Huge Flaw Found in Hotel Room Locks
Posted on 22nd Aug 2012 @ 2:43 PM
Cody Brocious is a software developer at Mozilla, the organization behind the Firefox web browser. Last month, Brocious appeared at a hacking conference in Las Vegas to demonstrate a severe security flaw he discovered in the electronic hotel room locks manufactured by Onity. Brocious also published a paper on his website detailing the attack, which, if carried out successfully, could be used to open millions of hotel room doors around the world. According to the paper, the attack hardware can be built from roughly $30 worth of parts around a hobbyist microcontroller. That’s right: $30 and a little technical know-how is all it takes to gain entry to rooms in hotels all over the world.
ExtremeTech’s Sebastian Anthony calls this a “stupendously disgusting lack of security” and argues that “for a company that is tasked with securing millions of humans every night…it would’ve been nice if Onity had shown slightly more foresight.”
Now that Mr. Brocious’s attack is public, Onity has had no choice but to start dealing with it. He did not disclose the flaw to the company in advance of revealing it publicly, a decision he told Forbes he made because he saw “no path to mitigate this from Onity’s side.” He has a point: the flaw is in the lock’s firmware, so a real fix means replacing the control board inside each affected lock, and across millions of installed locks that is a process that could take a long time.
On Saturday, it was learned what Onity is doing to deal with this flaw: as the Verge’s Bryan Bishop reports, the company is offering hotels two options. The first is a mechanical fix that does not actually repair the underlying vulnerability: Onity will provide hotels with caps for the exposed ports on its locks, along with a security screw. Together, those mean that an attacker would have to partially dismantle the lock to reach the port, which raises the effort and the chance of being noticed but leaves the vulnerable firmware in place. The mechanical caps are free. The second option, the only one that actually fixes the firmware problem, is far from free. Here’s an excerpt from a statement the company released last week:
“The second solution Onity will offer to our customers, if they choose to use this option, is to upgrade the firmware of the HT and ADVANCE series locks. The firmware is currently complete for the HT24 lock, and by early next week should be complete for the entire HT series of locks. By the end of August we should have the firmware complete for the ADVANCE lock as well.
The deployment of this second solution, for HT series locks, will involve replacement of the control board in the lock. For locks that have upgradable control boards, there may be a nominal fee. Shipping, handling and labor costs to install these boards will be the responsibility of the property owner. For locks that do not have upgradable control boards, special pricing programs have been put in place to help reduce the impact to upgrade the older model locks.”
It’s good to see that Onity is taking steps to repair this vulnerability. But business travelers should be aware that hotels using Onity locks with an exposed port on the underside may remain vulnerable for some time to come, and a plastic cap alone does not change that. It’s also easy to see how a mistake like this could be devastating for Onity’s brand. Why would hotels pay to upgrade their vulnerable Onity locks to newer, supposedly impregnable Onity locks when they could switch to a different manufacturer entirely?