How many of you trust the security in your hotel room? The door to the room is locked tight, right? Key cards have become the norm, and new radio frequency ID cards are starting to roll out. You can imagine these ought to be safer than a standard metal lock that anyone with some practice and a “bump” key would be able to crack in a few seconds. Of course, hotel employees will still have access to your room with universal keys, but there’s not much you can do about that.
Well, it turns out that just about anyone can crack the electronic lock on a hotel room in a few seconds using a $50 homebrew device and a screwdriver.
At the recent Black Hat security conference in Las Vegas, Cody Brocious, a software developer for Mozilla (the foundation/corporation behind Firefox) demonstrated how to find and use the master site code in electronic hotel locks manufactured by Onity. This code is used to reprogram the locks with a small electronic device. (Read more on Cody’s website.)
However, this code is not protected by any kind of encryption and is stored in the same place on every lock. Because it also serves as a standard-sized charging port for the lock’s battery, similar to the one on an old Nokia mobile phone, it is pretty easy to create your own simple device with off-the-shelf parts to read the code and play it back to unlock the door. Who here has ever been alone in a hotel hallway? It’s not that uncommon. All a thief or other malicious person needs are a few seconds to unscrew the cover plate at the base of the lock and 200 milliseconds for the device to do its work automatically.
(Arduino devices are the modern-day equivalent of the BASIC Stamp II microcontrollers I would play around with as a pre-teen. They are not that difficult to figure out, so this trick is within the reach of most people.)
Point Me to the Plane mentioned the original story a couple weeks ago, and the exploit has since been refined to work on nearly every lock sold. But now Onity, which provides electronic locks for over four million hotel rooms around the world, has come up with a response that is underwhelming. They propose two fixes, as reported by Forbes:
- The free option: Hotels will get a plug to hide the access port. A cover plate normally covers this access port anyway–that’s why you need the screwdriver mentioned earlier. Onity will provide Torx screws that require a hexagonal screwdriver instead of the usual Phillips or standard types. Big deal. For $20 I once bought an assortment of 20 differently-sized Torx heads at the same mainstream electronics store that will sell the parts for your lock pick.
- The expensive option: Hotels will have to pay for Onity to provide new circuit boards that make this master code a lot harder to find and use. Hotels will also have to pay for shipping and labor to replace the defective locks.
This seems like a major security issue if the locks are so easy to break into. I understand the reason for a master site code. Hotel management needs to be able to access and reprogram their locks without too much hassle. But it appears that their portable reprogramming devices are no more sophisticated than the little gadget this guy made on his own. I would have expected some encryption, perhaps requiring a PIN known only to hotel management before the site code can be accessed. Instead, all the electronics inside have made this device less secure than a standard physical key.
Personally, I don’t trust the locks on these doors anyway. Nothing stops the hotel staff from entering, and more than once I’ve had to shoo away housekeeping or maintenance when they tried to enter without even knocking. So in the meantime, throw the security latch above the door and hope that hotels are either willing to write off this expense or push Onity to take more responsibility for their negligence. As for what to do when you’re out of the room… I guess you’ll just have to hope the security safe inside each room has technology slightly more robust.
Did you learn something interesting? Show your support! Like this blog on Facebook or join my Twitter feed to share it with your friends and help get the word out to potential travel hackers everywhere. Subscribe by RSS to get delivery of every new post.
Note: School and work are still taking up time as I near the finish line, but my temporary absence these last few days should become less frequent. Thanks for sticking around…