Open Millions of Hotel Rooms With Arduino

Posted by Unknown Lamer
from the do-not-disturb-taken-as-challenge dept.
MrSeb writes with an excerpt from Extreme Tech about a presentation at Black Hat: "Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms. This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who didn't disclose the hack to Onity before going public, there is no easy fix: There isn't a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed. I wish I could say that Brocious spent months on this hack, painstakingly reverse-engineering the Onity lock protocol, but the truth — as always, it seems — is far more depressing. 'With how stupidly simple this is, it wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments,' says Brocious. 'An intern at the NSA could find this in five minutes.'"

  • Well, that's it! (Score:5, Insightful)

    by camperdave (969942) on Wednesday July 25, 2012 @09:14AM (#40763781) Journal

    Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms.

    Well, that's it! There's only one thing we can do... outlaw Arduinos

    • Re: (Score:3, Funny)

      by Anonymous Coward

      Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms.

      Well, that's it! There's only one thing we can do... outlaw Arduinos

      Not a complete solution, I'm sure there are other devices that could be used. To solve the problem completely we'll have to outlaw programming.

      • by billcopc (196330)

        That's not sufficient. We have to go all the way and outlaw thinking. It's the only way to be sure no one defeats our puny weapons with their superior intellect.

    • by Joce640k (829181) on Wednesday July 25, 2012 @12:43PM (#40766759) Homepage

      "...who should be scolded for not disclosing the hack to Onity before going public"

      a) As if they don't already know what the hack is.
      b) If the only solution is to change all the locks, maybe on their own dime, do you think disclosure will make them volunteer to do it?

    • Re:Well, that's it! (Score:4, Interesting)

      by uigrad_2000 (398500) on Wednesday July 25, 2012 @02:44PM (#40768371) Homepage Journal

      Well, that's it! There's only one thing we can do... outlaw Arduinos

      That's the beauty *cough* of the DMCA. They already are illegal! They will continue to be illegal until the Library of Congress makes an exemption [wikipedia.org].

      I'm not completely sure if owning them is legal or not. The DMCA prevents "dissemination of technology, devices, or services intended to circumvent measures". Later provisions in the law cover cases where the device is not intended for circumvention, but is frequently used that way, such as open source DVD player software, which is not intended for copying the DVD, but can be used that way. Simply owning an Arduino would not qualify as "dissemination", but if you unknowingly sold or gave away your Arduino, I'm pretty sure you could be charged with breaking the DMCA. It's unlikely that you would be charged, unless the person that bought your Arduino proceeded to use it to break into a hotel room, but the point is that it's nearly impossible to avoid breaking this law!

  • by Anonymous Coward on Wednesday July 25, 2012 @09:16AM (#40763791)

    When the guys share these hacks with the companies ahead of time, they tend to get sued or get their presentations cancelled by the vengeful corporations. They're better off not disclosing these things ahead of time.

    • by plover (150551) *

      Their presentations may or may not get suppressed, but this approach pretty much ensures he will get sued.

      Worse, in his paper he uses an example of framing a hotel employee for murder! While dramatizing the vulnerability is not uncommon amongst hackers looking to draw media attention to the seriousness of their claims, suggesting a plan for murder is a really, really poor choice. The consequences of this could be even higher than the civil penalties of a lawsuit.

      • by TheCarp (96830) <sjc@nospAm.carpanet.net> on Wednesday July 25, 2012 @10:35AM (#40764817) Homepage

        That is, unless he is planning to use the Basic Instinct Defense "What, do you think I am stupid enough to publish details of how a murder could be committed, by anyone, using these devices, and then do it myself?"

        Though, if he tries it, I hope he remembers, the short white dress and no underwear is key to making it work.

      • by Mathinker (909784) on Wednesday July 25, 2012 @11:18AM (#40765507) Journal

        > suggesting a plan for murder is a really, really poor choice

        From the website explanation:

        Such circumstantial evidence, placing a staff member in the room at the time of death, could be damning in a murder trial, and at least would make that staff member a prime suspect. While other factors (e.g. closed circuit cameras, eyewitnesses, etc) could be used to support the staff member's case, there's no way we can know whether or not the audit report is false.

