Hotel lock hacking
December 19, 2012 10:31 AM   Subscribe

IT'S FUN TO USE LEARNING FOR EVIL: 4 million hotel rooms around the world using Onity brand computerized locks can be unlocked with a device built into the case of a magic marker.
posted by Chocolate Pickle (55 comments total) 15 users marked this as a favorite

 
Great. This is why I always carry a doorstop with me when I travel. Not to hold a door open, but to keep it shut from inside.
posted by Elly Vortex at 10:34 AM on December 19, 2012 [5 favorites]


I'm not so sure there's anything to this report. It looks like you plug in from the inside of the door, in which case what's the point? You're already in.
posted by Chocolate Pickle at 10:36 AM on December 19, 2012


Soon after, Houston police arrested 27-year-old Matthew Allen Cook and charged him with theft when he sold a laptop that was swiped in one of the robberies to a local pawn shop.

This is a wonderful illustration of high INT, low WIS.
posted by griphus at 10:39 AM on December 19, 2012 [38 favorites]


Does the old Do Not Disturb sign trick still work?
posted by 2bucksplus at 10:39 AM on December 19, 2012 [1 favorite]


No, its definitively outside the door. The picture is just showing the door open to showcase the lock opening and closing.
posted by shinynewnick at 10:39 AM on December 19, 2012 [2 favorites]


It plugs into the outside I believe. The photo is at an odd angle.

Here's the marker version with a video demo.
posted by GuyZero at 10:39 AM on December 19, 2012


It looks like you plug in from the inside of the door, in which case what's the point?

No, it's from the outside. One of the uses of this jack is to reset the lock when the batteries die, or if the keyreader fails or the slot is blocked. Unfortunately, it looks like there's no crypto involved, just a physical connection, so anyone who can figure out the physical connection and protocol owns the lock.
posted by eriko at 10:40 AM on December 19, 2012 [1 favorite]


No, Chocolate, the USB port is on the outside. Apparently someone has already been arrested trying to use this.

Here's the Hacker News thread by Brocius himself, debating how he released news of it. Basically, he didn't disclose to Onity at all before publicly releasing the exploit. Here's his blog post agonizing over the decision. He does some handwaving about it with the fact that many companies either do nothing until public disclosure, or actually sue the person releasing to prevent it. I'm sceptical of those motivations because there are ways around both, and even if the company does nothing at all, that's not an excuse for not providing them the opportunity.
posted by fatbird at 10:40 AM on December 19, 2012


A pry bar will also do the trick, and makes for a good anti-security personnel measure.
posted by Burhanistan at 10:40 AM on December 19, 2012


Walking around a hotel with a large prybar... is somewhat less subtle. Alos, hotel doors are pretty tough, usually with metal frames and doors. I actually defy you to open one by hand with a prybar.
posted by GuyZero at 10:42 AM on December 19, 2012 [1 favorite]


Ok, I'll get right on that.
posted by Burhanistan at 10:43 AM on December 19, 2012 [15 favorites]


A pry bar will also do the trick, and makes for a good anti-security personnel measure.

The hack is much faster though, surely? And quieter too, you could even stick a card in for verisimilitude and look totally innocent to any passersby.
posted by BungaDunga at 10:45 AM on December 19, 2012


The root problem is that this access port allows anyone access to the entire memory of the lock device. So the hacking involves scanning the memory for the master code, and then using that code to unlock the door.

It is a stupid design, insecure by its very nature. Onity got lazy and thought no one would be able to cheaply build a device to break it. Didn't count on the Arduino.
posted by sbutler at 10:49 AM on December 19, 2012


Great. This is why I always carry a doorstop with me when I travel. Not to hold a door open, but to keep it shut from inside.

IMO, one of the best travel devices are those GE doorstops with really loud alarms built in. They're awesome! Just make sure to take the batteries out when you put it back in your bag.
posted by jason_steakums at 10:55 AM on December 19, 2012 [1 favorite]


Cody Brocious

If that is your real name, sir.

