Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
EU Businesses Crime Security

Ransomware Infects a Hotel's Key System (dailymail.co.uk) 203

An anonymous reader writes: A luxury hotel "paid "thousands" in Bitcoin ransom to cybercriminals who hacked into their electronic key system. The "furious" hotel manager says it's the third time their electronic system has been attacked, though one local news site reports that "on the fourth attempt the hackers had no chance because the computers had been replaced and the latest security standards integrated, and some networks had been decoupled." The 111-year-old hotel is now planning to remove all their electronic locks, and return to old-fashioned door locks with real keys. But they're going public to warn other hotels -- some of which they say have also already been hit by ransomware.
UPDATE: The hotel's managing director has clarified today that despite press reports, "We were hacked, but nobody was locked in or out" of their rooms.
This discussion has been archived. No new comments can be posted.

Ransomware Infects a Hotel's Key System

Comments Filter:
  • by Anonymous Brave Guy ( 457657 ) on Sunday January 29, 2017 @11:41AM (#53759865)

    Who thought it was a good idea for essential systems like this to be online in the first place?!

    This is why the Internet of Things is such a horrible concept. Most things don't need to be online and connected to everything else, and the cost of trying to be trendy is huge increases in risks to the privacy, security and reliability of everyday items.

    Closed networks do just fine for these kinds of systems, don't actually need to cost that much more, and have none of the vulnerabilities.

    • by NotInHere ( 3654617 ) on Sunday January 29, 2017 @11:52AM (#53759939)

      Probably the network the hotel was connected to was already reasonably firewalled or maybe even inside some virtual chain intranet. But such networks are still very easy to hack because of shitty update policies, microsoft windows, and attachment.zip.exe.

      It doesn't need to be "thing that talks with cloud and you talk with cloud to talk with thing" like IOT to be hackable.

      • by CaptainDork ( 3678879 ) on Sunday January 29, 2017 @01:36PM (#53760599)

        ... easy to hack because of shitty update policies, [...], and attachment.zip.exe.

        Agree, and it's because the hotel thinks the bottom line is accounts payable/accounts receivable where revenue exceeds expenses.

        Loss-prevention is a cost of doing business.

        Hotels can pay for that up front, or pay for it later.

        Delay is expensive.

        As discussed in TFS, they have to pay the ransom and then go back and pay to harden the system.

    • Plus you don't have a situation like this where three guests died waiting for the BTC confirmation.

    • Who thought it was a good idea for essential systems like this to be online in the first place?!

      Hackers - duh.

    • by Anonymous Coward on Sunday January 29, 2017 @01:09PM (#53760439)

      That's not the failure here. The failure here is that there's no way of manually unlocking the door from the inside. That has to be some sort of firecode violation.

      The fact that the computer that ran that was also connected to the internet just compounds the problem. People should always be able to get out, no matter what's going on with the computer system.

      • Obviously there should be physical safeguards for when the tech screws up, but I don't think that diminishes the scale of the original screw up.

      • /Checks where this took place... Austria. /Considers the possiblity for off-color jokes....

      • No kidding (Score:4, Informative)

        by Sycraft-fu ( 314770 ) on Sunday January 29, 2017 @05:22PM (#53761713)

        We have electronic locks at work, and they are on the Internet. They are VLAN'd and firewalled off but they are still on the Internet because the company that administers them is remote. You can argue we should do it our self and I'd agree, but that is the arrangement. However every single one can be overridden on the inside the the handle. The locking mechanism is just that it basically unlocks the door frame so you can push it open from the outside with the electronic lock. Inside, you can always use the handle to override.

        The reason is, as you say, fire code. All our doors always open towards the outside, no matter what. Old lock and key doors are the same. You will find a door with a Medeco lock on the outside that can't be permanently unlocked, only turned to move the bolt, but on the inside ti is just a bar you push to open it up. No matter where you are in the building, you can always get out just by following the doors that will open manually with no key/code. The locks are for locking people out, not in.

