Hotel Lock Security Flaw Opens Doors for Crooks that Code

Hotel Lock Security Flaw Opens Doors for Crooks that Code

The good news: the mechanized locks on hotel doors can’t be picked using the old “slide a credit card between the lock and the frame” trick. The bad news: ne’er-do-wells with coding skills and less than $50 in off-the-shelf computer hardware can crack those very same locks in seconds — and they’re already doing so.

Security researcher Cody Brocious first disclosed the vulnerability with Onity brand locks — which can be found on at least four million hotel doors worldwide, Forbes reports — at the Black Hat conference in July. A Texas man has now been arrested and charged after possibly exploiting that flaw in a string of September robberies at the Hyatt House Galleria in Houston.

Hyatt management examined the locks after three rooms were broken into despite no obvious signs of forced entry. Their conclusion: the electronic lock was hacked. Soon after, Houston police arrested 27-year-old Matthew Allen Cook and charged him with theft when he sold a laptop that was swiped in one of the robberies to a local pawn shop.

Brocious’s original hack involved using a full $25 Arduino microcontroller board, complete with messy cabling and accessories, as you can see in the image above. That’s not exactly inconspicuous.  ExtremeTech reports that hackers have since improved the tool’s success rate and managed to cram all of the necessary hardware into a single, innocent-looking dry erase marker, as you can see demonstrated in the video below.

Onity’s response to the vulnerability has been mixed, at best. The company offered to freely supply hotels with plastic caps for the vulnerable port on the bottom of the lock, along with Torx screws to replace the standard Phillips head screws used to secure the lock’s outer casing. Onity also developed an actual fix for the exploit, but it involves replacing each lock’s main circuit board — and Onity will only switch out those circuit boards if hotels pay for the hardware, shipping and labor costs associated with the fix. That response doesn’t fly with Cody Brocious, the researcher who first discovered the vulnerability.

“Given that it won’t be a low cost endeavour, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger,” Brocious wrote on his blog. “…If such a significant issue were to exist in a car, customers would likely expect a complete recall at the expense of the manufacturer. I can’t help but feel that Onity has the same responsibility to their customers, and to customers staying in hotels protected by Onity locks.”

Brocious also thinks that the encoder and portable programmer portions of an Onity lock — not just the circuit board — would need to be replaced in order to rend the lock completely invulnerable to the hack.

Image via Forbes