Open Millions of Hotel Rooms With Arduino
MrSeb writes with an excerpt from Extreme Tech about a presentation at Black Hat: "Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms. This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who didn't disclose the hack to Onity before going public, there is no easy fix: There isn't a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed. I wish I could say that Brocious spent months on this hack, painstakingly reverse-engineering the Onity lock protocol, but the truth — as always, it seems — is far more depressing. 'With how stupidly simple this is, it wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments,' says Brocious. 'An intern at the NSA could find this in five minutes.'"
Well, that's it! (Score:5, Insightful)
Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms.
Well, that's it! There's only one thing we can do... outlaw Arduinos
I wouldn't have either (Score:5, Insightful)
When the guys share these hacks with the companies ahead of time, they tend to get sued or get their presentations cancelled by the vengeful corporations. They're better off not disclosing these things ahead of time.
Re:Lock the door when inside (Score:3, Insightful)
Obviously that person meant the chain lock that's separate from the key card lock. I hope not just the deadbolt; the ones built in to hotel key card lock mechanisms can be opened by the master key card. Not the ones the housekeepers carry but the one the chief maintenance guy keeps in his office. One assumes this hack can open the bolt as well as the regular latch.
A bit of hyperbole... (Score:5, Insightful)
The bottom line is that if you aren't using the mechanical bolt or slide lock when staying at *any* hotel, you were vulnerable way before this hack. Keep in mind that there are plenty of AUTHORIZED users of master card keys on the hotel staff.
What happened to responsible disclosure? (Score:5, Insightful)
Re:A bit of hyperbole... (Score:5, Insightful)
When a hotel staffer uses a master key card, it's logged (the security system notes which key was used when). Presumably with this hack, that isn't necessary. Also, the ability to open the doors on 25% of hotel rooms is still a concern.
Auditing (Score:4, Insightful)
Re:A bit of hyperbole... (Score:5, Insightful)
The bottom line is that if you aren't using the mechanical bolt or slide lock when staying at *any* hotel, you were vulnerable way before this hack.
That might work if you're *in* the room. What if you need to venture outside?
Re:Reliable? (Score:5, Insightful)
From TFA: He tested this hack on three randomly chosen hotel room doors, and failed to open any. He had to stop to reprogram the device, and then managed to open one of the doors. I'll stick to being worried about corrupt security guards.
Proof of Concept != Final Version
Re:A bit of hyperbole... (Score:4, Insightful)
Wrong (Score:4, Insightful)
Re:I'm sure the government has easier ways (Score:5, Insightful)
Silly Reader, warrants are so 20th century. These days, they just show a letter, that you can't discuss with anyone, citing a "secret" law. Yes, it's unconstitutional, but if you're a $12/hour clerk, and the guy with the gun is asking, are you going to make a fuss?
Re:Image (Score:5, Insightful)
would it kill you to put on the veneer of respectability?
Like a banker? ;)
Re:I'm sure the government has easier ways (Score:5, Insightful)
With a warrant, you can do practically anything, because a judge has signed off on it.
It's what they can do without warrants that scares me.
Re:What happened to responsible disclosure? (Score:5, Insightful)
Responsible disclosure is a fair response to a responsible failure. Few of these that make the news are responsible failures. Chisellers dressed up in security theatre profiting from their faux contrivances while playing this stupid game of harassing the bearer of bad news, as if the bearer of bad news is an indentured, unpaid employee.
I understand the source of this faux reverence for charlatans much better after reading God is not Great. Scientology was a crock from day one, but now that so many gentle and naive souls have absorbed this crockery and imbued it with deep personal meaning, those of us who are deeply offended by the shitbag Hubbard are supposed to subside into polite silence. I asked myself after reading Hitchens: Why do I sit around keeping a respectfully stiff upper lip about xemufascism? To hell with that.
Banks should not be bailed out of bad loans, and security professionals should not be bailed out for chrome-plating obscurity. When the mistake is subtle enough to make a patent examiner's head explode, I'm all for responsible disclosure. Either pass the bar, or don't let the door hit you on the way out.
Re:I wouldn't have either (Score:5, Insightful)
Re:Wrong (Score:4, Insightful)
Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the hole with an exterior lock.
That port is used to recharge the battery in the lock.
Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only needs to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.
The board itself is probably cheap, removing the port from the board and soldering in a new daughter board/port would be expensive. I don't see any advantage to that over replacing the whole board, which is what the article ("New circuitboards will have to be installed in every affected lock,") actually suggests.
Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware.
Brocious's full time job was to reverse engineer Onity's locks and front desk systems for a startup; he probably knows whether the lock has upgradable firmware.