With that sweet, sweet mullet.
posted by slogger at 10:56 AM on December 19, 2012 [4 favorites]


They can come for me in my room, I'll be waiting inside with my own dry erase marker. Beware of owner.
posted by allkindsoftime at 10:57 AM on December 19, 2012 [1 favorite]


It is a stupid, and flawed, design. However, I have to disagree with Brocious concerning the hotels -- or lock manufacturer -- obligation. For starters he makes the car analogy (always a favorite) but that is very flawed; a slim jim, a very very basic device, can get you into a stunning number of cars. Car security has been horribly flawed -- and known to be -- for decades, with numerous bad flaws including very limited selection of keys, etc. and they have not been recalled, or even fixed in many cases in later models for that matter. Secondly, this is just one of many ways to enter a hotel room illegally or for illicit purpose. A lot of people have access to your room, and there are lots of master cards, plus numerous other flaws including balconies, etc. Its not like this is the only way in. And, when the person is in the room, the bar/chain/whatever works as well as it ever has, with or without this hack.

It is a good hack, a nice way to break into hotel rooms, but it isn't a revolution in robbery.
posted by Bovine Love at 11:03 AM on December 19, 2012 [2 favorites]


A minor nit, but it is a JTAG port, not a USB port on the outside, that gives access to the lock's electronic innards (remarkably poor design--why not just put it on the inside?)

Considering the number of locks Onity has sold, it might be too much to ask to have them replace all the circuit boards for all the locks they have sold at their cost, which would probably bankrupt them.

But the hotels have certainly been taking their time getting this fixed, leaving all their customers exposed in the mean time. If they can't afford the fix, just super glue or epoxy the hole. Yes, you'd have to drill it out if you wanted access to the JTAG port. But how often does that happen?
posted by eye of newt at 11:04 AM on December 19, 2012 [3 favorites]


Isn't it a barrel jack because it's actually a emergency charge port for the lock and the jtag functionality is sort of riding on the back of that? I agree it's dumb to stick an accessible jtag port on them all but I don't think they can just glue it closed without making the lock inoperable if the battery dies.
posted by GuyZero at 11:10 AM on December 19, 2012


IIRC the hack correctly (too lazy to look it up), it reveals the master key, so putting on the inside would only add the extra step of being a guest once (or otherwise gaining access to the inside of the door) to retrieve the key.
posted by Bovine Love at 11:25 AM on December 19, 2012


The doorstop / chain / bolt thing works if you are *in* the room. What about if you're not?
posted by yoga at 11:40 AM on December 19, 2012


Put all your shit in the safe.
posted by Burhanistan at 11:42 AM on December 19, 2012 [2 favorites]


The nastier problem is that onity are dragging their feet on replacing the boards in the locks.

A temporary workaround is some glue in the hole, but as pointed out, that stops you over-riding the lock when the batteries die - which means you're going to end up drilling out the locks in your own hotel, or just live with a slowly declining number of available rooms to rent...

Apparently they've come to private agreements with some big US chains (such as the Hyatt that got hit by the laptop thief guy) where they'll charge for the new boards, but provide a refund when they get back the old ones. Some chains are getting charged for installing them, some managed to arrange a discount.

Small chains, or hotels outside the US are basically stuffed unless they want to come up with the 16 euro a lock for new board and install.

"Yeah, those locks we sold you, that actually have no security and are trivial to over-ride at will and en-masse? Yeah. Well, we didn't actually SAY our locks would, you know, work. So we're um, not going to fix those for you. But we're doing a great deal on some new locks and installation... Hello? Hello?"
posted by ArkhanJG at 11:44 AM on December 19, 2012 [2 favorites]


Sooner or later the story will come out about why this particular flaw is present, and I'll be really interested to know if engineering knew there was a problem but was overruled by management, or if management was continually reassured by the director of engineering, who's also the CEO's nephew, that it was "very secure".
posted by fatbird at 12:02 PM on December 19, 2012 [4 favorites]


Given security bugs like this one I think there's just a lot of engineers who are ignorant of security issues. Even among engineers who make locks for a living.
posted by GuyZero at 12:10 PM on December 19, 2012 [2 favorites]


Try this
posted by growabrain at 12:18 PM on December 19, 2012 [1 favorite]


I'm not so sure there's anything to this report. It looks like you plug in from the inside of the door, in which case what's the point? You're already in.