    • Because of this I'm building a LAN of things for my own use. I have no need to stoke or control my woodstove from on the road anyway, but I do like to have as much as possible on my homestead automated and monitored - verily, even stuffed into a database so I can see what the weather has been like at such and such a time over the years and so on.

      Works for me - I rarely go out (living in what amounts to the Garden of Eden will do that for ya) - and no one gets my data if I don't want them to.
      BUT! Now let

    • by arth1 ( 260657 )

      Who thought it was a good idea for essential systems like this to be online in the first place?

      Hacking doesn't have to happen from the internet. The locks are in communication with the central system, which makes each lock a potential point of entry for hacking the system.

      • Well, yes. People with physical access to closed systems can potentially attack them in ways that people with only remote access can't. News at 11.

        That's not an argument against minimizing the attack surface by avoiding unnecessary remote access, though, is it?

        • by arth1 ( 260657 )

          That's not an argument against minimizing the attack surface by avoiding unnecessary remote access, though, is it?

          No, it's an argument against thinking systems become safe by detaching them from the internet.

          And from my experience, it's often easier to find vulnerabilities on local and required networks. Manufacturers tend to put very little thought into securing its own devices from each other.
          Trust is the big evil in security.

          • by lgw ( 121541 )

            No, it's an argument against thinking systems become safe by detaching them from the internet.

            There's no such thing as "safe". That's not how security works, Detaching systems from the internet makes them safer, and that's a Good Thing.

            In this case, I applaud moving back to mechanical keys. It's a mature security system, the weaknesses and their mitigations are well understood, and it matches people's expectations about what behaviors are safe. I also suspect it's not particularly expensive at any sort of scale (once it makes sense to cut your own keys, and have staff trained to do that - it's n

    • by im_thatoneguy ( 819432 ) on Sunday January 29, 2017 @02:38PM (#53760985)

      Who thought it was a good idea for essential systems like this to be online in the first place?!

      Someone who understands their most profitable customers: business customers. If your business customers can check-in online through the app and be assigned a room which they can unlock from their phone without ever interacting with the front desk.

      "Thank you Samantha for picking Great Hotel again. Your room number is 352. Click here to unlock the door. If you have any problems or questions please dial ## or stop by the front desk."

      Obviously the devil is in the details but NFC keycards aren't going anywhere (no changing locks and lost keys) and internet aware locks are the obvious next step of convenience and cost cutting.

      • Obviously the devil is in the details but NFC keycards aren't going anywhere (no changing locks and lost keys)

        OK, I'm with you so far.

        and internet aware locks are the obvious next step of convenience and cost cutting.

        ::boggle::

        Even some of the cheaper hotel chains here in the UK now routinely have machines that let you check in without staff intervention, including coding your keycards for you. It takes a few moments. It is not at all obvious to me that Internet-enabling anything about this process would be either more convenient or cheaper for anyone.

    • by HiThere ( 15173 )

      Closed networks solve SOME of the problems inherent in an electronic solution. They sure don't solve all of them. This sounds like a power outage would also have locked everyone in their rooms, e.g.

      • Maybe. The article doesn't say, but if the attack truly did lock the doors from inside then clearly they have other problems, for sure. At that point, you're not talking about vulnerabilities to hostile parties any more, you're talking about basic reliability and safety concerns.

  • by iCEBaLM ( 34905 ) on Sunday January 29, 2017 @11:41AM (#53759867)

    Critical infrastructure DOESN'T NEED ACCESS TO A PUBLIC INTERNET.

    Governments, utility providers, MILLITARIES! All of them have publicly accessible computers. WHY?

    • Because its more convenient and it "works" until cases like these, but they are very exceptional. Most people only want computers to work, "security" is a strange and unknown concept to them.

      But yeah, its trivial to get rid of this vulnerability by simply having two computers, one for the door locking management system, NOT CONNECTED, and the second one to write emails with, etc.

    • Because you don't hire a programmer nor security consultant to install these systems. You buy the system, and an installer gets the job done with a minimum of extra work.

