2017-01-29
Ransomware Locks A Hotel's Guests In Their Rooms (dailymail.co.uk)
An anonymous reader writes: A luxury hotel paid "thousands" in Bitcoin ransom to cybercriminals who hacked into their electronic key system, "locking hundreds of guests in or out of their rooms until the money was paid." The "furious" hotel manager says it's the third time their electronic system has been attacked, though one local news site reports that "on the fourth attempt the hackers had no chance because the computers had been replaced and the latest security standards integrated, and some networks had been decoupled." The 111-year-old hotel is now planning to remove all their electronic locks, and return to old-fashioned door locks with real keys. But they're going public to warn other hotels -- some of which they say have also already been hit by ransomware.
Unless this is all just a big publicity stunt to advertise their new door locks.
Yay, connectivity and IoT (Score:5, Insightful)
Who thought it was a good idea for essential systems like this to be online in the first place?!
This is why the Internet of Things is such a horrible concept. Most things don't need to be online and connected to everything else, and the cost of trying to be trendy is huge increases in risks to the privacy, security and reliability of everyday items.
Closed networks do just fine for these kinds of systems, don't actually need to cost that much more, and have none of the vulnerabilities.
The article doesn't specify the exact system or how it was compromised, so unless you have some other source to share, none of us know whether the devices that were compromised in this specific case were directly Internet-connected. Some modern hotel systems are. It could also be that the repeated hacks in this case accessed the room key system indirectly via some other system that was compromised first. The fundamental issues raised are the same either way.
Probably the network the hotel was connected to was already reasonably firewalled or maybe even inside some virtual chain intranet. But such networks are still very easy to hack because of shitty update policies, microsoft windows, and attachment.zip.exe.
It doesn't need to be "thing that talks with cloud and you talk with cloud to talk with thing" like IOT to be hackable.
Plus you don't have a situation like this where three guests died waiting for the BTC confirmation.
Why don't people understand... (Score:5, Informative)
Critical infrastructure DOESN'T NEED ACCESS TO A PUBLIC INTERNET.
Governments, utility providers, MILITARIES! All of them have publicly accessible computers. WHY?
Because it's more convenient and it "works" until cases like these, but they are very exceptional. Most people only want computers to work; "security" is a strange and unknown concept to them.
But yeah, it's trivial to get rid of this vulnerability by simply having two computers, one for the door locking management system, NOT CONNECTED, and the second one to write emails with, etc.
Because you don't hire a programmer nor security consultant to install these systems. You buy the system, and an installer gets the job done with a minimum of extra work.
You're buying a modernization package, not a security solution. And it will stay this way until people mark up the contract and send it back signed, with additions. But the sale will be voided, the security won't be enforced, until the business has enough customers demanding security.
The military aspect is kinda vague, I'm not going to addr
Common Sense At Work (Score:3)
Welp folks, since we're not willing to use common sense in deploying our electronic systems to ensure their security and integrity, we're going to abandon digital and go back to mechanical.
With this challenge out of the way, we're looking at resolving the parking lot conundrum by bringing back horse buggies. To prevent our central heating and air from being hacked, we're uninstalling it and putting fireplaces and fans in all the rooms.
I think you're trying to condemn their decision, but personally, that sounds great to me. Horses, fireplaces, and physical security... not much to complain about... Given that your alternatives are cheap automobiles, dependence on fossil fuels for heating, and a security system that can track your every moment, and still get hacked and end up locked in (or out) of your room.
I'll take a wired home phone instead of a cell phone and eat food that was harvested locally as well.
Welp folks, since we're not willing to use common sense in deploying our electronic systems to ensure their security and integrity, we're going to abandon digital and go back to mechanical.
"Common sense" is not very "common" at all when it comes to electronic systems, and it's even less common when it comes to computer security. The vast majority of people -- even those running big businesses -- simply have no clue how computers or networks or whatever work in any detail. So how can they have "common sense" about them?
And I think it's only getting worse. Interfaces on computers and electronics keep getting "simpler" with more information hidden from the end user. These changes are often
Ransomware locks hotel guests out of their Rooms (Score:2)
"Unless this is all just a big publicity stunt to advertise their new door locks."
Yea, that's it, a hotel would try and drum up business by advertising that its electronic door locks can be compromised.
Fire (Score:4, Insightful)
in some systems power lost = doors unlock (Score:2)
in some systems power lost = doors unlock (the ones that have the push to exit button) as the power is needed to hold them locked. Also the fire system can trigger the unlock.