I'm confused. Are you saying you only gave yourself enough time to read and misinterpret your post after you made it?
posted by grog at 12:21 PM on December 19, 2012 [2 favorites]


The doorstop / chain / bolt thing works if you are *in* the room. What about if you're not?

If you are of the hacker persuasion, you build an arduino-powered radio-controlled bolt-engager and set the bolt after you leave. Just make sure you also make (and take with you) the bolt-disengager for when you come back.
posted by Phyllis Harmonic at 12:48 PM on December 19, 2012 [1 favorite]


I think there's just a lot of engineers who are ignorant of security issues. Even among engineers who make locks for a living.

I read this immediately after getting off the phone with another engineer - the topic of conversation: turning off authentication and authorization in a web service because it would be expedient for automated systems not to log in, and far too difficult to configure when deploying multiple instances of the service. This is how situations like the lock incident develop. (we will not be turning off authentication).
posted by combinatorial explosion at 12:48 PM on December 19, 2012 [1 favorite]


For those who don't know the background on the bug I linked to: it's a world-readable device that allows you to access all physical memory on a number of Samsung phones. You can hardly think of a bigger security hole. Why have this device? because it makes the camera app easier to write.
posted by GuyZero at 1:02 PM on December 19, 2012 [1 favorite]


If they can't afford the fix, just super glue or epoxy the hole. Yes, you'd have to drill it out if you wanted access to the JTAG port. But how often does that happen?

Great solution! Serious. Hot-melt glue or LocTite Red would even work. It turns the hack from "in-and-out with a magic-magic-marker" to 5 minutes melting and removing glue with a portable torch or heat gun. The manufacturer can send out someone on their dime to replace the lock if an issue arises during its maintenance contract.
posted by Slap*Happy at 1:08 PM on December 19, 2012


The doorstop / chain / bolt thing works if you are *in* the room. What about if you're not?

I suppose criminals could steal all of my stuff and it'd be a huge pain in the ass. But at least I could sleep at night knowing that it'd be tough to get into my room to murder/rape/otherwise accost me.
posted by Elly Vortex at 1:44 PM on December 19, 2012


As an aside, I always feel a bit inadequate as a 'tech' person whenever an Arduino comes up, as I would have no idea where to even begin to know what to do with one, were I given one.
posted by Uther Bentrazor at 1:51 PM on December 19, 2012


Well, those chains can easily be snipped with cutters. The newer horseshoe-shaped latches are a better deterrent, though.
posted by Burhanistan at 1:52 PM on December 19, 2012


This might bankrupt Onity anyway. Could the hotel chains move to another supplier after getting burned on thousands of locks that turned out to be as secure as wet newspaper? Is vendor lock-in (no pun intended) enough to prevent this?
posted by double block and bleed at 2:15 PM on December 19, 2012


Here are the relevant technical details.

>Put all your shit in the safe.

Um, yeah. About that...

I'll charitably assume that the default password can be changed, and even more charitably assume that not every hotel leaves the default default of 000000 unchanged. But how many hotels are going to use a different backdoor code for each individual safe? And if I can open my own safe, do you really expect it's engineered in such a way as to make it hard for me to extract that backdoor code that also lets me open your safe?

Bring your own safe and chain it to the drainpipe (which is, inevitably, the cheapest, thinnest, softest schedule of PVC pipe permitted by the incredibly lax building codes which prevailed in the late Cambrian period when the hotel was constructed). Crisis averted!

