
Hotel Keycard Lock Hack Gets Real In Texas 132

Posted by timothy
from the those-words-in-that-order dept.
Sparrowvsrevolution writes "You may remember a vulnerability in four million keycard locks presented at the Black Hat conference in July. Hacker Cody Brocious showed he could insert a device he built for less than $50 into the port at the bottom of the common hotel lock, read a key out of its memory, and open it in seconds. Two months later, it turns out at least one burglar was already making use of that technique to rob a series of hotel rooms in Texas. The Hyatt House Galleria in Houston has revealed that in at least three September cases of theft from its rooms, the thief used that Onity vulnerability to effortlessly open rooms and steal valuables like laptops. Petra Risk Solutions, an insurance firm focused on the hospitality industry, also reports that at least two other hotels in Texas were hit with the attack. Onity has been criticized for its less-than-stellar response to a glaring vulnerability in its devices. The Hyatt says Onity didn't provide a fix until after its break-ins, forcing the hotel to plug its locks' ports with epoxy. And even now, Onity is asking its hotel customers to pay for the full fix, which involves replacing the locks' circuit boards."

  • by Anonymous Coward

    ...unless the victim was present.

  • by Anonymous Coward on Tuesday November 27, 2012 @11:23AM (#42105671)

    ....for a broken product you gave me......who are your competitors?

    • by h4rr4r (612664)

      That would be even more expensive.
      The replacement boards slide right into the existing locks, which the competitors' product will not do.

      • by Applekid (993327) on Tuesday November 27, 2012 @12:13PM (#42106127)

        If I were one of Onity's competitors, I would be fast-tracking a replacement system that uses the existing housings at least. Their lunch is right there, on the table, practically begging to get eaten.

        • by IndustrialComplex (975015) on Tuesday November 27, 2012 @01:12PM (#42106651)

          Very likely there exists a patent which covers some aspect of the board design for fitting in that slot, or interfacing with the remaining mechanism, etc.

          You probably could easily design a board to fit, but it would be seconds before Onity filed an infringement lawsuit, voided support contracts, etc. I'd be willing to bet some of the terminal equipment for programming the cards is leased as well.

          • Re: (Score:2, Insightful)

            by Anonymous Coward

            > ... voided support contracts...

            Does this still scare anyone?

            • > ... voided support contracts...

              Does this still scare anyone?

              Not when their product is enabling easy break-ins.

          • by Gordonjcp (186804)

            voided support contracts

            Voided the support contract that says they don't have to fix a lock that doesn't actually lock in any conventionally meaningful sense of the term?

          • by SeaFox (739806)

            Very likely there exists a patent which covers some aspect of the board design for fitting in that slot, or interfacing with the remaining mechanism, etc.

            You probably could easily design a board to fit, but it would be seconds before Onity filed an infringement lawsuit, voided support contracts, etc.

            Voiding support contracts on hardware we've replaced? O_o
            If you mean other systems related to this, something tells me they wouldn't support it at that point anyway even if they weren't upset about a patent infringement on the board design.

            • I was thinking of things like the POS hw or the software system that manages all the keys, accesses, etc.

              Such a system would manage employee access logins, assigning keys, revoking, inventory, logs.

              It's not that complicated, but it isn't trivial.
              The door locks are probably just one part of a comprehensive system.

        • If I were one of Onity's competitors, I would be fast-tracking a replacement system that uses the existing housings at least. Their lunch is right there, on the table, practically begging to get eaten.

          Do you really think that the housing design is not patented? That would be a remarkable oversight on Onity's part.

          • That would be a remarkable oversight on Onity's part.

            So is having the unencrypted software keys accessible from the external service port. What's your point?

            "Remarkable oversight" seems to be the company motto....

      • by plover (150551) on Tuesday November 27, 2012 @12:14PM (#42106145) Homepage Journal

        The replacement boards slide right into the existing locks, which the competitors' product will not do.

        Yet.

        There seems to be a market opportunity here for a vendor who can provide a trustworthy replacement board at a reasonable price. Of course, that means replacing the programming station as well, but it would get a hotel to a potentially better engineered solution, especially if the system was Open Source and scrutinized by the public eye for vulnerabilities.

        • by Anonymous Coward

          "There seems to be a market opportunity here for a vendor who can provide a trustworthy replacement board at a reasonable price."

          1. Offer
          2. Burgle
          3. Raise prices
          4. Re-offer
          5. Profit

          • Not quite.
            1. offer (Profit)
            2. Burgle (Profit)
            3. Raise prices (Profit)
            4. Re-offer (Profit)
            5. Profit (Re-Profit)

            FTFY

            There seems to be profit in every layer, except for the customer (hotel) and the hotel guest, who is the one paying for it all in the end.
            I wonder how much the guests are suing for? I would certainly hope they all had tens of thousands of family heirloom jewels and a new alienware in there.

        • by Lumpy (12016)

          "There seems to be a market opportunity here for a vendor who can provide a trustworthy replacement board at a reasonable price." Have you ever dealt with a hotel for selling them things or security? Their idea of "reasonable price" is about $3.00. The hotel industry is notorious for being half-assed cheapskates.

          • by plover (150551)

            Oh, I know they don't like to spend money. But if the choice is between being forced into an upgrade by a clearly untrustworthy vendor for $50/room, and an unknown but Open Source vendor for $40/room, I should think that the money would win out above all other factors. And yes, I hear you that the preferential option that will likely be chosen by the sleazier hotels (read: almost all of them) will be to do nothing for $0/room.

            But all of that has to be weighed against the potential for lawsuits filed by bu

        • by Vellmont (569020) on Tuesday November 27, 2012 @02:03PM (#42107133)

          You assume hotels think that security is some sort of top priority. It's not. You think that there aren't hundreds of people that could open your hotel room?

          If push comes to shove, I guarantee you the preferred solution for 99% of hotels will be simply securing the physical port, and not monkeying around with circuit boards or replacing the whole system entirely. It's just too expensive for too little benefit. Hotel rooms aren't meant to be Fort Knox.

          • by rHBa (976986)
            Also, I bet 99% of break-ins aren't down to technical vulnerabilities but are caused by social engineering attacks (or as I call it in this case: PEBKAFD, Problem Exists Between Keycard And Front Desk).

            So I can see why replacing millions of $$$ worth of hardware to fix 1% of break-ins would sound like a false economy.
    • by Ravaldy (2621787)

      When a manufacturer screws up, they will normally agree to eat a portion of the cost but not all if it's going to bankrupt them. It's in the best interest of the hotel to agree to a reasonable price as the cost to replace the system is probably much more. This again depends on if the system as a whole is a failure or not.

      The way I see it, a bankrupted company will give you nothing so you're better off working with them...

  • by Gr33nJ3ll0 (1367543) on Tuesday November 27, 2012 @11:24AM (#42105683)
    Normal key locks are vulnerable to various cheap lock picks as well, and, shock of shocks, a locksmith will charge you to upgrade those locks as well. So.... where's the story? I don't see anything on slashdot about normal burglars breaking into houses with zipguns and the like, why is THIS news?
    • by dav1dc (2662425) on Tuesday November 27, 2012 @11:29AM (#42105723) Homepage

      I believe its geek appeal is derived from the fact that a software hack was utilized to break the locks, rather than a physical set of lock picks.

      There is also a sub-text about the social responsibility and obligation that manufacturers have to patch security holes found in their devices in a timely manner I suspect as well.

      • by drkim (1559875)

        I believe its geek appeal is derived from the fact that a software hack was utilized to break the locks, rather than a physical set of lock picks.

        But, like a set of lock picks, you still need a physical device to insert in the lock and apply the software hack.

        Still geeky, though...

    • Because we didn't know about it two hours ago, and now we do. It is news for the same reason that I'm certain it appeared on the local news stations in the area. True, their perspective and spin on it certainly differed, but the events happened and then those events were reported. We call that news in the English language.
    • by wvmarle (1070040) on Tuesday November 27, 2012 @11:37AM (#42105803)

      Those locks are not sold as highly secure or so. While I'm quite positive Onity will have used "high security" as one of their sales pitches - part of the reason to use such expensive locks is that a guest not returning a key is not an issue any more, and that the keys are not so easy to copy.

      • Re: (Score:3, Interesting)

        by h4rr4r (612664)

        Not so easy to copy?
        A cheap card encoder can be had for under $100.

        • by wvmarle (1070040) on Tuesday November 27, 2012 @12:08PM (#42106099)

          Cards have a built-in expiry date; usually the date you're supposed to leave the hotel. When extending your stay, they will update your card. So while you may be able to copy them, it's not exactly useful.

          • by Lumpy (12016)

            Really? I can get my hands on a maid's key far easier than a room key, and those don't expire. Oh, and they let me in EVERY room.

            • Re: (Score:3, Informative)

              by kootsoop (809311)
              Actually, housekeeping staff keys are often set to expire on a daily basis. The first thing a housekeeper needs to do in the morning is to revalidate their card. If the card isn't revalidated in time, it needs human intervention (other than the housekeeper) to be reactivated. Source: I used to work for Onity's parent company (UTC Fire & Security, as it was then), and I worked requirements for some of Onity's newer products.
              • by Lumpy (12016)

                Even in that case, one swipe and I have at least 8 hours to ransack as many rooms as I need to.

                This is the biggest problem: the door locks are so cheap they don't report suspicious behavioral patterns like keycard 44372 being used over and over rapidly across the facility or at two places at once. Heck, they don't even keep a log.

                • by markxz (669696)

                  To spot suspicious activity the locks would need to be networked. For retrofitting into an existing hotel this would not have been practical so a stand-alone system was developed.

                  Some systems do keep logs (the Ving Classic lock claims to store 600 events) so it would be possible to see which cards have opened the lock.
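
The pattern check Lumpy describes, run offline over audit records pulled from stand-alone locks of the logging kind markxz mentions, as an added example that is not part of either comment. The export format, the door numbering (first two digits = floor), the thresholds and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical export format:
# "<ISO timestamp> door=<4 digits, first two = floor> card=<id>"
SAMPLE_LOG = """\
2012-09-07T14:02:11 door=0412 card=44372
2012-09-07T14:03:40 door=0414 card=44372
2012-09-07T14:05:02 door=0416 card=44372
2012-09-07T14:06:30 door=0418 card=44372
2012-09-07T14:06:41 door=0903 card=44372
2012-09-07T14:10:00 door=0520 card=10021
2012-09-07T18:45:00 door=0520 card=10021
2012-09-07T09:00:00 door=0301 card=70001
2012-09-07T09:25:00 door=0302 card=70001
2012-09-07T09:50:00 door=0303 card=70001
"""


def parse_events(text):
    """Return (timestamp, door, card) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            fields = dict(p.split("=", 1) for p in parts[1:])
            events.append((ts, fields["door"], fields["card"]))
        except (ValueError, KeyError):
            continue
    return events


def by_card(events):
    """Group events per card, ordered by time."""
    grouped = defaultdict(list)
    for ts, door, card in sorted(events):
        grouped[card].append((ts, door))
    return grouped


def rapid_multi_door(events, window=timedelta(minutes=10), min_doors=4):
    """Cards that opened at least min_doors distinct doors inside one window.

    Returns {card: largest number of distinct doors seen in any window}.
    Staff cards legitimately open many doors, so thresholds need tuning
    per card class before this is useful on real data.
    """
    flagged = {}
    for card, seq in by_card(events).items():
        start = 0
        for end in range(len(seq)):
            # Slide the window start forward until it spans <= window.
            while seq[end][0] - seq[start][0] > window:
                start += 1
            doors = {door for _, door in seq[start:end + 1]}
            if len(doors) >= min_doors:
                flagged[card] = max(flagged.get(card, 0), len(doors))
    return flagged


def two_places_at_once(events, min_travel=timedelta(seconds=30)):
    """Consecutive uses of one card on different floors closer than min_travel.

    Assumes lock clocks are roughly in sync; stand-alone locks drift, so
    min_travel has to exceed the expected drift to avoid false hits.
    """
    hits = []
    for card, seq in by_card(events).items():
        for (t1, d1), (t2, d2) in zip(seq, seq[1:]):
            if d1[:2] != d2[:2] and t2 - t1 < min_travel:
                hits.append((card, d1, d2, (t2 - t1).total_seconds()))
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(rapid_multi_door(evts))
    print(two_places_at_once(evts))
```

Because the locks are not networked, this only works after the fact, once someone has walked the floor and collected each lock's stored events.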

        • by Applekid (993327)

          Only if you can get a copy of a maintenance or master key.

          • Only if you can get a copy of a maintenance or master key.

            Thieves have done it with traditional keys. I think they could use the same practices and skill set to get the keycard version, too.

        • by mcgrew (92797) *

          I think he meant a physical key isn't as easy to copy, and for a hotel room you'd have to change the lock or whoever had the key last could break right in. With key cards, it takes seconds to reprogram the lock and key.

      • . . . the keys are not so easy to copy.

        That made me wonder a little. Enough to do a little googling around . . . Looks like you can get a magstripe reader/writer or an automatic keycutter machine in about the same price range: $500 or so for a basic model. The keycutter looks harder to use to me, just from a quick glance at the instruction manual -- maybe someone into machine shop-type tools and not computers would feel the other way. The card writer would be a more subtle thing to carry around since you'd just stuff it in your laptop bag. The

        • by Anrego (830717) *

          The real difference is that the cards are usually invalidated when the guest leaves, so copying the card is mostly useless, unlike a traditional key where they are unlikely to change the lockset after every stay in case the previous guest made a copy of his key.

    • by PlusFiveTroll (754249) on Tuesday November 27, 2012 @11:42AM (#42105843) Homepage

      It depends on how the locks are sold. If they cost 10x as much as a regular lock and are advertised to protect against this kind of attack, then yes, the lock selling company might have an issue. If I sell you a zipgun proof lock and it's not, it becomes an issue of product misrepresentation.

      Also, up till recently, most people thought of these lock devices as secure, or at least the level of attack that would have to occur would be difficult and rare. Now it's less noticeable to hack these locks than a regular door.

        This whole fiasco reminds me of a few years ago when it was determined that you could open one of the Kryptonite bike locks with the end of a Bic pen. These were the locks with the circular keys. In the end, I think it was due to a class action suit, you could get a replacement lock for free that used a different key type.

        If every hotel chain that uses these locks sues, then they will get a replacement deal of some kind.
    • by Culture20 (968837)
      A zipgun leaves obvious clues, and can draw attention. Lock picks take time, and you don't look like you're using an ordinary key while using them. With this method, presumably it takes little time to cycle through numbers, and if someone sees you in the hallway, it looks no different than a keycard (with a cable running up your jacket sleeve that few would notice). The ease of use combined with the lessened chance of getting caught makes this a story. Of course it's less effective than using a maid's k
      • by Anonymous Coward on Tuesday November 27, 2012 @11:59AM (#42106019)

        Lock picks take time

        Google 'bump key'. They can open a lot of rotary yale-type locks in under 5 seconds.

        https://www.youtube.com/watch?v=hr23tpWX8lM (skip to 1:00)

        Needless to say I never leave the house without locking a deadbolt too.

        • by green1 (322787)

          Needless to say I never leave the house without locking a deadbolt too.

          Considering that the clip you link to specifically shows using a bump key in a deadbolt... what exactly are you accomplishing?

          Now to be fair, I'm sure it's still a good idea to lock your doors with a good deadbolt despite bump keys, but maybe the better option is to get a higher security lock (The clip you link to recommends Medeco, but I was under the impression that they too can be bumped, I believe Abloy locks are one of the few that can't) or get an alarm or a dog (The dog is probably the absolute best

      • by Runaway1956 (1322357) on Tuesday November 27, 2012 @01:16PM (#42106703) Homepage Journal

        AC's reply deserves your attention - as it's the same thing I was thinking.

        Not to mention - I have a huge pile of keys. I have keys that I haven't thrown away since my Navy days, more than thirty years ago. I just don't throw keys away, no matter how "useless" they might seem.

        From time to time, I need to open a lock. I examine the lock, think a bit, poke through my big pile of keys, and usually come up with a match. There are three keys that I carry on my key chain that don't fit anything - specific. They just seem to fit a lot of things that need to be opened. There are, after all, only so many combinations that can be cut into a blank key.

        I'll admit, though, that I have few keys that are likely to fit motel room doors.

        • by Culture20 (968837)
          Bumping a lock is a little noisy too, even if you use a rubber mallet. If you try to bump several doors in a hotel hallway, someone's going to notice.

          From time to time, I need to open a lock. I examine the lock, think a bit, poke through my big pile of keys, and usually come up with a match.

          That is not going to be a fast process like with these keycards. In fact, picking the lock is faster than your method.

    • It takes much longer for physical methods to work. This system takes almost no time at all.
    • by mcgrew (92797) *

      Normal key locks are vulnerable to various cheap lock picks as well

      How fast can you pick an industrial-strength lock? This method takes no longer to get in than using a real card. If you're burglarizing people, you want to get in and out as quick as possible. Plus, how many people know how to pick a lock? This is as easy as using a legit key; anyone can do it, unlike picking a lock.

      • "Industrial strength lock"? I think not

        I've played with bump keys enough times to be able to unlock any door into my house in under a second or two.

        • by mcgrew (92797) *

          It's been my experience that nobody picks a lock to break into a house, it's easier to just break the door down, as I discovered to my dismay last year. That hundred dollar lock did me no good whatever, they simply pried the door open. The lock held, the door frame didn't.

    • Do folks really use the term "zip gun" for lock pick guns? I thought zip guns were just improvised firearms [wikipedia.org].

    • by bdwebb (985489)
      A locksmith may charge you to upgrade those locks but 99% of the time that locksmith is not the creator of the locks he installed and is therefore not responsible for the vulnerabilities therein. In this case, Onity is the manufacturer of these locks and they hold the patents for design and build of the locks. I think as a responsible, forward-thinking company they should be responsible for fixing the vulnerability that caused the loss even though it represents a significant loss...ultimately they are not
    • So.... where's the story? I don't see anything on slashdot about normal burglars breaking into house with zipguns and the like, why is THIS news?

      Security, and in particular the continuing use of amateurs to develop software and systems that should be secure, is a topic that definitely belongs here (as would new developments in lock-picking, in my opinion).

      This lock was very badly designed, and Onity acted irresponsibly in not taking security seriously (and for a lock, no less). It will send a valuable message to the marketplace if they go out of business as a result.

    • by Bryansix (761547)
      A locksmith is not analogous to a manufacturer. Yes, you pay the locksmith to replace your locks but that doesn't mean you forget about the problem. You can also complain to the manufacturer for making such junk locks. The method for preventing picking in locks has been well known for a long time now. In fact there are many methods. This company was negligent. They should have made the port to reprogram the lock, only accessible if the lock was unlocked or removed from the door.
  • by guttentag (313541) on Tuesday November 27, 2012 @11:27AM (#42105707) Journal
    Chocolatey = Chocolate, Sort of...
    Onity = On It, Sort of...
  • by slashmydots (2189826) on Tuesday November 27, 2012 @11:32AM (#42105757)

    The Hyatt says Onity didn't provide a fix until after its break-ins, forcing the hotel to plug its locks' ports with epoxy

    Well, at least they issued a patch.

    • by bughunter (10093)

      From now on, I'll be providing my own patch. When I'll be travelling, I'll be taking a wad of Mighty Putty [walgreens.com].

      I advise you all to do the same.

    • by AmiMoJo (196126) *

      Epoxying the service ports made the situation worse for Onity, since there is now no way to issue a software fix without opening the lock.

  • by wvmarle (1070040) on Tuesday November 27, 2012 @11:34AM (#42105769)

    Surprised it took thieves two months before starting to use this exploit. Even more surprising that the summary says "already".

    The exploit was very well documented, and rather simple to copy. It took mere days for YouTube videos showing off the same hack to appear.

    It is more likely that other hotels were hit with the issue already, but didn't disclose it to the public for fear of attracting more thieves to their hotels, and/or for the bad publicity and the risk of guests staying away from their insecure rooms.

    • by rsmith84 (2540216) on Tuesday November 27, 2012 @11:52AM (#42105955)
      You have to let the chatter about the exploit die down enough so that you can pull the heist off with better success. Going out and attempting it immediately after Black Hat is too risky and the sign of a foolish thief.
    • by Rob the Bold (788862) on Tuesday November 27, 2012 @12:40PM (#42106411)

      Surprised it took thieves two months before starting to use this exploit. Even more surprising that the summary says "already".

      Maybe it's only after the exploit was revealed that anyone thought to suspect this was the way some hotel burglaries were happening. We don't necessarily know that Brocious was the first to discover the attack mode -- only that he was the first to publicize it.

  • Now who's the robber/thief?
    • Easy now; don't blame something on stupidity that you assign to sheer incompetence. Or a third variation, towards a quest of more profit!

      I can design a super-secure lock. It will cost more to develop, and then it will cost more to produce, which will raise its price. Which in turn will lower my potential customers (90% of folks just want a lock that can be easily managed and is simple for their users). The accounting people said, "Do the simpler version, it will be good enough and return us 87% more pro

      • by rockiams (12481)

        I don't think your car analogy is accurate. In this case I bought the BMW(and really a 325 impresses my friends? I need better friends!) to impress my friends, not to protect the platinum in my muffler. If someone steals my muffler, my friends should still be impressed by my status symbol, so long as it isn't running. (Unless my friends are Joe Dirt, and then that loud roar is badass, yeeehaawww!)

        A lock on the other hand, was purchased for the sole purpose of denying entry to unauthorized people. It fai

        • Well done. Yeah, I suck at car analogies. The thing is, the muffler is an important ingredient in the overall product.

          One could argue that the only "key" (pun partly intended) feature is the security of the room protected by the lock as you rightly stated, and yes, it failed to do so. The other pieces would be the management of the cards, auditing of entry to the rooms and the wow factor to the clientele.
          Could also the argument not be made that it would deter 99.99% of unauthorized access? In most circl

          • by rockiams (12481)

            I would argue that the muffler is not as important, more akin to the management of cards or the 'wow factor.' A car's main function is transportation, so if it fails that it almost can't impress anyone. So a lock can have several ancillary features but if it is easily defeated, it gets a fail in my book.

            And I am not sure how you would measure a lock to get the 99.99% and if that number is even possible for a lock(Google 'myth 5 9s')

            And I am happy with my hippie GNU friends...and I let MUNI drive me around

        • The car analogy is simple. The uber secure keyless systems in cars turned out to be insecure like the hotel rooms. Maybe a tad more difficult to break, but still very breakable. BMW is one of the lucky ones to be hacked. Just one example http://www.geekosystem.com/keyless-bmw-hacked-3-minutes/ [geekosystem.com]

      • by plover (150551)

        Car analogy: You bought the BMW 325 to impress your friends while driving with the collar of your polo shirt up. It turns out that thieves can steal your muffler for the precious precious platinum in the catalytic converter. The brand new M3 model developed after the news broke out has the muffler protected by the body. Do you expect a free upgrade from BMW?

        +1 for the car analogy. And as far as my ancient Ford truck goes, I don't think they'd issue a recall for anything other than a safety issue. But a BMW? I would indeed expect a product recall from BMW, where they would freely install some "catalytic converter locks" that would be nearly as effective as the body redesign solution you hypothesized.

  • I am waiting for the story about Cody Brocious being sued by Onity for enabling this crime.
    • Considering that he went for glory by not providing some professional courtesy (your mileage may vary) and disclosing this to Onity before his Black Hat presentation, he may potentially suffer a bit by "enabling criminals to circumvent the protection offered by the lock". It is a Black Hat conference after all, so the motivations and the spirit are a tad different from other "community" InfoSec conferences. I won't argue what the right approach is. At the end of the day, the vulnerability probably shouldn

  • by 140Mandak262Jamuna (970587) on Tuesday November 27, 2012 @12:02PM (#42106055) Journal
    Onity has announced a two-step solution. The first one is making it difficult to access the port. There is a cover at the bottom, it looks like, and they are strengthening it. Maybe metal instead of plastic. And adding a *security* torx screw too. Yeah, maybe they will also make it need a pentalobulous head like Apple iPads. But all it will do is slow down, not stop, the intruder. This part is free.

    They are also providing a software solution. Even when the locks are programmable and upgradable, flashing the new firmware is available for a "nominal" fee. And if your lock does not have upgradable firmware? Well, you need to call in and ask for the price. I think the current pricing is one arm and one leg per upgrade.

    http://www.securityinfowatch.com/news/10766203/onity-provides-lock-upgrades-following-hack [securityinfowatch.com]

  • Why is it when I hear "Texas" and "Hotel", I think of an obese tattooed couple with a meth lab in a suitcase? (obviously both meat-eaters??)

  • by trout007 (975317) on Tuesday November 27, 2012 @02:26PM (#42107381)

    I was in a hotel with an in room safe. My kid closed the door and managed to lock it so I called maintenance. The guy came up and hit the # key twice to enter supervisor mode then keyed in 6 9's. Here is a video I shot after he left. I'm pretty sure they don't have an override maintenance code for each room. You could try a few standard combos on your room to figure it out for the hotel. Or just get maintenance up to your room to show you it.

    https://www.youtube.com/watch?v=UYjJuE7l7VM [youtube.com]

  • Next up: Apple to Samsung: "Oh no you din't" and "Axe Slashdot"
