M'Larceny
August 29, 2017 7:47 AM   Subscribe

Throughout 2012 and 2013, Aaron Cashatt, outfitted in a trademark white fedora, went on an "epic hotel room hacking spree", stealing first linens, then televisions, and finally guests' possessions, fencing them for cash that he would spend on "drug benders, clubs, and casinos." His burglaries relied on a well-known exploit that the locks' manufacturer initially refused to fix for free.

It wasn't until his mistakes added up and law enforcement got a warrant for his Facebook communications which bragged, "Yeah u get addicted to it!!! It’s a sick adrenaline rush!!!, and u have all kinds of cool ass shit when ur done!!" that he was finally caught. He is currently serving a nine year sentence for three burglaries of the more than a hundred that he claims to have committed.
But Cashatt also says he wants to warn the world that the Onity vulnerability Cody Brocious found and that he exploited is still out there. “I guarantee you that if you tried this at some hotel in the Midwest, it would still work 19 out of 20 times,” he says. For that, he blames Onity’s negligence. “They just don’t get it.”

When WIRED asked Onity about whether its lock vulnerability persists, the company responded in a statement that “mechanical solutions have been shipped to all known affected customers, enabling them to implement the security upgrade.” But it didn’t specify how many of those “mechanical solutions” consisted of the actual replacement boards that fix the security issue or the cheap plastic plugs that Cashatt easily defeated.
Previously on Metafilter.
posted by uncleozzy (26 comments total) 19 users marked this as a favorite
 
"just because you can doesn't mean you should"
posted by Annika Cicada at 7:59 AM on August 29, 2017 [3 favorites]


A+ title.

One thing I learned while reading this is that as a career criminal, it is best not to have a trademark look.
posted by Emmy Rae at 8:10 AM on August 29, 2017 [26 favorites]


One thing I learned while reading this is that as a career criminal, it is best not to have a trademark look.

"We're the Wet Bandits!"
posted by Etrigan at 8:15 AM on August 29, 2017 [21 favorites]


> One thing I learned while reading this is that as a career criminal, it is best not to have a trademark look.

It's also a good idea to not admit your crimes on a web service known to cooperate with government agencies.
posted by ardgedee at 8:23 AM on August 29, 2017 [10 favorites]


Brocious, a round, bearded, long-haired and patchily bearded hacker prodigy

Downgraded from bearded to patchily bearded in the same sentence. Harsh!

Also, Wired? Your cursor animation sucks.
posted by zamboni at 8:28 AM on August 29, 2017 [34 favorites]


Downgraded from bearded to patchily bearded in the same sentence. Harsh!

"At the time of publication, Brocious had nearly finished shaving"
posted by Emmy Rae at 8:29 AM on August 29, 2017 [48 favorites]


[What's with the weird mouse cursor at the Wired link? I don't understand why it's red with occasional green flashes. Is it supposed to represent Onity locked/unlocked indicator lights?]
posted by notyou at 8:58 AM on August 29, 2017 [1 favorite]


[It also makes it really hard to copy/paste, so maybe that's the idea.]
posted by notyou at 9:00 AM on August 29, 2017


maybe it's an interactive experience to engage the audience, where you have to hack the article to get what you want.

Chrome: Open Developer Tools, search for "/* cursor". (⋮ > More Tools > Search). You should see something like

html body #shell #post-2260720 div #section-1503512865633 div p style (text)

above the search box. Click where it says style.
<style> == $0 should now be highlighted. Right click on it and choose Delete Element. Close the Inspector.
posted by zamboni at 9:31 AM on August 29, 2017 [13 favorites]


Brocious, a round, bearded, long-haired and patchily bearded hacker prodigy

My mind immediately conjured an image of Bruce Vilanch who, though not a hacker, is most certainly a hack.
posted by Atom Eyes at 9:46 AM on August 29, 2017 [4 favorites]


"Cody Brocious"

We're not just living in a William Gibson novel, we're living in a parody of a William Gibson novel.
posted by octobersurprise at 10:51 AM on August 29, 2017 [31 favorites]


When i worked in Yosemite National Park back in the 90's, all the cleaning people would go through everyone's luggage and steal their illegal drugs. Its not like they could complain to the park service in a federal park that someone stole their pot! Just a "for your information" tidbit....
posted by aacheson at 11:34 AM on August 29, 2017 [11 favorites]


One thing I learned while reading this is that as a career criminal, it is best not to have a trademark look.

