Maker of Hackable Hotel Locks Finally Agrees To Pay For Bug Fix 66
Sparrowvsrevolution writes "Slashdot readers are no doubt familiar by now with the case of Onity, the company whose locks are found on 4 million hotel room doors worldwide and, as came to light over the summer, can be opened in seconds with a $50 Arduino device. Since that hacking technique was unveiled by Mozilla developer Cody Brocious at Black Hat, Onity first downplayed its security flaws and then tried to force its hotel customers to pay the cost of the necessary circuit board replacements to fix the bug. But now, after at least one series of burglaries exploiting the bug hit a series of hotel rooms in Texas, Onity has finally agreed to shoulder the cost of replacing the hardware itself — at least for its locks in major chain hotels in the U.S. installed after 2005. Score one point for full disclosure."
A month (Score:5, Informative)
I give it a month before the new firmware is discovered vulnerable to a very similar attack, or a way to bypass the plug is found.
That said, if I were Marriot, of course I'd have negotiated just this kind of deal. It would be quite simple, and any number of electronic lock-makers would fall over themselves to install reduced costs locks (or even compatible boards) and just live off the future support for them.
What bothers me is not the replacement policy (which looks like you need to argue lots to get something quite reasonable, like a free firmware fix), or the security (we all know that lots of modern products have security flaws and to be honest, this one requires quite some skills / balls to exploit), but the denials and brushing-under-the-carpet.
Your locks have one purpose. To stay shut against an intruder. That's all. Sure, we don't expect the room to be impenetrable or them to be crowbar-proof, but we do expect you to not be able to walk up to them with just a device and start changing their settings without that device being authenticated, revokable and protocol-protected. And certainly not to the point that you can work out what to do to make it accept any card from just a lock alone without some serious reverse-engineering.
Damn right, you'd replace my locks. Or your insurance would have one huge hefty claim on it by now from chains like Marriott. Hell, I'd even let you off if I could fit them myself on my own schedule so as to not disturb guests or interfere with business operations, and even let you charge me for delivery.
But what I wouldn't accept would be it taking MONTHS to get to the position that a fix was available after a successful public demonstration. You should have been calling me up and shipping the updated boards/firmware the next day, at least, and worrying about the cost later.
If there's a repeat of this incident with the new board, I would need to KNOW that you were going to do something timely about it BEFORE burglaries start hitting my hotel insurance, which may not even pay out if the locks are that bad.
Attempt to Limit Future Liability (Score:5, Informative)
The leaked agreement contains this paragraph:
"Onity’s proposal for franchisees is conditioned on the franchisee’s acknowledgement that Onity does not guarantee a lock’s invulnerability to hacking."
While this is a reasonable statement on its own, the real issue here is competence. Onity's design was in such blatant and avoidable violation of basic security principles (e.g. a small keyspace and a lack of real cryptography) that it might be be called negligent.