And what kind of person uses two-space indents in C code? Furrfu.
posted by sourcequench at 2:36 PM on December 19, 2012 [1 favorite]


You know, it's kind of sad that this works, but I totally agree, the level of oh my godism is a little out of place. Locks aren't great security, but 99% of the time they are good enough security. It stops people from trying the door and walking in. If you think you are important enough to be targeted by a burglar outside of (un)lucky chance you really shouldn't be relying on a hotel keycard lock as your security in the first place.
posted by aspo at 2:37 PM on December 19, 2012 [1 favorite]


I'd be cautious about trusting the "horseshoe-shaped latches", too. Marks I've seen on several hotel room doors make it clear that one of the reasons they've replaced chains is that they're easier to open from the outside. In fact, a trivial search turns up exactly the tool to open them.

Unfortunately the need to access a room locked from the inside by a disabled or deceased customer is probably a realistic concern for hotels. And it may happen frequently enough that they don't want to use a haligan bar every time. But the fact that they retain that ability leaves renters vulnerable to anyone else who can acquire it.

Personally, I'm a lot more comfortable with a couple of stout wedges and something hammer-like to force them under the door. They can be driven out from the other side, and the wrecking bar will still work, but at least neither of those things can be done silently. And when you're out of the room, it was never very safe anyhow.
posted by CHoldredge at 2:48 PM on December 19, 2012 [1 favorite]


Pretty cool hack, but...

“Given that it won’t be a low cost endeavour, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger,” Brocious wrote on his blog. “…If such a significant issue were to exist in a car, customers would likely expect a complete recall at the expense of the manufacturer. I can’t help but feel that Onity has the same responsibility to their customers, and to customers staying in hotels protected by Onity locks.”

It is just a hotel room lock. It is not a life-threatening machine. I doubt if any lock company in the world has ever claimed that their locks just can't be picked by anyone ever. This is even more true for locks in hotels. Hotel rooms are not top security places. Management's need for emergency access to rooms far outweighs some paranoid dude's fancy ideas about what hotel room security should be like. If you want an unpickable lock, make one yourself.
posted by vidur at 3:13 PM on December 19, 2012 [1 favorite]


A minor nit, but it is a JTAG port, not a USB port on the outside

Minor nit nitpick, but the interface is neither JTAG nor USB. It is a proprietary one-wire interface.
posted by JackFlash at 3:54 PM on December 19, 2012


The best thing for securing your hotel room is to vomit all over the outside of the door and lock.

The next best thing is a puddle of blood seeping out from under the door.
posted by orme at 4:42 PM on December 19, 2012 [2 favorites]


Bovine Love writes "For starters he makes the car analogy (always a favorite) but that is very flawed; a slim jim, a very very basic device, can get you into a stunning number of cars. Car security has been horribly flawed -- and known to be -- for decades, with numerous bad flaws including very limited selection of keys, etc. and they have not been recalled, or even fixed in many cases in later models for that matter. "

Car security only has to be as good as a rock to a window. Anything more than that is just a waste of money.
posted by Mitheral at 4:51 PM on December 19, 2012 [1 favorite]


Build it into a toy Sonic Screwdriver and we'll talk. And you'd better retain the BREEEEEEEEEEEEEEE.
posted by BiggerJ at 4:57 PM on December 19, 2012


Not exactly true Mitheral (there is exposure, plus additional risk of being pulled over with a broken window, etc adding up to more exposure then a clean break in), but yah, to an extent, of course. However hotel door security isn't far off, considering how many minimum wage possibly illegal workers have access anyway. I mean seriously, who thinks their shit in a hotel room is secure?
posted by Bovine Love at 6:07 PM on December 19, 2012 [1 favorite]


And what kind of person uses two-space indents in C code?


Anyone who's ever programmed for Google, so all the best engineers I know.
posted by w0mbat at 7:01 PM on December 19, 2012 [2 favorites]


>>And what kind of person uses two-space indents in C code?
>Anyone who's ever programmed for Google, so all the best engineers I know.

<voice persona="Archer">Wow. Ton of stuff just started to make sense to me.</voice>
posted by sourcequench at 9:18 PM on December 19, 2012 [1 favorite]


I am so using the puddle of blood trick next time. Simply brilliant!
posted by five fresh fish at 9:33 PM on December 19, 2012


Considering the number of locks Onity has sold, it might be too much to ask to have them replace all the circuit boards for all the locks they have sold at their cost, which would probably bankrupt them.

