will also charge (3, Insightful)

Gr33nJ3ll0 (1367543) | about a year and a half ago | (#42105683)

Normal key locks are vulnerable to various cheap lock picks as well, and, shock of shocks, a locksmith will charge you to upgrade those locks as well. So.... where's the story? I don't see anything on slashdot about normal burglars breaking into house with zipguns and the like, why is THIS news?

Re:And a normal locksmith will also charge (5, Informative)

dav1dc (2662425) | about a year and a half ago | (#42105723)

I believe its geek appeal is derived from the fact that a software hack utilized to break the locks, rather than a physical set of lock picks.

There is also a sub-text about the social responsibility and obligation that manufacturers have to patch security holes found in their devices in a timely manner I suspect as well.

Re:And a normal locksmith will also charge (0)

Anonymous Coward | about a year and a half ago | (#42106693)

It's entirely irrelevant because using a simple plastic cars you can shim any hotel door open instantly.

Source: I worked for a hotel and when the batteries died in a door that a guest needed into in a hurry we did exactly this, often to the amusement or horror of the guest to which we strongly recommended using the flip lock and taking valuables with you when you go out.

Re:And a normal locksmith will also charge (2)

Richy_T (111409) | about a year and a half ago | (#42107749)

You must have worked in a shitty hotel with equally shitty locks. I don't think I've stayed in a hotel where that would work that I've noticed.

Re:And a normal locksmith will also charge (2)

Zero__Kelvin (151819) | about a year and a half ago | (#42105737)

Because we didn't know about it two hours ago, and now we do. It is news for the same reason that I'm certain it appeared on the local news stations in the area. True, their perspective and spin on it certainly differed, but the events happened and then those events were reported. We call that news in the English language.

Re:And a normal locksmith will also charge (3, Informative)

wvmarle (1070040) | about a year and a half ago | (#42105803)

Those locks are not sold as highly secure or so. While I'm quite positive Onity will have used "high security" as one of their sales pitches - part of the reason to use such expensive locks is that a guest not returning a key is not an issue any more, and that the keys are not so easy to copy.

Re:And a normal locksmith will also charge (2, Interesting)

h4rr4r (612664) | about a year and a half ago | (#42105959)

Not so easy to copy?
A cheap card encoder can be had for under $100.

Re:And a normal locksmith will also charge (4, Interesting)

wvmarle (1070040) | about a year and a half ago | (#42106099)

Cards have a built-in expiry date; usually the date you're supposed to leave the hotel. When extending your stay, they will update your card. So while you may be able to copy them, it's not exactly useful.

Re:And a normal locksmith will also charge (1)

Lumpy (12016) | about a year and a half ago | (#42106895)

REally? I can get my hands on a maids key far easier than a room key. and those dont expire. Oh and they let me in EVERY room.

Re:And a normal locksmith will also charge (3, Informative)

kootsoop (809311) | about a year and a half ago | (#42107595)

Actually, housekeeping staff keys are often set to expire on a daily basis. The first thing a housekeeper needs to do in the morning is to revalidate their card. If the card isn't revalidated in time, it needs to human intervention (other than the housekeeper) to be reactivates. Source: I used to work for Onity's parent company (UTC Fire & Security, as it was then), and I worked requirements for some of Onity's newer products.

Re:And a normal locksmith will also charge (1)

Lumpy (12016) | about a year and a half ago | (#42108621)

Even in that case, one swipe and I have at least 8 hours to ransack as many rooms as I need to.

This is the biggest problem, The door locks are so cheap they dont report suspicious behavioral patterns like keycard 44372 is being used over and over rapidly across the facility or at two places at once., heck they dont even keep a log.

Re:And a normal locksmith will also charge (1)

markxz (669696) | about a year and a half ago | (#42109167)

To spot suspicious activity the locks would need to be networked. For retrofitting into an existing hotel this would not have been practical so a stand-alone system was developed.

Some systems do keep logs (the Ving Classic lock claims to store 600 events) so it would be possible to see which cards have opened the lock.