        Unless you believe that Brocious can somehow know the details of every murder trial currently going on anywhere in the world at this time, this fact is actually an excellent defense for justifying immediate disclosure.

        And anyway, if your interesting legal theory was correct, the broadcast of every Columbo episode, for example, would have exposed {N,A}BC to criminal charges or civil liability. Not likely.

        • by plover (150551) *

          Very good point!

          But that won't stop an attorney hell-bent on suing him into oblivion from bringing it up in court negatively as well: "The defendant literally told people how to use his device to get away with murder! This is further evidence that he was being malicious towards the plaintiff in his disclosure, which is why you must find in favor of my client."

          • Re: (Score:3, Insightful)

            by Anonymous Coward

            You know how you feel when your computer-illiterate relatives try to talk to you about programming or hacking? That's how lawyers feel when Slashdotters try to talk about law.

      • Re: (Score:3, Insightful)

        by nolife (233813)

        If they truly cannot fix these locks without physically replacing them, I can guarantee any prior contact with them about this bug would have resulted in every legal and possible assumed legal response they could think of to prevent him from disclosing the information.
        The end result would be no disclosure and everyone that stays in one of these hotel rooms is at risk. At least if the information is public, people can take action to protect themselves and their stuff by using the deadbolt/latch, the safe,

      • by cayenne8 (626475)

        Their presentations may or may not get suppressed, but this approach pretty much ensures he will get sued.

        Why would he get sued?

        He didn't do anything libelous or slanderous....just told the truth about something he discovered.

    • by rvw (755107) on Wednesday July 25, 2012 @10:20AM (#40764595)

      When the guys share these hacks with the companies ahead of time, they tend to get sued or get their presentations cancelled by the vengeful corporations. They're better off not disclosing these things ahead of time.

      Plus in this case, what could Onity have done? They cannot create an update that is automatically downloaded and installed over the next month onto those locks, like with Windows or Flash. If they knew about this before, and had a proper fix for it, then they would have to communicate it to thousands of hotels, and that would result in disclosure as well.

  • by crazyjj (2598719) * on Wednesday July 25, 2012 @09:16AM (#40763795)

    Great news for the budget-minded vacationer looking for a hotel bargain.

  • Stolen (Score:2, Redundant)

    by Sulphur (1548251)

    Someone stole my first post. It was locked in a hotel room.

  • Reliable? (Score:4, Informative)

    by Slippery_Hank (2035136) on Wednesday July 25, 2012 @09:27AM (#40763923)
    From TFA: He tested this hack on three randomly chosen hotel room doors, failed to open any. Had to stop to reprogram the device, and then managed to open one of the doors. I'll stick to being worried about corrupt security guards.
    • Re:Reliable? (Score:5, Insightful)

      by Anonymous Coward on Wednesday July 25, 2012 @09:39AM (#40764057)

      From TFA: He tested this hack on three randomly chosen hotel room doors, failed to open any. Had to stop to reprogram the device, and then managed to open one of the doors. I'll stick to being worried about corrupt security guards.

      Proof of Concept != Final Version

    • by garcia (6573)

      I'll stick to being worried about corrupt security guards.

      Or, as in my case on two different occasions, asking the cleaning personnel to open my door because I got locked out while going to get ice.

      But seriously, who leaves shit in their rooms at hotels anyway? The hotel safes can be opened with 0000 or 9999 most often and with staff members making minimum wage, the chance of theft is high.

      When I'm traveling, all of my items of any real value come with me (laptop, phone, wallet, money, prescriptions) and if

      • by Dcnjoe60 (682885)

        When I'm traveling, all of my items of any real value come with me (laptop, phone, wallet, money, prescriptions) and if they want to steal my shitty clothing and toiletries, so be it.

        And when you are at Disney World, the pool, the fitness center or the bar, how does lugging that laptop around go?

        • by garcia (6573)

          I never had a single problem with it (and I did exactly all of those things when I was at WDW for a conference in April).

        • by DarkOx (621550)

          The best place to keep valuables when staying somewhere like that is locked in the trunk of your car. If you flew and then took cabs rather than get a rental car, your situation is pretty hopeless.

