Maker of Hackable Hotel Locks Finally Agrees To Pay For Bug Fix 66
Sparrowvsrevolution writes "Slashdot readers are no doubt familiar by now with the case of Onity, the company whose locks are found on 4 million hotel room doors worldwide and, as came to light over the summer, can be opened in seconds with a $50 Arduino device. Since that hacking technique was unveiled by Mozilla developer Cody Brocious at Black Hat, Onity first downplayed its security flaws and then tried to force its hotel customers to pay the cost of the necessary circuit board replacements to fix the bug. But now, after at least one series of burglaries exploiting the bug hit a series of hotel rooms in Texas, Onity has finally agreed to shoulder the cost of replacing the hardware itself — at least for its locks in major chain hotels in the U.S. installed after 2005. Score one point for full disclosure."
I dunno... (Score:2, Insightful)
A bunch of people got their stuff stolen, a bunch of smaller hotels are out money, and Onity takes a huge hit? Seems like everyone would have been better off if everyone kept quiet and Onity just started shipping new units with the fix.
"Score one for bad publicity" (Score:4, Insightful)
"Score one point for full disclosure". I don't think so. "Score one for bad publicity" yes. With the previous customer looking somewhere else to provide new lock as Onity wheren't caring about them and their promise of high security electronic locks...
Re:I dunno... (Score:5, Insightful)
They didn't want to ship them even after the knowledge was made public. It's not like there was any chance in hell they would have done it if nobody had known about the problem.
Sure, "in seconds" (Score:5, Insightful)
If by that you mean disassembling the face of the lock, plugging the widget in shoving the magic electrons in.
You know what else works "in seconds"? A $10 crowbar, 100% of the time.
It's a ridiculous nerd-rage non-issue, given that to work the hack you'd have to be on site for an extended period, cool as a cucumber, looking and acting like a member of staff. You might as well be staff, and that's where the real vulnerability is, and always will be.
Re:I dunno... (Score:5, Insightful)
They didn't want to ship them even after the knowledge was made public. It's not like there was any chance in hell they would have done it if nobody had known about the problem.
It's not like there was any need they should have done it if nobody had known about the problem.
Any lock is hackable. Just because Onity got targetted doesn't mean they are suddenly less secure than all the others.
Obviously, not wanting to fix a known security issue IS a problem.
Re:I dunno... (Score:5, Insightful)
Actually, the moment that lock was publicly compromised in this way, it DID become less secure than other non-compromised locks.
A regular mechanical lock is secure, but the moment it becomes public knowledge that it can be defeated with a pen [youtube.com] it becomes a lot less secure than other locks.
Locks are supposed to deter and delay. Deter regular people and delay thieves. When the lock is completely compromised like this one, it no longer delays thieves, thus making it useless.
Re:A month (Score:5, Insightful)
Your locks have one purpose. To stay shut against an intruder. That's all. Sure, we don't expect the room to be impenetrable or them to be crowbar-proof, but we do expect you to not be able to walk up to them with just a device and start changing their settings without that device being authenticated, revokable and protocol-protected. And certainly not to the point that you can work out what to do to make it accept any card from just a lock alone without some serious reverse-engineering.
Well, it's not as if you can just stick in an unbent paper clip or the barrel of a stick pen. And it's not as if you can connect a quickly hacked together "pick" out of an old wall wart and a 9 Volt battery. You have to stick in a specifically crafted piece of sophisticated electronics, The manufacturer thought that would be enough of a barrier.
But what I wouldn't accept would be it taking MONTHS to get to the position that a fix was available after a successful public demonstration. You should have been calling me up and shipping the updated boards/firmware the next day, at least, and worrying about the cost later.
You want to go from zero to having authenticated, revokable and protocol-protected lock programmers in a day? Dream on, chum, dream on.
Re:I dunno... (Score:5, Insightful)
Re:A month (Score:4, Insightful)
Well, it's not as if you can just stick in an unbent paper clip or the barrel of a stick pen. And it's not as if you can connect a quickly hacked together "pick" out of an old wall wart and a 9 Volt battery. You have to stick in a specifically crafted piece of sophisticated electronics, The manufacturer thought that would be enough of a barrier.
Actually, I think the manufacturer thought that it would be more like something you'd see on TV in CSI where only the super-duper elite criminals would be able to pick the locks, not "some dude who watched a video on YouTube or found a web page on how to do it". It's kind of like car alarms. Car alarms don't exist to stop the elite thieves because they won't. They exist to stop Joe Crackhead from trying to steal your car. What happened basically is somewhat equivalent to finding a way to turn off the car alarm so Joe Crackhead is now a serious threat to steal your car with impunity.
Re:I dunno... (Score:2, Insightful)
How do you know NOBODY knew about it? These hacks could have been going on for years in small scale in hotels but no one would blame a firmware or circuit board design if they did not know there was a flaw. Some cop in some city could have caught someone and confiscated the device and had no idea what it was or how it worked, booked the guy, he did his few days in jail and moved on. Its not like a majot hotel chain is going to publish the fact that they were robbed or hacked.