Open Millions of Hotel Rooms With Arduino

MrSeb writes with an excerpt from Extreme Tech about a presentation at Black Hat: "Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms. This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who didn't disclose the hack to Onity before going public, there is no easy fix: There isn't a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed. I wish I could say that Brocious spent months on this hack, painstakingly reverse-engineering the Onity lock protocol, but the truth — as always, it seems — is far more depressing. 'With how stupidly simple this is, it wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments,' says Brocious. 'An intern at the NSA could find this in five minutes.'"

Well, that's it!

[camperdave]

Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms.

Well, that's it! There's only one thing we can do... outlaw Arduinos

I wouldn't have either

[Anonymous Coward]

When the guys share these hacks with the companies ahead of time, they tend to get sued or get their presentations cancelled by the vengeful corporations. They're better off not disclosing these things ahead of time.

Re:Lock the door when inside

[magarity]

Obviously that person meant the chain lock that's separate from the key card lock. I hope not just the deadbolt; the ones built in to hotel key card lock mechanisms can be opened by the master key card. Not the ones the housekeepers carry but the one the chief maintenance guy keeps in his office. One assumes this hack can open the bolt as well as the regular latch.

A bit of hyperbole...

[kaizendojo]

When demonstrated for the reporter, the hack only worked on *one* out of *four* of the doors tested in a REAL hotel, and then only on the second attempt after Brocious fine tuned and tweaked his software. Also, this can be defeated by simply using any one of the mechanical locks on the door.

The bottom line is that if you aren't using the mechanical bolt or slide lock when staying at *any* hotel, you were vulnerable way before this hack. Keep in mind that there are plenty of AUTHORIZED users of master card keys on the hotel staff.

What happened to responsible disclosure?

[nastav]

It's easily and effectively argued that security through obscurity does no one any good, but responsible disclosure is still widely considered to be a good practice. Supposing a vendor is willing to fix their serious bugs, it really helps in preventing large scale attacks between the time of disclosure and reaction (by the vendor). If Onity had been willing to replace all it's locks over a short period of time (say, 6 months) at massive cost to itself - but nevertheless done it to protect it's long term reputation, it makes a lot of sense to give Onity that opportunity without outing the flaw. It's unlikely that such a large-scale replacement of locks would have been pursued, but giving Onity an opportunity to consider that option would have been responsible. It helps Onity, but it also helps customers of Onity (like Hotels who might have chosen to replace their locks, or individuals who might ask questions before going to a particular hotel). Now everybody knows it can be done, and many will try. Sure, an NSA intern could have figured it out, but the fact remains that it was not being massively exploited for large-scale robberies, for e.g.. Targeted exploits are bad - no doubt - and I'm sure some of this was already going on, but there isn't much doubt that the sum total of targeted exploits does less bad than what might happen now - namely large scale exploits. I suppose I'm arguing that security-through-obscurity does work - but in a targeted and limited fashion - as to provide cover for short durations when real security is pursued. It may not work, but it's worth a try - and by going public before giving Onity a chance to pursue a 'fix', this researcher has, in my books, acted against public good.

Re:A bit of hyperbole...

[SkimTony]

When a hotel staffer uses a master key card, it's logged (the security system notes which key was used when). Presumably with this hack, that isn't necessary. Also, the ability to open the doors on 25% of hotel rooms is still a concern.

Auditing

[nastav]

All locks can be defeated with enough effort. The goal often is make it obvious that a lock was defeated - by leaving an electronic trail or physical one (broken door for e.g.). Akin silent data-loss, silent compromise of a lock is much much worse.

Re:A bit of hyperbole...

[Anonymous Coward]

The bottom line is that if you aren't using the mechanical bolt or slide lock when staying at *any* hotel, you were vulnerable way before this hack.

That might work if you're *in* the room. What if you need to venture outside?

Re:Reliable?

[Anonymous Coward]

From TFA: He tested this hack on three randomly choosen hotel room doors, failed to open any. Had to stop to reprogram the device, and then managed to open one of the doors. I'll stick to being worried about corrupt security guards.