      • by nolife (233813)

        When I travel, I leave my stuff out everywhere similar to what I do at home, throw loose bills and change on the table, laptop sitting out possibly still plugged in and on. I average about 30 nights a year in a hotel room and I've never had a problem with anything missing that I've noticed. When my room is cleaned, all of my stuff is still in the same exact place or it's moved into one neat pile instead of many scattered piles. It only takes one corrupt person though but it's not like the one time you forge

    • by gwolf (26339)

      My experience in the last hotel where I stayed:

      Got out of the pool, wrapped in a towel, went to the desk.
      – Oh, ma'am, I'm sorry, I guess I forgot my key in the room. Can somebody open the room for me? It's 104
      – Don't worry, click-click-swipe. Here is a new key for you. Cheers!

      How hard is this system to abuse?

    • Re:Reliable? (Score:5, Informative)

      by Anonymous Coward on Wednesday July 25, 2012 @01:11PM (#40767133)

      I suspected upon hearing this that he was trying to bitbang a protocol using the Arduino functions such as delayMicroseconds and digitalWrite and he was probably having to adjust these to account for inconsistencies caused perhaps between locks (where battery voltage may affect timing) but also the inherent timing problems caused by the braindead manner in which these "friendly" functions operate. Even worse, he is using the Arduino's Serial library which is even worse about causing timing and memory problems.

      Upon reading his code I found that assumption to be correct. If he ditched the Arduino library and wrote correct AVR code using ISRs and hardware timers to implement the communication protocol I think the reliability of the exploit would dramatically improve. Reading his analysis of the protocol I even think the two-wire interface could be used directly with a tiny bit of extra hardware. Also, the Arduino MEGA is unnecessary; a normal Arduino or even a $2 ATtiny would do this job fine.

      I should mention that it's not his fault that the Arduino library is terrible code and that it's essentially unusable for this kind of thing; they do sort of purport that it is more capable than it is. I do however suggest that you adjust your thoughts on the reliability of his exploit.

  • by kaizendojo (956951) on Wednesday July 25, 2012 @09:27AM (#40763929)
    When demonstrated for the reporter, the hack only worked on *one* out of *four* of the doors tested in a REAL hotel, and then only on the second attempt after Brocious fine tuned and tweaked his software. Also, this can be defeated by simply using any one of the mechanical locks on the door.

    The bottom line is that if you aren't using the mechanical bolt or slide lock when staying at *any* hotel, you were vulnerable way before this hack. Keep in mind that there are plenty of AUTHORIZED users of master card keys on the hotel staff.
    • by SkimTony (245337) on Wednesday July 25, 2012 @09:30AM (#40763955)

      When a hotel staffer uses a master key card, it's logged (the security system notes which key was used when). Presumably with this hack, that isn't necessary. Also, the ability to open the doors on 25% of hotel rooms is still a concern.

      • by Anonymous Coward on Wednesday July 25, 2012 @10:07AM (#40764445)

        Does Onity offer centrally logged door units?

        99% of the shit I've worked with at hotels (from an installation POV) just checks that the mag card has a particular number in track 3. They're dumb as fuck.
        Putting the word "ADM" in track 2 unlocks most of the doors in many hotels. Sad but true fact.

    • Auditing (Score:4, Insightful)

      by nastav (2611511) on Wednesday July 25, 2012 @09:34AM (#40763995)
      All locks can be defeated with enough effort. The goal often is to make it obvious that a lock was defeated - by leaving an electronic trail or physical one (broken door, for example). Akin to silent data loss, silent compromise of a lock is much much worse.
    • by Anonymous Coward on Wednesday July 25, 2012 @09:35AM (#40764009)

      The bottom line is that if you aren't using the mechanical bolt or slide lock when staying at *any* hotel, you were vulnerable way before this hack.

      That might work if you're *in* the room. What if you need to venture outside?

    • by camperdave (969942) on Wednesday July 25, 2012 @09:40AM (#40764067) Journal
      The problem with using the mechanical bolt or slide lock is that they must be operated from *INSIDE* the room. I don't know about others, but when I'm staying at a hotel it is because I am attending a conference or something, so most of the time I am not inside the room. So the deadbolt or chain lock does nothing. If a bad guy wanted in while someone was inside, all he would have to do is knock on the door and say "Hotel security. Open the door, please".
      • by chrismcb (983081)

        all he would have to do is knock on the door and say "Hotel security. Open the door, please".

