Open Millions of Hotel Rooms With Arduino

MrSeb writes with an excerpt from Extreme Tech about a presentation at Black Hat: "Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms. This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who didn't disclose the hack to Onity before going public, there is no easy fix: There isn't a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed. I wish I could say that Brocious spent months on this hack, painstakingly reverse-engineering the Onity lock protocol, but the truth — as always, it seems — is far more depressing. 'With how stupidly simple this is, it wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments,' says Brocious. 'An intern at the NSA could find this in five minutes.'"

Re:Lock the door when inside

[h4rr4r]

Many of those safes have backup passwords, hotels generally do not change the default one.

Reliable?

[Slippery_Hank]

From TFA: He tested this hack on three randomly choosen hotel room doors, failed to open any. Had to stop to reprogram the device, and then managed to open one of the doors. I'll stick to being worried about corrupt security guards.

Re:Lock the door when inside

[SilverJets]

You mean those safes where hotel staff have a master code that unlocks them in case the guest forgets the code they set? Those safes?

Re:What happened to responsible disclosure?

[icebike]

He didn't reveal the actual hack, he only demonstrated that one exists.

Further, there are already several instances of people being sued into silence after responsible disclosure.

Further the problem can not be fixed, and replacement of all locks world wide would be so experience and time consuming that it would never be done in response to responsible disclosure.

The probable outcome here is that the lock maker buys more insurance and sends a memo to customers offering a discount on new and improved locks. Which will be ignored by virtually all hotels.

Responsible disclosure would serve no purpose in this instance.

Re:Wrong

[wvmarle]

Every single lock will not have to be changed. There are several ways to fix this without replacing the entire lock. Fill the hole.

And you can't recharge the battery any more - so sooner or later your lock is going to be out of service.

Cover the whole with an exterior lock.

Probably impossible as the current casing has not been designed for that; and anyway they all will end up with a single physical key: copy that and you're good. And anyway this requires a physical modification to the lock, likely the whole outer casing, not much less work than replacing the whole lock.

Put a more secure circuit between the exterior plug and the lock's main board. That more secure circuit only need to handle NOT letting you read the memory.

That is equivalent to changing out the main board of the lock. Which is probably more practical: it is not likely this lock has any space inside to install an extra board inside. Besides considering how modern devices are designed, replacing the lock is probably easier to do than replacing or adding a circuit board. Which is definitely not something your run-of-the-mill handyman can do.

Re:Reliable?

[Anonymous Coward]

I suspected upon hearing this that he was trying to bitbang a protocol using the Arduino functions such as delaymicroseconds and digitalwrite and he was probably having to adjust these to account for inconsistencies caused perhaps between locks (where battery voltage may affect timing) but also the inherent timing problems caused by the braindead manner in which these "friendly" functions operate. Even worse, he is using the Arduino's Serial library which is even worse about causing timing and memory problems.

Upon reading his code I found that assumption to be correct. If he ditched the Arduino library and wrote correct AVR code using ISR's and hardware timers to implement the communication protocol I think the reliability of the exploit would dramatically improve. Reading his analysis of the protocol I even think the two-wire interface could be used directly with a tiny bit of extra hardware. Also, the Arduino MEGA is unnecessary; a normal arduino or even a $2 ATTiny would do this job fine.

I should mention that it's not his fault that the Arduino library is terrible code and that its essentially unusable for this kind of thing; they do sort of purport that is more capable than it is. I do however suggest that you adjust your thoughts on the reliability of his exploit.