Proof of Concept != Final Version

Re:A bit of hyperbole...

[camperdave]

The problem with using the mechanical bolt or slide lock is that they must be operated from *INSIDE* the room. I don't know about others, but when I'm staying at a hotel it is because I am attending a conference or something, so most of the time I am not inside the room. So the deadbolt or chain lock does nothing. If a bad guy wanted in while someone was inside, all he would have to do is knock on the door and say "Hotel security. Open the door, please".

Wrong

[Belial6]

Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the whole with an exterior lock. Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only need to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.

Re:I'm sure the government has easier ways

[Maximum Prophet]

Silly Reader, warrants are so 20th century. These days, they just show a letter, that you can't discuss with anyone, citing a "secret" law. Yes, it's unconstitutional, but if you're a $12/hour clerk, and the guy with the gun is asking, are you going to make a fuss?

Re:Image

[slashmojo]

would it kill you to put on the veneer of respectability?

Like a banker? ;)

Re:I'm sure the government has easier ways

[gstoddart]

I'm pretty sure that all the US government would have to do is turn up with a warrant and be given access to any room they like regardless of the type of lock used.

With a warrant, you can do practically anything, because a judge has signed off on it.

It's what they can do without warrants that scares me.

Re:What happened to responsible disclosure?

[epine]

If Onity had been willing to replace all it's locks over a short period of time (say, 6 months) at massive cost to itself - but nevertheless done it to protect it's long term reputation, it makes a lot of sense to give Onity that opportunity without outing the flaw.

Responsible disclosure is a fair response to a responsible failure. Few of these that make the news are responsible failures. Chisellers dressed up in security theatre profiting from their faux contrivances while playing this stupid game of harassing the bearer of bad news, as if the bearer of bad news is an indentured, unpaid employee.

I understand the source of this faux reverence for charlatans much better after reading God is not Great. Scientology was a crock from day one, but now that so many gentle and naive souls have absorbed this crockery and imbued it with deep personal meaning, those of us who are deeply offended by the shitbag Hubbard are supposed to subside into polite silence. I asked myself after reading Hitchens: Why do I sit around keeping a respectfully stiff upper lip about xemufascism? To hell with that.

Banks should not be bailed out of bad loans, and security professionals should not be bailed out for chrome-plating obscurity. When the mistake is subtle enough to make a patent examiner's head explode, I'm all for responsible disclosure. Either pass the bar, or don't let the door hit you on the way out.

Re:I wouldn't have either

[Yvanhoe]

Onity sells fake security. They are the ones who should be sued by their thousands of clients. If you sell security, you have to be good at it.

Re:Wrong

[pepty]

Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the whole with an exterior lock.

That port is used to recharge the battery in the lock.

Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only need to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.

The board itself is probably cheap, removing the port from the board and soldering in a new daughter board/port would be expensive. I don't see any advantage to that over replacing the whole board, which is what the article ("New circuitboards will have to be installed in every affected lock,") actually suggests.

Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware.

Brocious's full time job was to reverse engineer Onity's locks and front desk systems for a startup; he probably knows whether the lock has upgradable firmware.

Re:What happened to responsible disclosure?

[Anonymous Coward]

responsible disclosure is still widely considered to be a good practice.

As another poster has mentioned, responsible disclosure has been punished in the past, by the original disclosee using the courts to prevent the later presentation.

When the courts did not punish these parties for

1. abusing the court system to prevent presentations
2. shooting messengers
3. undermining responsible disclosure

the court system effectively took an anti-responsible-disclosure position. This guy is just going along with the government's opinion that responsible disclosure is bad idea and force should be used to discourage people from doing it, because it's better to surprise an industry and userbase with a sudden security threat. As mentioned, a very credible and lvikely alternative is that he could have been sued by the vendor for telling them about the problem prior to the presentation.

And of course, there's the other point, which is that most people who would take advantage of this hole, probably already knew about it.