Re:What happened to responsible disclosure? (Score:2, Insightful)
As another poster has mentioned, responsible disclosure has been punished in the past, by the original disclosee using the courts to prevent the later presentation.
When the courts did not punish these parties for
the court system effectively took an anti-responsible-disclosure position. This guy is just going along with the government's opinion that responsible disclosure is a bad idea and force should be used to discourage people from doing it, because it's better to surprise an industry and userbase with a sudden security threat. As mentioned, a very credible and likely alternative is that he could have been sued by the vendor for telling them about the problem prior to the presentation.
And of course, there's the other point, which is that most people who would take advantage of this hole, probably already knew about it.
Here's how it can be fixed. Some people do still use responsible disclosure. It's not dead; it's just risky and didn't happen in this case. I want to see the Right Thing happen when a vendor mis-handles it. If they sue the bad-news-bearer or sue to prevent a presentation, and the court responds with serious sanctions, so that the suing company's equity holders lose all their equity (and maybe some personal assets as well) as a direct result of their legal aggression, then responsible disclosure will become a viable practice.
Telling your lawyer to write a nasty letter needs to become a risky thing to do, only done when someone is sure they're right. People who do that in bad faith, knowing they will cause expense or inconvenience for the innocent party that the nasty letter is aimed at, need to lose. We need to enact policies which cause them to lose. And you can't have responsible disclosure be a widely-used strategy without these new policies.
Re:Wrong (Score:5, Insightful)
Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the hole with an exterior lock. Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only needs to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.
Fill the hole: No. Read the article. The hole is needed and used routinely to charge the battery and reprogram.
Cover the hole with an exterior lock: So this is your plan to avoid changing out the lock? Add yet another lock on top? And how secure is that lock?
Add a circuit ahead of the main board: Where? There is no room for that. You would have to replace the entire main board.
Firmware fix: Perhaps possible, but these are very old designs using very limited microcontrollers. And you would still have to replace every reprogramming device in the field to get around this because your solution would also prevent reprogramming the lock.
So, NO, the article is not completely wrong. Your post is pretty close to completely wrong.
By the time you do any of the modifications you suggest, it would be cheaper to change the lock.
And none of those changes could be accomplished by the handyman. At best, they might be able to change out the lock. Most of those guys know how to swing a wrench and a toilet plunger. They are not very good at board level soldering. Even worse at changing microprocessors inside a lock chassis designed specifically to be tamper resistant.
Best case is that they can replace the entire circuit board using cheaper, more modern ICs in the same amount of space. But even that is likely to be more expensive than just replacing every single lock.
In actuality, this will never be done until the next hotel remodel. Additional theft insurance, maybe purchased by the manufacturer, will be by far the cheapest alternative.
Re:I wouldn't have either (Score:4, Insightful)
> suggesting a plan for murder is a really, really poor choice
From the website explanation:
Unless you believe that Brocious can somehow know the details of every murder trial currently going on anywhere in the world at this time, this fact is actually an excellent defense for justifying immediate disclosure.
And anyway, if your interesting legal theory was correct, the broadcast of every Columbo episode, for example, would have exposed {N,A}BC to criminal charges or civil liability. Not likely.
Re:I wouldn't have either (Score:3, Insightful)
If they truly cannot fix these locks without physically replacing them, I can guarantee any prior contact with them about this bug would have resulted in every legal and possible assumed legal response they could think of to prevent him from disclosing the information.
The end result would be no disclosure, and everyone that stays in one of these hotel rooms is at risk. At least if the information is public, people can take action to protect themselves and their stuff by using the deadbolt/latch, the safe, taking their shit with them, leaving it in their trunk or at the place they are working if this is a business trip.
Re:Image (Score:4, Insightful)
Do you want to turn people off needlessly
If those people are such sorry excuses for human beings as to judge someone based on the clothes they wear, they can fuck right off. There is nothing inherently respectable about wearing slacks, and quite a lot inherently disrespectable about judging people based on appearances. It's just another manifestation of the base tribal instincts that are responsible for racism, and it's not a bit nicer.
Re:I wouldn't have either (Score:3, Insightful)
You know how you feel when your computer-illiterate relatives try to talk to you about programming or hacking? That's how lawyers feel when Slashdotters try to talk about law.
Re:Well, that's it! (Score:5, Insightful)
"...who should be scolded for not disclosing the hack to Onity before going public"
a) As if they don't already know what the hack is.
b) If the only solution is to change all the locks, maybe on their own dime, do you think disclosure will make them volunteer to do it?