        The hotel has a voice activated door? Cause otherwise I don't quite understand how claiming to be hotel security causes the door to open.

        • by cpu6502 (1960974)

          >>>Cause otherwise I don't quite understand how claiming to be hotel security causes the door to open.

          Because you can't read.
          If a bad guy wanted in while someone was inside, all he would have to do is knock on the door and say "Hotel security. Open the door, please". I had this happen to me one time except it was a cop. I refused to open the door, so the cop went across the aisle to the neighbor instead (the source of a marijuana smell).

          • by mr1911 (1942298)

            Because you can't read.

            Did you hear that loud "whoosh" noise?

            The point is that someone knocking on the door and saying "Hotel security. Open the door, please" only works when the person in the room is a complete moron.

    • by alen (225700)

      not only that but every hotel has cleaning people on every floor every day. there are cameras everywhere in common areas. a person loitering outside a door will not only be on camera but any maid can call it in to security.

      security is the whole system, not like every individual piece has to be 100% secure

      that's why stock iphones have never had a big security issue. iOS by itself is not 100% secure but combine it with the app store and the apple ecosystem and there has never been a big malware incident

      • by Dcnjoe60 (682885)

        iOS by itself is not 100% secure but combine it with the app store and the apple ecosystem and there has never been a big malware incident

        You mean other than iOS itself, right? :)

    • by h4rr4r (612664)

      How do I use this slide lock when I leave my things in the room but I wish to leave?

      Should I hire someone to operate that for me?

    • by mblase (200735)

      Also, this can be defeated by simply using any one of the mechanical locks on the door.

      ...which you can only employ if you're actually in the room, which thwarts most burglars anyway.

  • by tekrat (242117) on Wednesday July 25, 2012 @09:28AM (#40763941) Homepage Journal

    Geeks now have the ability to get into your hotel room while changing into your bikini...

    But why would a geek be changing into your bikini?

    • by Chas (5144) on Wednesday July 25, 2012 @09:33AM (#40763991) Homepage Journal

      Basically it's the perfect armor.

      Some 500 pound guy in a thong is so horrific that you simply can't look at it long enough to aim and shoot.

      That and the whole Cthulhu-esque "I stared into madness and madness stared back" aspect.

    • by rvw (755107)

      Geeks now have the ability to get into your hotel room while changing into your bikini...

      But why would a geek be changing into your bikini?

      Hey! I don't have a bikini! Let's be clear about that!!!

      (And think of this: a geek who is changing into the bikini of another geek?!?! Or are we talking about two female geeks here?)

  • by nastav (2611511) on Wednesday July 25, 2012 @09:30AM (#40763951)
    It's easily and effectively argued that security through obscurity does no one any good, but responsible disclosure is still widely considered to be a good practice. Supposing a vendor is willing to fix their serious bugs, it really helps in preventing large scale attacks between the time of disclosure and reaction (by the vendor). If Onity had been willing to replace all its locks over a short period of time (say, 6 months) at massive cost to itself - but nevertheless done it to protect its long term reputation, it makes a lot of sense to give Onity that opportunity without outing the flaw. It's unlikely that such a large-scale replacement of locks would have been pursued, but giving Onity an opportunity to consider that option would have been responsible. It helps Onity, but it also helps customers of Onity (like Hotels who might have chosen to replace their locks, or individuals who might ask questions before going to a particular hotel). Now everybody knows it can be done, and many will try. Sure, an NSA intern could have figured it out, but the fact remains that it was not being massively exploited for large-scale robberies, for example. Targeted exploits are bad - no doubt - and I'm sure some of this was already going on, but there isn't much doubt that the sum total of targeted exploits does less bad than what might happen now - namely large scale exploits. I suppose I'm arguing that security-through-obscurity does work - but in a targeted and limited fashion - as to provide cover for short durations when real security is pursued. It may not work, but it's worth a try - and by going public before giving Onity a chance to pursue a 'fix', this researcher has, in my books, acted against public good.
    • by epine (68316) on Wednesday July 25, 2012 @10:07AM (#40764441)

      If Onity had been willing to replace all its locks over a short period of time (say, 6 months) at massive cost to itself - but nevertheless done it to protect its long term reputation, it makes a lot of sense to give Onity that opportunity without outing the flaw.