Re:And a normal locksmith will also charge (1)

Applekid (993327) | about a year and a half ago | (#42106141)

Only if you can get a copy of a maintenance or master key.

Re:And a normal locksmith will also charge (1)

Rob the Bold (788862) | about a year and a half ago | (#42106265)

Only if you can get a copy of a maintenance or master key.

Thieves have done it with traditional keys. I think they could use the same practices and skill set to get the keycard version, too.

Re:And a normal locksmith will also charge (0)

Anonymous Coward | about a year and a half ago | (#42107785)

Traditional, physical lock/keys combinations are much more difficult to change when someone checks out of the room. This means that a would-be burglar could make an imprint and subsequent copy of the traditional key and burgle that room at their leisure. Additionally, most locks which can be opened by a 'master key' can have that master key reverse engineered simply by comparing 2-4 non-master keys for that lock set. This means that someone could, potentially, get the master key by staying somewhere every few weekends for a month or two. (So long as they got a different room each time.) This would then leave them in possession of a master key which would enable them to burgle every room in the hotel at will.

Magnetic stripe key cards and their locks can be reprogrammed with a new code on a moment's notice, so even if someone *does* leave the hotel without turning in their card, that card will no longer function as a key. Additionally, there doesn't have to *be* a permanent master key, as a given lock can be programmed to accept multiple cards, or a duplicate key can be created based on the lock's currently assigned code.

These factors, combined with the fact that mag-stripe cards are significantly cheaper and easier to replace than a traditional key are the biggest draws of these lock systems.

Re:And a normal locksmith will also charge (0)

Anonymous Coward | about a year and a half ago | (#42106497)

...and how much are mechanical lock picking tools?

(...not to mention the technical learning curve for BOTH comparatively, and proficiency to necessary to employ them during a real live break-in during a well-timed scenario)

Re:And a normal locksmith will also charge (1)

mcgrew (92797) | about a year and a half ago | (#42107437)

I think he meant a physical key isn't as easy to copy, and for a hotel room you'd have to change the lock or whoever had the key last could break right in. With key cards, it takes seconds to reprogram the lock and key.

Re:And a normal locksmith will also charge (1)

Rob the Bold (788862) | about a year and a half ago | (#42106197)

. . . the keys are not so easy to copy.

That made me wonder a little. Enough to do a little googling around . . . Looks like you can get a magstripe reader/writer or an automatic keycutter machine in about the same price range: $500 or so for a basic models. The keycutter looks harder to use to me, just from a quick glance at the instruction manual -- maybe someone into machine shop-type tools and not computers would feel the other way. The card writer would be a more subtle thing to carry around since you'd just stuff it in your laptop bag. The 30lb+ cutter would be a lot less convenient (and a lot noisier). I'm assuming the the "get the key copied at the hardware store" option is out, that they would respect the "do not duplicate" stamp, but that's not necessarily true.

Re:And a normal locksmith will also charge (1)

Anrego (830717) | about a year and a half ago | (#42106465)

The real difference is that the cards are usually invalidated when the guest leaves, so copying the card is mostly useless, unlike a traditional key where they are unlikely to change the lockset after every stay incase the previous guest made a copy of his key.

Re:And a normal locksmith will also charge (3, Insightful)

PlusFiveTroll (754249) | about a year and a half ago | (#42105843)

It depends on how the locks are sold, If they cost 10x as much as a regular lock and advertized to protect against this kind of attack, then yes the lock selling company might have an issue. If I sell you a zipgun proof lock and it's not, it become an issue of product misrepresentation.

Also, up till recently, most people thought of these lock devices as secure, or at least the level of attack that would have to occur would be difficult and rare. Now it's less noticeable to hack these locks then a regular door.

Re:And a normal locksmith will also charge (1)

travisco_nabisco (817002) | about a year and a half ago | (#42106691)

This whole fiasco reminds me of a few years ago when it was determined that you could open one of the Kryptonite bike locks with the end of a Bic pen. These were the locks with the circular keys. In the end, I think it was due to a class action suite, you could get a replacement lock for free that used a different key type.

