Hotel keycard firm issues fixes after Black Hat hacker breaks locks
Hotel lockmaker Onity has developed fixes to safeguard millions of hotel keycard locks against an attack demonstrated at the Black Hat conference last month. But the most comprehensive of the two approaches involves a partial hardware replacement that will cost hotels a substantial amount of cash to apply.
Mozilla software developer turned security researcher Cody Brocious used a Arduino micro-controller costing around $50 to come up with an effective hack against hotel keycard locks, which he demonstrated at last month’s Blackhat security conference in Las Vegas. The hack involved plugging in the homemade device into a data port on the underside of Onity’s locks, reading memory to extract a decryption key, before using this decryption key to fake an “open door” command. Brocious created a cheap rig that spoofed portable programmers, gadgets designed to allow hotels to change the settings on locks supplied by Onity.
The hack is only possible because of two interlinked problems: the ability to read memory locations on vulnerable electro-mechanical locks and flawed cryptography in the key cards system itself.
Onity (which initially dismissed the door springing hack as “unreliable, and complex to implement”) has come up with two mitigations against the attack, the most effective of which will necessitate its hotelier customers shelling out some more cash.
The entry-level (free) fix involves supplying a physical plug that blocks access to the portable programmer port of potentially vulnerable HT series locks, coupled with the use of more-obscure Torx screws to make it more difficulties for would-be intruders to open the lock’s case and access its internal systems.
The second more rigorous fix involves upgrading the firmware of potentially vulnerable HT and ADVANCE series locks together with manually changing the locks’ circuit boards. This more comprehensive fix comes with a fee including parts, shipping and labour costs. Older locks will be more expensive to upgrade – although there will be a special pricing programme, as a statement by Onity explains.
Both fixes will be available from the end of August.
It’s unclear how much Onity’s upgrade of its widely used hotel keycard locks will end up costing either hotel chains or Onity itself. Criticism has been voiced over the fact that hotel chains will have to pay out to get comprehensive remediation against a problem that’s not of their making. “Given that it won’t be a low-cost endeavour, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger,” Brocious said.
“If such a significant issue were to exist in a car, customers would likely expect a complete recall at the expense of the manufacturer. I can’t help but feel that Onity has the same responsibility to their customers, and to customers staying in hotels protected by Onity locks.”
Brocius also express doubts about the possible efficacy of the mitigations proposed by Onity, as explained in some depth in a blog post on the subject here.
Onity’s keycard locks secure access to an estimated four million hotel rooms worldwide. Brocious decided not to give Onity pre-warning about the Black Hat hack prior to his demonstration. His former employer is also alleged to have sold a licence to use his hotel keycard-hacking trick to a locksmith training firm for $20,000 long before his presentation, according to Forbes reported.
Brocious said that the nature of the vulnerability was so fundamental that it had probably been an open secret for years. “With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” Brocious told Forbes. “An intern at the NSA could find this in five minutes.” ®