      You're buying a modernization package, not a security solution. And it will stay this way until people mark up the contract and send it back signed, with additions. But the sale will be voided, the security won't be enforced, until the business has enough customers demanding security.

      The military aspect is kinda vague, I'm not going to addr

      • Problems have solutions ...

        Some solutions to some problems is litigation.

        Apparently, the hotel didn't purchase a turnkey (see what I did there) technical system.

        The evidence is in the part where they went BACK and hardened the system.

        There is an obvious point of failure in the procurement, implementation, and maintenance of the system.

        Who, exactly, is responsible for that?

        Whoever it is needs a good spanking in court.

        For reference, see fire-related litigation that resulted in ordinances requiring occupancy levels, extinguishers, sprin

    • Governments, utility providers, MILLITARIES!

      A "millitary" doesn't seem very powerful. My country has a megatary, I'm just saying...

    • Critical infrastructure DOESN'T NEED ACCESS TO A PUBLIC INTERNET

      The focus of my job, nor my companies is security. However if someone is on the lan with DDC (Digital Data Control) and other systems, access control for instance, they have an even better shot of pulling something like this off. For all you know, they had a default system with default security credentials and no Vlans or any other of even the most basic controls. I get your point, but it could have easily been an inside job, by even say, a gue

  • by Notabadguy ( 961343 ) on Sunday January 29, 2017 @11:42AM (#53759871)

    Welp folks, since we're not willing to use common sense in deploying our electronic systems to ensure their security and integrity, we're going to abandon digital and go back to mechanical.

    With this challenge out of the way, we're looking at resolving the parking lot conundrum by bringing back horse buggies. To prevent our central heating and air from being hacked, we're uninstalling it and putting fireplaces and fans in all the rooms.

    • by torqer ( 538711 ) on Sunday January 29, 2017 @12:13PM (#53760069)

      I think you're trying to condemn their decision, but personally, that sounds great to me. Horses, fireplaces, and physical security... not much to complain about... Given that your alternatives are cheap automobiles, dependence on fossil fuels for heating, and a security system that can track your every moment, and still get hacked and end up locked in (or out) of your room.

      I'll take a wired home phone instead of a cell phone and eat food that was harvested locally as well.

      • by Solandri ( 704621 ) on Sunday January 29, 2017 @01:24PM (#53760519)
        The problem wasn't the electronic key system. The problem was the hotel stupidly made their electronic key system (or at least the server) accessible from the public Internet.

        I used to work at a hotel and helped select one of these key card systems for purchase (I wasn't around for the installation). You're supposed to keep it on a separate and isolated network specifically to prevent problems like this. The system is completely self-contained and internal. Nothing else needs access to it, and you don't need to have access to anything else from it. The person using the key card server doesn't need to be able to browse their Facebook page on it. The only data being entered into it should be the front desk staff keying in the guest's name and dates of stay so that a new key card can be generated and the lock for that room reprogrammed.

        Physical keys at hotels were/are a huge problem because anyone can make a copy of the key. Theoretically a guest could make a copy to access the room at a later date. But more commonly, one of the maids (who have master keys so they can access all rooms) makes a copy, gives it to someone else, who then goes into the rooms and steals stuff when the maid is off-duty (so as not to arouse suspicion as to who copied their key). Changing the locks is expensive and doesn't help, because the corrupt maid simply makes a copy of the new key. It's cheaper to make a copy of a physical key than it is to change all the physical locks. OTOH, it's cheaper to change all the electronic lock keys than it is to make a copy of the newer RFID key cards. Switching back to physical keys is huge step backwards in security.
        • Also, a proper backup policy could completely eliminate this failure mode. Ironically you could *more easily* secure this with *more* internet integration. Have the backups be incremental and off-site. Setup the off-site service to keep backups for 7 days no matter what. If at any point someone hacks your system, physically insert a "RESET" DVD. Format *everything* back to factory defaults. Load the latest good database and you should be back in business in half an hour.