If every hotel chain that that uses these locks sues, then they will get a replacement deal of some kind.

Re:And a normal locksmith will also charge (1)

Culture20 (968837) | about a year and a half ago | (#42105853)

A zipgun leaves obvious clues, and can draw attention. Lock picks take time, and you don't look like you're using an ordinary key while using them. With this method, presumably it takes little time to cycle through numbers, and if someone sees you in the hallway, it looks no different than a keycard (with a cable running up your jacket sleeve that few would notice). The ease of use combined with the lessened chance of getting caught makes this a story. Of course it's less effective than using a maid's key.

Re:And a normal locksmith will also charge (4, Informative)

Anonymous Coward | about a year and a half ago | (#42106019)

Lock picks take time

Google 'bump key'. They can open a lot of rotary yale-type locks in under 5 seconds.

https://www.youtube.com/watch?v=hr23tpWX8lM (skip to 1:00)

Needless to say I never leave the house without locking a deadbolt too.

Re:And a normal locksmith will also charge (1)

green1 (322787) | about a year and a half ago | (#42108031)

Needless to say I never leave the house without locking a deadbolt too.

Considering that the clip you link to specifically shows using a bump key in a deadbolt... what exactly are you accomplishing?

Now to be fair, I'm sure it's still a good idea to lock your doors with a good deadbolt despite bump keys, but maybe the better option is to get a higher security lock (The clip you link to recommends Medeco, but I was under the impression that they too can be bumped, I believe Abloy locks are one of the few that can't) or get an alarm or a dog (The dog is probably the absolute best security you can have for your house, but it's also the most expensive in terms of ongoing maintenance...)

Re:And a normal locksmith will also charge (3, Interesting)

Runaway1956 (1322357) | about a year and a half ago | (#42106703)

AC's reply deserves your attention - as it's the same thing I was thinking.

Not to mention - I have a huge pile of keys. I have keys that I haven't thrown away since my Navy days, more than thirty years ago. I just don't throw keys away, no matter how "useless" they might seem.

From time to time, I need to open a lock. I examine the lock, think a bit, poke through my big pile of keys, and usually come up with a match. There are three keys that I carry on my key chain that don't fit anything - specific. They just seem to fit a lot of things that need to be opened. There are, after all, only so many combinations that can be cut into a blank key.

I'll admit, though, that I have few keys that are likely to fit motel room doors.

Re:And a normal locksmith will also charge (1)

Culture20 (968837) | about a year and a half ago | (#42106985)

Bumping a lock is a little noisy too, even if you use a rubber mallet. If you try to bump several doors in a hotel hallway, someone's going to notice.

From time to time, I need to open a lock. I examine the lock, think a bit, poke through my big pile of keys, and usually come up with a match.

That is not going to be a fast process like with these keycards. In fact, picking the lock is faster than your method.

Re:And a normal locksmith will also charge (1)

Mr. Freeman (933986) | about a year and a half ago | (#42105957)

It takes much longer for physical methods to work. This system takes almost no time at all.

Re:And a normal locksmith will also charge (1)

mcgrew (92797) | about a year and a half ago | (#42106021)

Normal key locks are vulnerable to various cheap lock picks as well

How fast can you pick an industrial-strength lock? This method takes no longer to get in than using a real card. If you're burglarizing people, you want to get in and out as quick as possible. Plus, how many people know how to pick a lock? This is as easy as using a legit key; anyone can do it, unlike picking a lock.

Re:And a normal locksmith will also charge (2)

Onymous Coward (97719) | about a year and a half ago | (#42106755)

Do folks really use the term "zip gun" for lock pick guns? I thought zip guns were just improvised firearms [wikipedia.org] .

Re:And a normal locksmith will also charge (2)

bdwebb (985489) | about a year and a half ago | (#42107149)

A locksmith may charge you to upgrade those locks but 99% of the time that locksmith is not the creator of the locks he installed and is therefore not responsible for the vulnerabilities therein. In this case, Onity is the manufacturer of these locks and they hold the patents for design and build of the locks. I think as a responsible, forward-thinking company they should be responsible for fixing the vulnerability that caused the loss even though it represents a significant loss...ultimately they are not requried to do so, though.