      Responsible disclosure is a fair response to a responsible failure. Few of these that make the news are responsible failures. Chisellers dressed up in security theatre profiting from their faux contrivances while playing this stupid game of harassing the bearer of bad news, as if the bearer of bad news is an indentured, unpaid employee.

      I understand the source of this faux reverence for charlatans much better after reading God is not Great. Scientology was a crock from day one, but now that so many gentle and naive souls have absorbed this crockery and imbued it with deep personal meaning, those of us who are deeply offended by the shitbag Hubbard are supposed to subside into polite silence. I asked myself after reading Hitchens: Why do I sit around keeping a respectfully stiff upper lip about xemufascism? To hell with that.

      Banks should not be bailed out of bad loans, and security professionals should not be bailed out for chrome-plating obscurity. When the mistake is subtle enough to make a patent examiner's head explode, I'm all for responsible disclosure. Either pass the bar, or don't let the door hit you on the way out.

    • by Lithdren (605362)
      I'm fine with this point of view if it can be assured the person going to the company first won't then get sued for what they've exposed as a flaw.

      The way things are now, you're more likely to get sued and shut up by a court order before you could tell anyone else. At least this way, the public is aware of the issue before they get sued. If anything, this assures the public is served important information and does more for public good than going to the company directly.

      I'm not saying this company would
      • by plover (150551) * on Wednesday July 25, 2012 @10:41AM (#40764925) Homepage Journal

        In this case he took it upon himself to decide that "there is no possible fix therefore responsible disclosure won't help." But we don't know for sure that the company can't fix the problem with some kind of software update - that's simply his claim. If there is a way to update the EEPROM, any way at all, then a software update could have fixed the problem. Sure, it would be a breaking change to the existing card key systems, but it might not entail a hardware fix to millions of hotel room doors. This guy never gave them that chance.

        Notification would have enabled the company to create an update plan, to order a million new circuit boards, to redesign the protocols, to schedule repair crews, to do whatever it took to fix the problem, and to have all that stuff prepared before his disclosure. No matter who they are and how badly they want to fix the problem, this is a year long process at least. Now, during that entire year, bad guys with Arduinos will have full access to unoccupied hotel rooms.

        And he's going to get sued into the next millennium. Not only are the plaintiffs going to use arguments like the above, but they're also going to drag his business dealings into it. They're going to make claims like "he's disgruntled because his business venture failed, and he did this out of spiteful retaliation." They're going to throw so much trash at him that I'm not sure even Johnnie Cochran would have been able to get him out of trouble.

    • by icebike (68054) * on Wednesday July 25, 2012 @10:19AM (#40764573)

      He didn't reveal the actual hack, he only demonstrated that one exists.

      Further, there are already several instances of people being sued into silence after responsible disclosure.

      Further, the problem cannot be fixed, and replacement of all locks worldwide would be so expensive and time-consuming that it would never be done in response to responsible disclosure.

      The probable outcome here is that the lock maker buys more insurance and sends a memo to customers offering a discount on new and improved locks. Which will be ignored by virtually all hotels.

      Responsible disclosure would serve no purpose in this instance.

      • by wvmarle (1070040)

        The hacker has announced that the complete hack will be revealed, source code and all, on his web site soon.

    • by Hatta (162192)

      responsible disclosure is still widely considered to be a good practice.

      Responsible disclosure will inform those vulnerable as soon as possible, so they can take steps to mitigate. There's nothing responsible about keeping a security flaw secret.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      responsible disclosure is still widely considered to be a good practice.

      As another poster has mentioned, responsible disclosure has been punished in the past, by the original disclosee using the courts to prevent the later presentation.