        • I used to work at a hotel and helped select one of these key card systems

          If key cards are being used, why choose a system that requires the locks be networked?

          Sure, there is a convenience in the front desk being able to remotely update the stay duration rather than having the guests come to desk to have their kay cards re-written, but is that really worth the problems? I recently attended a convent held in the Intercontinental Hotel in Dallas - a 5 star, luxury hotel. Although I couldn't afford a room in that hotel, some of the convention attendees did. And some of those extende

      • Burning wood or coal in a fireplace is NOT, in any way, shape, or form, a "green" alternative. Fireplaces are the reason cities like London & Paris were choked in smog decades before industry & transportation were even significant contributors. Compared to lumber & coal burning in 10-20 million fireplaces, oil, natural gas, and nuclear fission are almost pure ideal green goodness.

      • "And furthermore, peace, love, grass."
      • Horses, fireplaces, and physical security... not much to complain about.

        I don't think you understand how bad horses can smell (and how much mess they can make). Also, fireplaces put out a lot of pollution (and are usually just for looks: a wood stove is what will really generate some heat for you).

      • And death to all cities of any size as they drown in a wave a sickness and horse shit. Cars may pollute but its in the air and blows away. The amount of horse shit from that number of horses will choke a decent size city in a matter of days.

    • by AthanasiusKircher ( 1333179 ) on Sunday January 29, 2017 @12:50PM (#53760311)

      Welp folks, since we're not willing to use common sense in deploying our electronic systems to ensure their security and integrity, we're going to abandon digital and go back to mechanical.

      "Common sense" is not very "common" at all when it comes to electronic systems, and it's even less common when it comes to computer security. The vast majority of people -- even those running big businesses -- simply have no clue how computers or networks or whatever work in any detail. So how can they have "common sense" about them?

      And I think it's only getting worse. Interfaces on computers and electronics keep getting "simpler" with more information hidden from the end user. These changes are often pushed by companies that have a strong interest in keeping their users ignorant of things like security, because it allows them to continuously steal their users' data and information. So, a normal "user" who encounters technology on an everyday basis is going to get dumber about security if trends of the past couple decades continue. "Common sense" about such things will get even more rare.

      Seriously -- obviously an air-gapped system is a easy solution here, but do you realize that most people don't even understand what that means? I've had lots of conversations with people who still can't even tell the difference between local applications/data and the internet... and cloud interactions are further blurring such distinctions all the time, so there's little benefit for most people in trying to understand such distinctions. All the people working at the hotel are going to say is, "Huh? Why can't I check my email on this computer?? It's broken!"

      • > "Common sense" is not very "common" at all when it comes to electronic systems, and it's even less common when it comes to computer security. The vast majority of people -- even those running big businesses -- simply have no clue how computers or networks or whatever work in any detail.

        Which is why it's a great idea for absolutely everyone to be writing code for these internet-connected devices. Security? What's that? Who cares, I just wrote a Facebook app to connect my fire sprinklers to my Facebo

      • by HiThere ( 15173 )

        An air-gapped system only solves part of the problem Where's your fine electronic system when the power goes out? You say you've got battery blackup power...did you read about how that worked out for Note7 owners?

        I'm not convinced that electronic locks on hotel room doors are a good idea. I know it's convenient, and avoids certain failure modes (customers making a copy of the key and then sneaking back later for some nefarious deed), and sometimes cheaper, but that doesn't immediately translate into bett

  • by khz6955 ( 4502517 ) on Sunday January 29, 2017 @11:43AM (#53759875)
    What was the name of the ransomware, what was the name of the company that designed the locks, what OS did the reservation system run on, what OS did the cash desk system run on?

    "Unless this is all just a big publicity stunt to advertise their new door locks."

    Yea, that's it, a hotel would try and drum up business by advertising that its electronic door locks can be compromised.
    • Yea, that's it, a hotel would try and drum up business by advertising that its electronic door locks can be compromised.

      Woosh.