One of the things I love about Metafilter is seeing all the different experts coming here and sharing their work experiences.
posted by leotrotsky at 11:36 AM on August 29, 2017 [11 favorites]


Brocious, a round, bearded, long-haired and patchily bearded hacker prodigy

Does he also engage in jawdropping feats of breadcraft?
posted by leotrotsky at 11:40 AM on August 29, 2017 [1 favorite]


Brocious, a round, bearded, long-haired and patchily bearded hacker prodigy
Downgraded from bearded to patchily bearded in the same sentence. Harsh!


His beard was insufficiently brodacious.
posted by Foosnark at 12:47 PM on August 29, 2017 [2 favorites]


As Willie Nelson put it, if you're staying in motel in Laredo, and leave, don't leave nothin in your clothes.
posted by spitbull at 1:39 PM on August 29, 2017 [1 favorite]


One thing I learned while reading this is that as a career criminal, it is best not to have a trademark look.

There are a bunch of things that he did that strike me as really dumb, even for a meth addict with priors: not just having a trademark look, but one that would be difficult to conceal (a white fedora as opposed to, say, a MAGA hat that could be stuck in a suitcase or under a car seat), limiting his exploits mostly to one geographic area, frittering his money away, etc. Which makes me wonder if, contrary to the article's assertion that only Cashatt used Brocious' exploit "to its full criminal potential", you had smarter thieves who planned things out just a little bit better and got away/are still getting away with it.
posted by Halloween Jack at 1:50 PM on August 29, 2017 [7 favorites]


Read a couple grafs of the article, rushed over to Metafilter, where I saw 17 comments had already been posted and I knew, crestfallen, that the double-bearded sentence had surely already been pedanted beyond repair.
posted by Joseph Gurl at 4:41 PM on August 29, 2017 [3 favorites]


Well, they fixed the double-beard sentence, but they still spell "weaning" as "weening".
posted by kenko at 4:51 PM on August 29, 2017


That's brown as fuck. Hail Boognish.
posted by Joseph Gurl at 8:33 PM on August 29, 2017 [2 favorites]


I tried Weening once. For.some reason it seemed to involve sitting in a tin tub filled with a mint Jell-O salad of broken guitar strings and stinky old socks while wearing a gas mask that reeked of brand new couch.
posted by loquacious at 9:57 PM on August 29, 2017 [1 favorite]


So much for white-hat hacking.
posted by tully_monster at 5:51 AM on August 30, 2017 [1 favorite]


Yeah, it's interesting because this is a great case for white-hat hacking: it's a terrible vulnerability that a manufacturer didn't want to fix. But instead of public scrutiny pressuring them to fix it, they just ... stuck some chewing gum on it and called it done?

If you ran a hotel chain, wouldn't you start looking for another electronic lock manufacturer in the face of this?
posted by uncleozzy at 6:00 AM on August 30, 2017 [1 favorite]


Maybe it's a case of vendor lock-in...
posted by Television Name at 10:44 AM on August 30, 2017 [2 favorites]


uncleozzy, I was making a terrible joke! Someone had to say it :-)

Seriously, though, the expense of replacing all those locks would be dwarfed by the loss of revenue because prospective customers down the line no longer felt safe. You'd think they'd take that into consideration. Or maybe they did and decided it was a risk they were willing to take. When you're exhausted and looking for a place to crash, you don't bother to find out what kind of cardreader the closest vacant room has installed.
posted by tully_monster at 2:13 PM on August 30, 2017


Rhymes with 'ass-hat'
posted by ctmf at 7:00 PM on August 30, 2017


« Older Character is what you do when you've got a lot to...   |   A gentleman should be be a rebuke and scandal to... Newer »


This thread has been archived and is closed to new comments