      When the courts did not punish these parties for

      1. abusing the court system to prevent presentations
      2. shooting messengers
      3. undermining responsible disclosure

      the court system effectively took an anti-responsible-disclosure position. This guy is just going along with the g

  • If true it's a pretty poor show by Onity, but I'm sure governments have had plenty of success simply forcing, tricking or bribing the hotel desk or cleaning staff into opening the rooms for them. I'm pretty sure that all the US government would have to do is turn up with a warrant and be given access to any room they like regardless of the type of lock used.

    • by Maximum Prophet (716608) on Wednesday July 25, 2012 @09:46AM (#40764139)

      Silly Reader, warrants are so 20th century. These days, they just show a letter, that you can't discuss with anyone, citing a "secret" law. Yes, it's unconstitutional, but if you're a $12/hour clerk, and the guy with the gun is asking, are you going to make a fuss?

    • by gstoddart (321705) on Wednesday July 25, 2012 @09:59AM (#40764349) Homepage

      I'm pretty sure that all the US government would have to do is turn up with a warrant and be given access to any room they like regardless of the type of lock used.

      With a warrant, you can do practically anything, because a judge has signed off on it.

      It's what they can do without warrants that scares me.

      • I never understood the warrant/warrantless issue. Could they not just hire someone to become a judge for the purpose of rubberstamping warrants?
    • by SkimTony (245337)

      The key is silent access, as another poster mentioned. If hotel staff use the master key-card, that's logged to the security system. If police show up with a warrant, that warrant is part of the public record (in most cases) and shows up in the police logs. In any of those cases, there's a way to know about the breach nearly as soon as it happened. With this crack, there's no record that the security system was defeated, which makes recovery even more difficult. Consider the following:

  • Wrong (Score:4, Insightful)

    by Belial6 (794905) on Wednesday July 25, 2012 @09:44AM (#40764109)
    Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the hole with an exterior lock. Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only needs to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.
    • by Dcnjoe60 (682885)

      Chances are that retrofitting the existing lock will cost more than replacing it.

    • Re:Wrong (Score:4, Informative)

      by wvmarle (1070040) on Wednesday July 25, 2012 @10:49AM (#40765061)

      Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole.

      And you can't recharge the battery any more - so sooner or later your lock is going to be out of service.

      Cover the hole with an exterior lock.

      Probably impossible as the current casing has not been designed for that; and anyway they all will end up with a single physical key: copy that and you're good. And anyway this requires a physical modification to the lock, likely the whole outer casing, not much less work than replacing the whole lock.

      Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only needs to handle NOT letting you read the memory.

      That is equivalent to changing out the main board of the lock. Which is probably more practical: it is not likely this lock has any space inside to install an extra board inside. Besides considering how modern devices are designed, replacing the lock is probably easier to do than replacing or adding a circuit board. Which is definitely not something your run-of-the-mill handyman can do.

    • Re:Wrong (Score:4, Insightful)

      by pepty (1976012) on Wednesday July 25, 2012 @10:57AM (#40765181)

      Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the hole with an exterior lock.

      That port is used to recharge the battery in the lock.

      Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only needs to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.

      The board itself is probably cheap, removing the port from the board and soldering in a new daughter board/port would be expensive. I don't see any advantage to that over replacing the whole board, which is what the article ("New circuitboards will have to be installed in every affected lock,") actually suggests.

      Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware.

      Brocious's full time job was to reverse engineer Onity's locks and front desk systems for a startup; he probably knows whether the lock has upgradable firmware.

    • Re:Wrong (Score:5, Insightful)

      by icebike (68054) * on Wednesday July 25, 2012 @11:18AM (#40765503)

      Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole. Cover the hole with an exterior lock. Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only needs to handle NOT letting you read the memory. Given that the article is completely wrong about having to change the locks, I would question whether there really isn't a way to fix it via firmware. Either way though, the fix does not require a new lock, and it is a task that the hotel's regular handyman can perform.

      Fill the hole: No. Read the article. The hole is needed and used routinely to charge the battery and reprogram.
      Cover the hole with an exterior lock: So this is your plan to avoid changing out the lock? Add yet another lock on top? And how secure is that lock?
      Add a circuit ahead of the main board: Where? There is no room for that. You would have to replace the entire main board.
      Firmware fix: Perhaps possible, but these are very old designs using very limited microcontrollers. And you would still have to replace every reprogramming device in the field to get around this because your solution would also prevent reprogramming the lock.