  • Fire (Score:5, Insightful)

    by Patent Lover ( 779809 ) on Sunday January 29, 2017 @11:44AM (#53759879)
    I can understand people being locked out of their rooms. But if they're being locked in they're in massive violation of fire safety laws.
    • I can understand people being locked out of their rooms. But if they're being locked in they're in massive violation of fire safety laws.

      They probably weren't physically trapped, but without being able to re-enter they couldn't leave if they wanted to keep their belongings.

      As for manual keys as backup for staff entry, most hotel theft - just like most retail theft - is perpetrated by staff. The electronic doors keep track of which employees are in which rooms so they can investigate complaints of theft.

      • They probably weren't physically trapped, but without being able to re-enter they couldn't leave if they wanted to keep their belongings.

        First off, if that were true, then all the reporting is erroneous, since that's "locked out" of rooms, NOT "locked in."

        Second... well, we can just RTFA:

        Hotel management said that they have now been hit three times by cybercriminals who this time managed to take down the entire key system. The guests could no longer get in or out of the hotel rooms and new key cards could not be programmed.

        Or read the other article:

        Mr Brandstaetter said they had been hit three times by the cybercriminals, who managed to lock all the doors, trapping many guests inside and some outside their rooms.

        One doesn't usually use the word "trapping" when someone can just walk out a door voluntarily. Obviously if your scenario were true, guests could simply pick up all their belongings and check out. Or they could prop the door open or something. Both of the linked stories imply this was NOT the case. (One even says explicitly th

    • According to this article [bleepingcomputer.com], they were not locked in their rooms. But most people were out skiing at that time, so almost everyone was locked out.

      Fire code regulations all over the globe mandate that electronic key locks to open manually from the inside, which means no guest was locked inside their rooms. Additionally, electronic key systems are also created to handle power failures, so there was a way to open the doors from the outside, meaning no one was locked out either. According to Austrian news site ORF, the hotel was fully-booked with 180 guests. According to hospitality news site Allgemeine Hotel- und Gastronomie-Zeitung, at the time the ransomware took root, all the hotel's guests were on the local ski slopes.

      • by Imrik ( 148191 )

        I suspect that no one thought to cut power to unlock the doors, otherwise they wouldn't have had breaking down the doors as their alternate solution.

        • No, the doors weren't locked. Read that article: it was the machine that was used to re-program the keys that got encrypted.
  • Following me once, shame on you. Fool me twice, shame on me.

    Three times? Really?

  • a sane locking system that would not have an override on the inside so that occupants can leave the room whatever the state of the electronic lock.

    Fail-safe instead of fail-secure would have to be mandatory in these cases. What if there was a fire?

  • This is type-a classic prankster penetration, now under the guise of "IOT" because SOCs have become so cheap you can stick them into anything, add a shoddy non-updateable web-thingie to it that is 5 version behind and has holes in it so big you can drive a mac truck through it. Or, more likely, default access codes that a 12-year old can look up on the intarweb in less than 15 seconds.

    This is freakin' hilarious and really quite funny.

    Did anyone of you guys see this coming? I certainly did.
    IOT is one big pil

    • by Viol8 ( 599362 )

      "Did anyone of you guys see this coming? I certainly did."

      EVERYONE with a clue saw this coming. Unfortunately that excludes the marketdroids trying to sell IoT and the Oooh Shiny! idiots who buy it.

  • by szy ( 4052287 ) on Sunday January 29, 2017 @11:57AM (#53759975)
    Daily Mail? Seriously? Out of all the media that covered this story extensively over the past couple of days, you picked to link to the daily mail as the source? Also including the clickbait phrase of "paid thousands" to refer to 2 bitcoins? The only hope is that slashdot community does what it's best at: does not read the article.
  • I thought electronic door locks could stil be overridden manualy with old fashioned knobs and handles on the room side of the door. I wonder what the city's code enforcement and fire department thinks about this?
    • by ruir ( 2709173 )
      Exactly my thoughts. The notice seems a bit sensationalistic. While maybe they are idiots enough to not allow the guests, I pretty much doubt there are not old fashioned door locks and a master key.
      What it meant is that they would take a couple of hours to open all the doors, and they probably paid in the stop to avoid more trouble and upsetting even more the guests.
      • by Imrik ( 148191 )

        While I doubt people were locked in their rooms, there were not old fashioned door locks and the master key is tied to the same electronic system. Unlocking all the doors without a key would require cutting power if they were designed properly or breaking down the door if they were not.

