Hotel Keycard Lock Hack Gets Real In Texas
Sparrowvsrevolution writes "You may remember a vulnerability in four million keycard locks presented at the Black Hat conference in July. Hacker Cody Brocious showed he could insert a device he built for less than $50 into the port at the bottom of the common hotel lock, read a key out of its memory, and open it in seconds. Two months later, it turns out at least one burglar was already making use of that technique to rob a series of hotel rooms in Texas. The Hyatt House Galleria in Houston has revealed that in at least three September cases of theft from its rooms, the thief used that Onity vulnerability to effortlessly open rooms and steal valuables like laptops. Petra Risk Solutions, an insurance firm focused on the hospitality industry, also reports that at least two other hotels in Texas were hit with the attack. Onity has been criticized for its less-than-stellar response to a glaring vulnerability in its devices. The Hyatt says Onity didn't provide a fix until after its break-ins, forcing the hotel to plug its locks' ports with epoxy. And even now, Onity is asking its hotel customers to pay for the full fix, which involves replacing the locks' circuit boards."
Not "rob", burglarize (Score:1, Informative)
...unless the victim was present.
Re:And a normal locksmith will also charge (Score:5, Informative)
I believe its geek appeal is derived from the fact that a software hack was utilized to break the locks, rather than a physical set of lock picks.
There is also a sub-text about the social responsibility and obligation that manufacturers have to patch security holes found in their devices in a timely manner, I suspect, as well.
Re:And a normal locksmith will also charge (Score:4, Informative)
Those locks are not sold as highly secure or so. While I'm quite positive Onity will have used "high security" as one of their sales pitches - part of the reason to use such expensive locks is that a guest not returning a key is not an issue any more, and that the keys are not so easy to copy.
Re:And a normal locksmith will also charge (Score:4, Informative)
Lock picks take time
Google 'bump key'. They can open a lot of rotary yale-type locks in under 5 seconds.
https://www.youtube.com/watch?v=hr23tpWX8lM (skip to 1:00)
Needless to say I never leave the house without locking a deadbolt too.
Onity provides a fix .... for a fee. (Score:5, Informative)
They are also providing a software solution. Even when the locks are programmable and upgradable, flashing the new firmware is available for a "nominal" fee. And if your lock does not have upgradable firmware? Well, you need to call in and ask for the price. I think the current pricing is one arm and one leg per upgrade.
http://www.securityinfowatch.com/news/10766203/onity-provides-lock-upgrades-following-hack [securityinfowatch.com]
Re:Not "rob", burglarize (Score:5, Informative)
Re:Sure I will pay.... (Score:5, Informative)
You assume hotels think that security is some sort of top priority. It's not. You think that there aren't hundreds of people that could open your hotel room?
If push comes to shove, I guarantee you the preferred solution for 99% of hotels will be simply securing the physical port, and not monkeying around with circuit boards or replacing the whole system entirely. It's just too expensive for too little benefit. Hotel rooms aren't meant to be Fort Knox.
Re:And a normal locksmith will also charge (Score:3, Informative)