Most hotel locks, at least on the rooms, are battery powered. Often by AA batteries.
I can understand people being locked out of their rooms. But if they're being locked in they're in massive violation of fire safety laws.
They probably weren't physically trapped, but without being able to re-enter they couldn't leave if they wanted to keep their belongings.
As for manual keys as backup for staff entry, most hotel theft - just like most retail theft - is perpetrated by staff. The electronic doors keep track of which employees are in which rooms so they can investigate complaints of theft.
Shame... (Score:2)
Fool me once, shame on you. Fool me twice, shame on me.
Three times? Really?
I can't imagine (Score:2)
a sane locking system that would not have an override on the inside so that occupants can leave the room whatever the state of the electronic lock.
Fail-safe instead of fail-secure would have to be mandatory in these cases. What if there was a fire?
The thing is, smart people are no exception to the rule that "people are morons".
A friend of mine who's a management consultant puts it this way: Every action you take has both intended and unintended consequences. Once a group of people become committed to a certain course of action, the intended consequences seem much more real to them and the unintended consequences seem unreal.
It's emotional involvement that makes you blind to unintended consequences, even if you're very smart. That's why the old Stoi
LOL! ... IOT is big steaming pile of doo-doo. (Score:2)
This is a classic prankster penetration, now under the guise of "IOT" because SOCs have become so cheap you can stick them into anything, add a shoddy non-updateable web-thingie to it that is 5 versions behind and has holes in it so big you can drive a Mack truck through it. Or, more likely, default access codes that a 12-year-old can look up on the intarweb in less than 15 seconds.
This is freakin' hilarious and really quite funny.
Did anyone of you guys see this coming? I certainly did.
IOT is one big pil
"Did anyone of you guys see this coming? I certainly did."
EVERYONE with a clue saw this coming. Unfortunately that excludes the marketdroids trying to sell IoT and the Oooh Shiny! idiots who buy it.
Daily Mail? Seriously? (Score:2)
Wait...locked IN? (Score:2)
What it meant is that it would take a couple of hours to open all the doors, and they probably paid on the spot to avoid more trouble and upsetting the guests even more.
Perhaps if the locks are constantly getting hit with the lock command, the knob can't be turned?
Smashing the thing and disconnecting the battery would let you out in that case (the batteries are typically stored on the inside part of the unit, otherwise it's a pretty shitty lock).
Character flaw (Score:2)
Must be a character flaw.
Tenacious and bargain-priced! (Score:2)
Hotel management said that they have now been hit three times by cybercriminals who this time managed to take down the entire key system. The guests could no longer get in or out of the hotel rooms and new key cards could not be programmed.
Bahaha, and I hadn't even seen this yet. They're hard-working, too! And they only demanded 1,500 EUR? Hell, the hotel should pay them more than that for security auditing services.
Also, who the hell designs an electronic lock that can lock people in the room if it goes down? Is that even legal in Austria?
Yet according to the hotel, the hackers left a back door open in the system, and tried to attack the systems again.
See, they even offered you a free security audit checkup to verify that you fixed things properly. Try as I might, I just cannot bring myself to dislike these guys.
Brandstaetter said: "We are planning at the next room refurbishment for old-fashioned door locks with real keys. Just like 111 years ago at the time of our great-grandfathers."
Yeah, high security mechanical locks
Because they're constantly generating new keys. (Score:2)
Wait I thought they couldn't use physical keys (Score:2)
How much longer... (Score:2)
It's just weird. Not that anyone with some common sense wouldn't know that all these idiotic new-fangled IoT devices will end up having their own problems with vulnerabilities and hacking; we basically have proof every single week or day of how easily those can be defeated... yet we keep seeing big companies investing in stuff like that as if nothing was happening.
Save yourselves the headache, guys, and do not buy any IoT devices whatsoever in which usefulness does not trample security concerns and overall pro
Wait, did they say locked *IN*? (Score:2)
What kind of fucking stupid design is that where that is even physically possible? It should run afoul of absolutely every kind of fire regulation imaginable that a door lock can even *POSSIBLY* lock a person in their unit.
The mechanism to unlatch the door should be *PHYSICALLY* tied to the turning of the handle or knob on the inside of the unit such that the only way to potentially lock someone in would be to physically damage the latch first... either by welding it into position or otherwise gutting