Onity did offer two fixes to the problem - 1) use a plug for the port to make it inaccessible and utilize torx screws to secure the housing or 2) ship the board back to them for replacement at the customer's expense. While rudimentary tools can make option number 1 useless (a pen casing and a lighter can break through this easily), it would be interesting to see if Onity offers continued warranty support on these products if the customer uses a more permanent solution such as epoxy to plug the hole and block access to the maintenance port. If they do, I would say that while that is still a bit janky, the company is at least willing to meet customers 1/4 of the way if not half the way. Ultimately IMO Onity should replace these at their expense because it is their junk equipment - since they have effectively given the finger to their customers, though, it would be interesting to see what percentage of their keycard lock business goes to competitors over the next few years.

Re:And a normal locksmith will also charge (2)

Capt.Albatross (1301561) | about a year and a half ago | (#42108155)

So.... where's the story? I don't see anything on slashdot about normal burglars breaking into house with zipguns and the like, why is THIS news?

Security, and in particular the continuing use of amateurs to develop software and systems that should be secure, is a topic that definitely belongs here (as would new developments in lock-picking, in my opinion).

This lock was very badly designed, and Onity acted irresponsibly in not taking security seriously (and for a lock, no less). It will send a valuable message to the marketplace if they go out of business as a result.

Re:And a normal locksmith will also charge (1)

Bryansix (761547) | about a year and a half ago | (#42108595)

A locksmith is not analogous to a manufacturer. Yes, you pay the locksmith to replace your locks but that doesn't mean you forget about the problem. You can also complain to the manufacturer for making such junk locks. The method for preventing picking in locks has been well known for a long time now. In fact there are many methods. This company was negligent. They should have made the port to reprogram the lock, only accessible if the lock was unlocked or removed from the door.

Re:And a normal locksmith will also charge (0)

Anonymous Coward | about a year and a half ago | (#42108663)

Someone always asks that question. At least in this story it was a bit of an update on the article mentioned in the summery. We knew it was going to happen, and here it is.

A Fix? They're On It, Sort Of (5, Funny)

guttentag (313541) | about a year and a half ago | (#42105707)

Chocolatey = Chocolate, Sort of...
Onity = On It, Sort of...

Ö or Õ? (0)

Anonymous Coward | about a year and a half ago | (#42106469)

I thought it was "oh-nity", like "chocolatey" = "you got chocolate", and "onity" = "you got owned"

Re:Ö or Õ? (0)

Anonymous Coward | about a year and a half ago | (#42106675)

"Ownity".

Re:A Fix? They're On It, Sort Of (1)

wwalker (159341) | about a year and a half ago | (#42106579)

Irony, as opposed to wrinkly (saw it on a t-shirt).

Re:A Fix? They're On It, Sort Of (0)

Anonymous Coward | about a year and a half ago | (#42106747)

I do believe it was a Woot shirt [woot.com] .

Well handled (4, Funny)

slashmydots (2189826) | about a year and a half ago | (#42105757)

The Hyatt says Onity didn't provide a fix until after its break-ins, forcing the hotel to plug its locks' ports with epoxy

Well, at least they issued a patch.

Took them two months?! (4, Interesting)

wvmarle (1070040) | about a year and a half ago | (#42105769)

Surprised it took thieves two months before starting to use this exploit. Even more surprising that the summary says "already".

The exploit was very well documented, and rather simple to copy. It took mere days for YouTube videos showing off the same hack to appear.

It is more likely that other hotels were hit with the issue already, but didn't disclose it to the public for fear of attracting more thieves to their hotels, and/or for the bad publicity and the risk of guests staying away from their insecure rooms.

Re:Took them two months?! (4, Insightful)

rsmith84 (2540216) | about a year and a half ago | (#42105955)

You have to let the chatter about the exploit die down enough so that you can pull the heist off with better success. Going out and attempting it immediately after Black Hat is too risky and the sign of foolish thief.