      So, NO, the article is not completely wrong. Your post is pretty close to completely wrong.
      By the time you do any of the modifications you suggest, it would be cheaper to change the lock.

      And none of those changes could be accomplished by the handyman. At best, they might be able to change out the lock. Most of those guys know how to swing a wrench and a toilet plunger. They are not very good at board level soldering. Even worse at changing microprocessors inside a lock chassis designed specifically to be tamper resistant.

      Best case is that they can replace the entire circuit board using cheaper more modern ICs in the same amount of space. But even that is likely to be more expensive than just replacing every single lock.

      In actuality, this will never be done until the next hotel remodel. Additional theft insurance, maybe purchased by the manufacturer, will be by far the cheapest alternative.

  • Image (Score:5, Interesting)

    by firewrought (36952) on Wednesday July 25, 2012 @09:46AM (#40764143)

    The hacker has (in his picture for the Forbes article) unkempt hair and a T-shirt that says "It's Fun To Use Learning For Evil!". I realize Black Hat has this whole counterculture thing going guys, but would it kill you to put on the veneer of respectability? Geez... this guy looks like a cliche movie hacker lackey.

    You know that your intentions are honorable, that you wouldn't (for instance) rob a hotel room, and that maybe you are part of the process by which society gets stronger over the long run, but the audience of Forbes is predisposed to see you as a shady menace (or cost multiplier). And the audience of Forbes has more real influence to pass laws that restrict or limit access to your favorite toys (prior examples being some telephony tools, radio electronics, lockpicks, encryption software, etc.).

    It sounds silly, but a clean shave and a button-down is how you say "I'm one of the good guys" to this crowd (or the general public, actually).

    • Re:Image (Score:5, Insightful)

      by slashmojo (818930) on Wednesday July 25, 2012 @09:54AM (#40764245)

      would it kill you to put on the veneer of respectability?

      Like a banker? ;)

      • Like a banker? ;)

        Exactly! Better evidence to prove GP's point does not exist. Just look respectable and society at large won't punish you for losing trillions to enriching yourself. If we all started showering regularly we could own this town!

    • by Hatta (162192)

      would it kill you to put on the veneer of respectability?

      Would it kill you to judge people based on their acts and not their appearances?

      • by icebike (68054) *

        would it kill you to put on the veneer of respectability?

        Would it kill you to judge people based on their acts and not their appearances?

        Appearance IS AN ACT.

    • by gstoddart (321705)

      The hacker has (in his picture for the Forbes article) unkempt hair and a T-shirt that says "It's Fun To Use Learning For Evil!". I realize Black Hat has this whole counterculture thing going guys, but would it kill you to put on the veneer of respectability? Geez... this guy looks like a cliche movie hacker lackey.

      He's a hacker, at a hacking conference, doing something that happened to be of interest to Forbes.

      It sounds silly, but a clean shave and a button-down is how you say "I'm one of the good guys" to

    • Obviously, he wants to play himself when the movie is made.
  • by oldmac31310 (1845668) on Wednesday July 25, 2012 @09:54AM (#40764251) Homepage
    pwnity now...
  • I read about this on BBC News [bbc.com] this morning, and two things struck me:

    1. "In tests Mr Brocious conducted with Forbes news site, the system did not prove entirely successful - only one of the three doors, at three hotels in New York, opened." So it doesn't work everywhere, but it's a good proof of concept. From the above ExtremeTech article: "Brocious found that he could simply read this 32-bit key out of the lock’s memory. No authentication is required ... By playing this 32-bit code back to the lock .

  • Like the old saying goes, locks only keep honest people out. If someone wants to get into something, given enough time and resources there is nothing that will keep them out.
    • by icebike (68054) *

      Cute, but trite homily.

      Throwing that out there as an excuse is just so much hand waving the problem away. Murder? Well, you didn't expect your dear brother to live forever did you?

      Hotels don't promise you security against someone with unlimited time and unlimited resources, nor does anyone have enough time or resources unless they are willing to use explosives.

  • If he is always itching to disclose, who would ever hire him?
    Answer: the wrong people. Not that it sounds like his skills are so great.
    I'd be worried about his safety, next time.