Here's how it can be fixed. Some people still do still use responsible disclosure. It's not dead; it's just risky and didn't happen in this case. I want to see the Right Thing happen when a vendor mis-handles it. If they sue the bad-news-bearer or sue to prevent a presentation, and the court responds with serious sanctions, so that the suing company's equity holders lose all their equity (and maybe some personal assets as well) as a direct result of their legal aggression, then responsible disclosure will become a viable practice.

Telling your lawyer to write a nasty letter, needs to become a risky thing to do, only done when someone is sure they're right. People who do that in bad faith, knowing they will cause expense or inconvenience for the innocent party that the nasty letter is aimed at, need to lose. We need to enact policies which cause them to lose. And you can't have responsible disclosure be a widely-used strategy, without these new policies.

Re:Wrong

[icebike]

Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the whole with an exterior lock. Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only need to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.

Fill the hole: No. Read the article. The hole is needed and used routinely to charge the battery and reprogram.
Cover the hole with an exterior lock: So this is your plan to avoid changing out the lock? Add yet another lock on top? And how secure is that lock?
Add a circuit ahead of the main board: Where? There is no room for that. You would have to replace the entire main board.
Firmware fix: Perhaps possible, but these are very old designs using very limited microcontrollers. And you would still have to replace every reprogramming device in the field to get around this because your solution would also prevent reprogramming the lock.

So, NO, the article is not completely wrong. Your post is pretty close to completely wrong.
By the time you do any of the modifications you suggest, it would be cheaper to change the lock.

And none of those changes could be accomplished by the handyman. At best, they might be able to change out the lock. Most of those guys know how to swing a wrench and a toilet plunger. They are not very good at board level soldering. Even worse at changing microprocessors inside a lock chassis designed specifically to be tamper resistant.

Best case is that they can replace the entire circuit board using cheaper more modern ICs in the same amount of space. But even that is likely to more expensive to than just replacing every single lock.

In actuality, This will never be done, until the next hotel remodel. Additional theft insurance, maybe purchased by the manufacturer, will be by far the cheapest alternative.

Re:I wouldn't have either

[Mathinker]

> suggesting a plan for murder is a really, really poor choice

From the website explanation:

Such circumstantial evidence, placing a staff member in the room at the time of death, could be damning in a murder trial, and at least would make that staff member a prime suspect. While other factors (e.g. closed circuit cameras, eyewitnesses, etc) could be used to support the staff member's case, there's no way we can know whether or not the audit report is false.

Unless you believe that Brocious can somehow know the details of every murder trial currently going on anywhere in the world at this time, this fact is actually an excellent defense for justifying immediate disclosure.

And anyway, if your interesting legal theory was correct, the broadcast of every Columbo episode, for example, would have exposed {N,A}BC to criminal charges or civil liability. Not likely.

Re:I wouldn't have either

[nolife]

If they truely can not fix these locks without physically replacing them, I can garentee any prior contact with them about this bug would have resulted in every legal and possible assumed legal resposnse they could think of to prevent him from disclosing the information.
The end result would be no disclosure and everyone that stays in one of these hotel rooms is at risk. At least if the information is public, people can take action to protect themselves and their stuff by using the deadbolt/latch, the safe, taking their shit with them, leaving in their trunk or at the place they are working if this is a business trip.

Re:Image

[Hatta]

Do you want to turn people off needlessly

If those people are such sorry excuses for human beings as to judge someone based on the clothes they wear, they can fuck right off. There is nothing inherently respectable about wearing slacks, and quite a lot inherently disrespectable about judging people based on appearances. It's just another manifestation of the base tribal instincts that are responsible for racism, and it's not a bit nicer.

Re:I wouldn't have either

[Anonymous Coward]

You know how you feel when your computer-illiterate relatives try to talk to you about programming or hacking? That's how lawyers feel when Slashdotters try to talk about law.

Re:Well, that's it!

[Joce640k]

"...who should be scolded for not disclosing the hack to Onity before going public"

a) As if they don't already know what the hack is.
b) If the only solution is to change all the locks, maybe on their own dime, do you think disclosure will make them volunteer to do it?