Re:Took them two months?! (0)

Anonymous Coward | about a year and a half ago | (#42106037)

It must have taken some effort for the hotels to determine that this particular hack was being used in the break-ins, and that fact is not something that can be determined by every hotel security manager out there.

Re:Took them two months?! (4, Insightful)

Rob the Bold (788862) | about a year and a half ago | (#42106411)

Surprised it took thieves two months before starting to use this exploit. Even more surprising that the summary says "already".

Maybe it's only after the exploit was revealed that anyone thought to suspect this was the way some hotel burglaries were happening. We don't necessarily know that Brocious was the first to discover the attack mode -- only that he was the first to publicize it.

Re:Took them two months?! (0)

Anonymous Coward | about a year and a half ago | (#42106545)

Surprised it took thieves two months before starting to use this exploit. Even more surprising that the summary says "already".

The exploit was very well documented, and rather simple to copy. It took mere days for YouTube videos showing off the same hack to appear.

It is more likely that other hotels were hit with the issue already, but didn't disclose it to the public for fear of attracting more thieves to their hotels, and/or for the bad publicity and the risk of guests staying away from their insecure rooms.

Correction: it took two months for a hotel:

1. Figure it out
2. Admit it.
3. Be picked up as a story by a news media organization

Paying for a fix that should have in place? (0)

grumpyman (849537) | about a year and a half ago | (#42105829)

Now who's the robber/thief?

Re:Paying for a fix that should have in place? (2)

Lieutenant_Dan (583843) | about a year and a half ago | (#42106005)

Easy now; don't blame something on stupidity that you assign to sheer incompetence. Or a third variation, towards a quest of more profit!

I can design a super-secure lock. It will cost more to develop, and then it will cost more to produce, which will raise its price. Which in turn will lower my potential customers (90% of folks just want a lock that can be easily managed and is simple for their users). The accounting people said, "Do the simpler version, it will be good enough and return us 87% more profit. BTW, we already printed the brochures so your comments are moot."

If Onity comes up with a more secure model then it could well be that there is a cost associated. Mind you, this is a PR nightmare, so some companies would just eat the cost.

The hotels bought a lock for a specific purpose. It provides a decent detterent. Someone motivated will always find a way in.

Car analogy: You bought the BMW 325 to impress your friends while driving with the collar of your polo shirt up. It turns out that thieves can steal your muffler for the precious precious platinum in the catalyctic converted. The brand new M3 model developed after the news broke out has the muffler protected by the body. Do you expect a free upgrade from BMW?

Re:Paying for a fix that should have in place? (1)

rockiams (12481) | about a year and a half ago | (#42106181)

I don't think your car analogy is accurate. In this case I bought the BMW(and really a 325 impresses my friends? I need better friends!) to impress my friends, not to protect the platinum in my muffler. If someone steals my muffler, my friends should still be impressed by my status symbol, so long as it isn't running. (Unless my friends are Joe Dirt, and then that loud roar is badass, yeeehaawww!)

A lock on the other hand, was purchased for the sole purpose of denying entry to unauthorized people. It failed to do so.

So I guess a better car analogy would be I bought a BMW 750i to impress my friends, but since they are all hippie GNU users who shun material things, it failed to do so. I would have been better off buying a Tesla Motors car to appeal to their green side.

Oh wait, the car didn't fail, my friends failed to appreciate the Ultimate Driving Machine. Sorry, my car-analogy-fu is weak today.

Re:Paying for a fix that should have in place? (1)

Lieutenant_Dan (583843) | about a year and a half ago | (#42106291)

Well done. Yeah, I suck at car analogies. The thing is, the muffler is an important ingredient in the overall product.

One could argue that the only "key" (pun partly intended) feature is the security of the room protected by the lock as you rightly stated, and yes, it failed to do so. The other pieces would be the management of the cards, auditing of entry to the rooms and the wow factor to the clientele.
Could also the argument not be made that it would deter 99.99% of unauthorized access? In most circles, that would be pretty good. This is not a trivial exploit either.