    • Perhaps if the locks are constantly getting hit with the lock command, the knob can't be turned?

      Smashing the thing and disconnecting the battery would let you out in that case (the batteries are typically stored on the inside part of the unit, otherwise it's a pretty shitty lock).

  • Sometimes, try as I might, I simply cannot prevent myself from cheering wholeheartedly for the criminal.

    Must be a character flaw.
    • Hotel management said that they have now been hit three times by cybercriminals who this time managed to take down the entire key system. The guests could no longer get in or out of the hotel rooms and new key cards could not be programmed.

      Bahaha, and I hadn't even seen this yet. They're hard working, too! And they only demanded 1,500 EUR? Hell, the hotel should pay them more than that for security auditing services.

      Also, who the hell designs an electronic lock that can lock people in the room if it goes down? Is that even legal in Austria?

      Yet according to the hotel, the hackers left a back door open in the system, and tried to attack the systems again.

      See, they even offered you a free security audit checkup to verify that you fixed things properly. Try as I might, I just cannot bring myself to dislike these guys.

      Brandstaetter said: "We are planning at the next room refurbishment for old-fashioned door locks with real keys. Just like 111 years ago at the time of our great-grandfathers.

      Yeah, high security mechanical locks

      • And they only demanded 1,500 EUR? Hell, the hotel should pay them more than that for security auditing services.

        I'm going to throw a brick through your window. And then charge you 1500 EUR for auditing the physical security of your home. I presume that's okay with you.

        Yeah, high security mechanical locks have been around for at least two hundred years.

        How does this "high security" lock prevent a previous guest from having made a copy of the key? It doesn't, mechanical keys are the wrong tool for the j

        • How does this "high security" lock prevent a previous guest from having made a copy of the key?

          Dynamically re-keyable mechanical locks have been around for ages. Even Kwikset has one these days. The maid could do it in under 10 seconds. Requires a tiny bit of planning to set it up to be idiot-resistant, but basically on the maids' carts you'd have a series of small labeled boxes, one for each room number, that contain a partition with two keys: the old one and the new one.

          I'm going to throw a brick through your window. And then charge you 1500 EUR for auditing the physical security of your home. I presume that's okay with you.

          I'm going to install a lock that locks you in your hotel room if it's hacked or loses power, so you'll stand a much increased cha

  • Something about it's actually less secure to use physical keys and virtual ones. I mean even years ago they switched away from physical keys to cards because in the past you only needed to have the key copied and then it was good for that room until they thought to change the locks. (Which given they're physical wasn't going to happen because that cost money.) The new key system they basically generate a new key and put it on the card and publish it to the lock in your room every single time a new guest che
  • It's just weird. Not that anyone with some common sense wouldn't know that all these idiotic new fangled IoT devices will end up having their own problems with vulnerabilities and hacking, we basically have proof every single week or day on how easily those can be defeated... yet we keep seeing big companies investing on stuff like that as if nothing was happening.

    Save yourselves the headache guys, and do not buy any IoT devices whatsoever in which usefulness do not trample security concerns and overall pro

  • What kind of fucking stupid design is that where that is even physically possible? It should run afoul of absolutely every kind of fire regulation imaginable that a door lock can even *POSSIBLY* lock a person in their unit.

    The mechanism to unlatch the door should be *PHYSICALLY* tied to the turning of the handle or knob on the inside of the unit such that the only way to potentially lock someone in would be to physically damage the latch first... either by welding it into position or otherwise gutting the innards so that it did not work.