To be blunt, I'm okay with that outcome. Blatant, demonstrated incompetence should have consequences.
posted by Suddenly, elf ass at 9:41 PM on December 19, 2012 [1 favorite]


I use two spaces for everything. Why use more? (I was already doing that before I worked at Google...)

It's funny, in a hotel I simply never worry about someone forcing their way into my room - but I do rather worry about people stealing things when I'm gone.

My general theory is to take my ID with me, hide my computer in plain sight in the room (shan't publish the details) and then leave $20 or $40 in the first draw you'd look on the theory that when someone finds the cash and sees nothing else obvious, they'll leave and hit someone else ("I can put this in my pocket and walk out, and it's as if I never went in.")

(This happened to me once that someone broke in and took one obvious tiny thing, so my theory goes they'll do it again.)
posted by lupus_yonderboy at 11:43 PM on December 19, 2012


Oh, and what's funny is that if I were going to make a new line of computer locks, I'd make a dozen prototypes, and then have a contest with a $5K prize for hacking to get the lock open... repeat it a few times and you have something pretty darned tough!
posted by lupus_yonderboy at 11:46 PM on December 19, 2012


Ah, but lupus, you seem to labouring under the belief that security is their number one requirement. I doubt that it is. Ease of access by staff, easy programming, keep drunk customers out of the wrong room, cut a customer off from the room, cheap cards, etc. probably all rate much higher then technically savvy, or at least well equipped, thieves do. I'm not saying that it is impossible to meet all the requirements and get security too (though the price may now also be problematic), I'm just suggesting that it wouldn't normally be all that high priority. Of course, now that this story has got some mainstream press coverage, it becomes an embarrassment, and then 'security' becomes more of an issue.
posted by Bovine Love at 2:59 AM on December 20, 2012 [2 favorites]


...I'd make a dozen prototypes, and then have a contest with a $5K prize for hacking to get the lock open...

A friend of mine who went to Caltech told me that an early ATM maker did exactly that with one of their early prototypes. They took it to Caltech, and offered a prize to anyone who could get it to issue money illicitly. It cost them quite a lot of prize money, but of course it was money well spent, because the students found a lot of vulnerabilities.
posted by Chocolate Pickle at 7:26 AM on December 20, 2012


Bovine Love:
Ah, but lupus, you seem to labouring under the belief that security is their number one requirement. I doubt that it is. Ease of access by staff, easy programming, keep drunk customers out of the wrong room, cut a customer off from the room, cheap cards, etc. probably all rate much higher then technically savvy, or at least well equipped, thieves do.
Right, I was thinking that too. As far as the hotel -- the customer of the lock -- is concerned, their top priority is revenue; and that comes from being able to sell the room. Security matters to the hotel only in so far as it is useful for the guests to feel secure.

Thus pretty much all of the weaknesses discovered are convenience backdoors that allow the hotel to recover from failures and sell the room. If the lock has failed closed, there are multiple ways for the hotel to open it. If the card programmer at the reception desk has failed, there is a way for the hotel to create guest cards at the lock (the "programming key" attack).

(FWIW, I'm at a hotel at the moment and my room key failed three days in a row earlier in the week: every time my room was cleaned, my key stopped working. I wonder if I was bumping up against the "card cycling" lookahead described in the vulnerability.)
posted by We had a deal, Kyle at 8:37 AM on December 20, 2012


You can unlock almost every toilet cubicle in Britain with a 5p piece. I think it's a safety feature.
posted by mippy at 9:27 AM on December 20, 2012


five fresh fish: I am so using the puddle of blood trick next time. Simply brilliant!
Pro Tip(tm): Don't use your own. You end up feeling dizzy by the end of the stay.
posted by IAmBroom at 4:16 PM on December 20, 2012 [2 favorites]


« Older A 22-year old student, Imogen Hedges of London's K...  |  (SLYT) Not your average flashm... Newer »


This thread has been archived and is closed to new comments