Your analogy has more potential than mine: maybe you expect BMW to get you a Tesla or a new set of country-club friends?

Re:Paying for a fix that should have in place? (2)

rockiams (12481) | about a year and a half ago | (#42106699)

I would argue that the muffler is not as important, more akin to the management of cards or the 'wow factor.' A car's main function is transportation, so if it fails that it almost can't impress anyone. So a lock can have several ancillary features but if it is easily defeated, it gets a fail in my book.

And I am not sure how you would measure a lock to get the 99.99% and if that number is even possible for a lock(Google 'myth 5 9s')

And I am happy with my hippie GNU friends...and I let MUNI drive me around, so I'm probably not impressing anyone who would be impressed by a car. I would love to drive a Tesla for a couple of days though.

Re:Paying for a fix that should have in place? (1)

stabiesoft (733417) | about a year and a half ago | (#42107049)

The car analogy is simple. The uber secure keyless systems in cars turned out to be insecure like the hotel rooms. Maybe a tad more difficult to break, but still very breakable. BMW is one of the lucky ones to be hacked. Just one example http://www.geekosystem.com/keyless-bmw-hacked-3-minutes/ [geekosystem.com]

Re:Paying for a fix that should have in place? (1)

plover (150551) | about a year and a half ago | (#42106257)

Car analogy: You bought the BMW 325 to impress your friends while driving with the collar of your polo shirt up. It turns out that thieves can steal your muffler for the precious precious platinum in the catalyctic converted. The brand new M3 model developed after the news broke out has the muffler protected by the body. Do you expect a free upgrade from BMW?

+1 for the car analogy. And as far as my ancient Ford truck goes, I don't think they'd issue a recall for anything other than a safety issue. But a BMW? I would indeed expect a product recall from BMW, where they would freely install some "catalytic converter locks" that would be nearly as effective as the body redesign solution you hypothesized.

Re:Paying for a fix that should have in place? (0)

Anonymous Coward | about a year and a half ago | (#42106319)

Easy now; don't blame something on stupidity that you assign to sheer incompetence.

*sigh* All right, all right, I'll take one for the team and ask. What, pray tell, IS the difference between stupidity and incompetence in this context?

Re:Paying for a fix that should have in place? (2)

Lieutenant_Dan (583843) | about a year and a half ago | (#42106421)

Nicely caught. I meant to say "malice" instead of "stupidity". I'm stuck in a two-hour meeting with the project management team at work, so my subsconscious let out a small cry for help in my post.

Re:Paying for a fix that should have in place? (0)

Anonymous Coward | about a year and a half ago | (#42106539)

The car analogy failed. The hotels needed a lock and were sold something that lets the baddies open it easily enough.
A more apt car analogy: you buy your BMW, later some hackers discover that the car speed can be remotely limited to 2kmh, do you expect a free upgrade from BMW? hell yes, i wanted a car, not a semovent piece of furniture.

Where is the next story? (1)

paiute (550198) | about a year and a half ago | (#42106031)

I am waiting for the story about Cody Brocious being sued by Onity for enabling this crime.

Re:Where is the next story? (1)

Lieutenant_Dan (583843) | about a year and a half ago | (#42106119)

Considering that he went for glory by not providing some professional courtesy (your mileage may vary) and disclosing this to Onity before his Black Hat presentation, he may get suffer potentially a bit by "enabling crimininals to circumvent the protection offered by the lock". It is a Black Hat conference after all, so the motivations and the spirit is a tad different other "community" InfoSec conferences. I won't argue what the right approach is. At the end of the day, the vulnerability probably shouldn't exist, so the fault lies entirely with Onity there.

As well, Onity is asleep at the wheel. It was July when the problem surfaced. In September the thefts happened. It's now November.

Someone in PR and Media Relations at Onity isn't doing their job. R&D is probably working overtime and Legal Affairs is probably writing up something nice to make an example of Cody.