    • heck as a fail safe they should have the hinges set with pins that can be yanked out with Pliers (sitting next to the Gideon Bible in the top dresser drawer)

    • It's not a stupid design at all, just a stupid Daily Mail reporter.

  • I would never trust anything I own and absolutely need to work to an electronic lock. Not that I'm a luddite ... far from it ... but because I know what can go wrong, and in some circumstances absolutely nothing can be allowed to go wrong. So no electronic locks on my home's entry doors, and no home safes with electronic locks (includes gun safes).

    Hotels ... I can see huge advantages for a hotel to have electronic locks on rented rooms. They will also have staff who can defeat said locks if need be. Downsid

    • The more I learn about physical locks, the less I'm convinced they are up to the job. I don't think locks should be all electric, but a lot of locks that use physical keys are laughably insecure.

  • In what world is it considered a sane design decision that it is possible for guests to be locked in a hotel room? It seems like the sort of thing that should be a fire code violation at least.

  • by phantomfive ( 622387 ) on Sunday January 29, 2017 @01:42PM (#53760643) Journal
    According to this article, it was not the locks that were encrypted [bleepingcomputer.com]. The computers they used to make new card keys got encrypted. I'd bet that it was just a bog-standard Windows box with a dongle attached, maybe running Windows XP if the drivers couldn't be updated. Here is a quote from the hotel manager:

    "We were hacked, but nobody was locked in or out," said the hotel's Managing Director Christopher Brandstaetter. "For one day we were not able to make new keycards." "Since the locking system must work even in the event of power failure, the guests in the hotel almost did not notice the incident," the manager also added. "We simply could not issue new keycards because the computers were encrypted."

    • I was seriously wondering how people could get locked in their rooms. I mean that is such a massive fire code violation and commercial buildings care, a lot, about fire code because you can be sued in to oblivion.

      Incorrect clickbait headline. Now that makes much more sense :D.

  • I call BS on this one. Locking guests out of their rooms, sure. Locking guests into their rooms? Uh no. Basic fire code requires that all electronic locks always allow egress, regardless of their lock state or powered/unpowered. Basically, the mechanical locking mechanism can always be opened from the inside, regardless of how the electronic locks are hacked or malfunction.

    • Read the quote right above your post. No one got locked in... the room-card-writing computer got hit with ransomware. That's all.

      The summary is almost totally wrong, in other words.

  • All these insecure systems need to be attacked and exposed for the garbage that they are. Everyone that knows about computer systems or security has been screaming that IoT systems are bad and are not to be trusted. Despite all of this, plenty of fools in management went ahead because they are arrogant pricks who don't give a shit about what other people think. At this point, getting hit with ransomware is your wage, as in, you have gone out of your way to earn it.

    You reap what you sow.

  • by markdavis ( 642305 ) on Sunday January 29, 2017 @02:02PM (#53760755)

    >""on the fourth attempt the hackers had no chance because the computers had been replaced and the latest security standards integrated, and some networks had been decoupled." The 111-year-old hotel is now planning to remove all their electronic locks, "

    Yeesh. If you decide to not go back to physical keys, at least consider these next time:

    1) Don't connect your door/key system to the Internet, at all.
    2) Isolate the machine on your network to just the needed functionality.
    3) Isolate the machine physically- nobody but specialized staff should have physical access.
    4) Restrict root/admin access to the machine.
    5) If possible, get a system not run by any MS-Windows machines.
    6) Make, test, and retain good, redundant, and incremental backups.
    7) Perhaps hire or contract with I.T. staff that can set up and maintain your systems properly.

    Computer systems are not like ice makers or or other appliances at a hotel. They need to be designed, setup, and maintained properly to work well. And, unfortunately, they are rarely a one-time expense. This, more than anything, is what gets companies into trouble. These types of failures being reported are more about management failure than failures of technology.

  • Rubbish. I've never stayed in a hotel with key cards where the inside handle didn't override/bypass the lock.

After all is said and done, a hell of a lot more is said than done.

Working...