Onity provides a fix .... for a fee. (5, Informative)

140Mandak262Jamuna (970587) | about a year and a half ago | (#42106055)

Onity has announced two step solution. The first one is making it difficult to access the port. There is a cover at the bottom it looks like and they are strengthening it. May be metal instead of plastic. And adding a *security* torx screw too. Yeah, may be they will also make it need pentalobulous head like Apple iPads. But all it will do is to slow down but can't stop the intruder. This part is free.

They are also providing a software solution. Even when the locks are programmable and upgradable, flashing the new firmware is available for a "nominal" fee. And if your lock does not have upgradable firmware? Well, you need to call in and ask for the price. I think the current pricing is one arm and one leg per upgrade.

http://www.securityinfowatch.com/news/10766203/onity-provides-lock-upgrades-following-hack [securityinfowatch.com]

Re:Onity provides a fix .... for a fee. (0)

Anonymous Coward | about a year and a half ago | (#42106191)

Hey man, thanks for the info. Funny you mentioned the security torx. Had to open my PVR and get a special screwdriver. Nothing secure there.

Re:Onity provides a fix .... for a fee. (0)

Anonymous Coward | about a year and a half ago | (#42106377)

I think you mean one ARM [based bored] and one leg.

Re:Onity provides a fix .... for a fee. (0)

Anonymous Coward | about a year and a half ago | (#42106751)

Is the total fee less than the cost of a complete retrofit minus the price you could get for the used system on eBay?

Brocious has identified a 32-bit key [webpronews.com] that identifies the hotel’s “sitecode.” The worst part is that every Onity lock has this key. By reading the key back to the lock, the lock opens. The hack is so simple that he’s surprised more people haven’t found out about it yet.

A 32-bit key... really!

After reading this, what surprises me is that Onity is still in business.

Re:Onity provides a fix .... for a fee. (0)

Anonymous Coward | about a year and a half ago | (#42106931)

Particularly since AES-128 can be run just fine and with reasonable performance (well, fast enough that encrypting serial port communications does not slow it down) on a simple ATmega 8-bit microcontroller.

who to blame (0)

Anonymous Coward | about a year and a half ago | (#42106259)

usually socially the person who figured it out gets the blame for letting this dangerous knowledge out and into the hands of criminal rather than the criminal who used it but it isn't like criminals wouldn't have figured it out as then it would just be reported as hotel theft and be left at that until it becomes an epidemic which would get less of an outrage as there is a proper role of victim and perpetrator rather than the perception of someone openly teaching someone how to steal

Even though this is the Hyatt... (1)

Phelony (2628303) | about a year and a half ago | (#42106613)

Why is it when I hear "Texas" and "Hotel", I think of an obese tattooed couple with a meth lab in a suitcase? (obviously both meat-eaters??)

Re:Even though this is the Hyatt... (1)

Redmancometh (2676319) | about a year and a half ago | (#42106977)

Because you're an ignorant asshole. It DID end in a question mark...

Re:Even though this is the Hyatt... (3, Insightful)

Richy_T (111409) | about a year and a half ago | (#42108011)

Dunno? Deep seated prejudice and intolerance?

Hotel in room safes are not much better (4, Interesting)

trout007 (975317) | about a year and a half ago | (#42107381)

I was in a hotel with an in room safe. My kid closed the door and managed to lock it so I called maintenance. The guy came up and hit the # key twice to enter supervisor mode then keyed in 6 9's. Here is a video I shot after he left. I'm pretty sure they don't have an override maintenance code for each room. You could try a few standard combos on your room to figure it out for the hotel. Or just get maintenance up to your room to show you it.

https://www.youtube.com/watch?v=UYjJuE7l7VM [youtube.com]

"Get's Real"? (1)

Richy_T (111409) | about a year and a half ago | (#42108113)

Next up: Apple to Samsung: "Oh no you din't" and "Axe Slashdot"

Re:"Get's Real"? (1)

Richy_T (111409) | about a year and a half ago | (#42108129)

Arg. Apostrophe blunder...

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...