Open Millions of Hotel Rooms With Arduino 268
MrSeb writes with an excerpt from Extreme Tech about a presentation at Black Hat: "Bad news: With an Arduino microcontroller and a little bit of programming, it's possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms. This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who didn't disclose the hack to Onity before going public, there is no easy fix: There isn't a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed. I wish I could say that Brocious spent months on this hack, painstakingly reverse-engineering the Onity lock protocol, but the truth — as always, it seems — is far more depressing. 'With how stupidly simple this is, it wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments,' says Brocious. 'An intern at the NSA could find this in five minutes.'"
Image (Score:5, Interesting)
The hacker has (in his picture for the Forbes article) unkempt hair and a T-shirt that says "It's Fun To Use Learning For Evil!". I realize Black Hat has this whole counterculture thing going guys, but would it kill you to put on the veneer of respectability? Geez... this guy looks like a cliche movie hacker lackey.
You know that your intentions are honorable, that you wouldn't (for instance) rob a hotel room, and that maybe you are part of the process by which society gets stronger over the long run, but the audience of Forbes is predisposed to see you as a shady menace (or cost multiplier). And the audience of Forbes has more real influence to pass laws that restrict or limit access to your favorite toys (prior examples being some telephony tools, radio electronics, lockpicks, encryption software, etc.).
It sounds silly, but a clean shave and a button-down is how you say "I'm one of the good guys" to this crowd (or the general public, actually).
Re:A bit of hyperbole... (Score:5, Interesting)
Does Onity offer centrally logged door units?
99% of the shit I've worked with at hotels (from an installation POV) just checks that the mag card has a particular number in track 3. They're dumb as fuck.
Putting the word "ADM" in track 2 unlocks most of the doors in many hotels. Sad but true fact.
Re:I wouldn't have either (Score:4, Interesting)
When the guys share these hacks with the companies ahead of time, they tend to get sued or get their presentations cancelled by the vengeful corporations. They're better off not disclosing these things ahead of time.
Plus in this case, what could Onity have done? They cannot create an update that is automatically downloaded and installed over the next month onto those locks, like with Windows or Flash. If they knew about this before, and had a proper fix for it, then they would have to communicate it to thousands of hotels, and that would result in disclosure as well.
Re:What happened to responsible disclosure? (Score:4, Interesting)
In this case he took it upon himself to decide that "there is no possible fix therefore responsible disclosure won't help." But we don't know for sure that the company can't fix the problem with some kind of software update - that's simply his claim. If there is a way to update the EEPROM, any way at all, then a software update could have fixed the problem. Sure, it would be a breaking change to the existing card key systems, but it might not entail a hardware fix to millions of hotel room doors. This guy never gave them that chance.
Notification would have enabled the company to create an update plan, to order a million new circuit boards, to redesign the protocols, to schedule repair crews, to do whatever it took to fix the problem, and to have all that stuff prepared before his disclosure. No matter who they are and how badly they want to fix the problem, this is a year long process at least. Now, during that entire year, bad guys with Arduinos will have full access to unoccupied hotel rooms.
And he's going to get sued into the next millennium. Not only are the plaintiffs going to use arguments like the above, but they're also going to drag his business dealings into it. They're going to make claims like "he's disgruntled because his business venture failed, and he did this out of spiteful retaliation." They're going to throw so much trash at him that I'm not sure even Johnny Cochran would have been able to get him out of trouble.
Re:Lock the door when inside (Score:5, Interesting)
Obviously that person meant the chain lock that's separate from the key card lock. I hope not just the deadbolt; the ones built in to hotel key card lock mechanisms can be opened by the master key card. Not the ones the housekeepers carry but the one the chief maintenance guy keeps in his office. One assumes this hack can open the bolt as well as the regular latch.
We had a problem with a hotel safe once. When the tech guy came he popped the plastic keypad off to expose a serial port then hooked up his iPhone to it and opened the door. I wonder how secure that is...
Re:Well, that's it! (Score:4, Interesting)
Well, that's it! There's only one thing we can do... outlaw Arduinos
That's the beauty *cough* of the DMCA. They already are illegal! They will continue to be illegal until the Library of Congress makes an exemption [wikipedia.org].
I'm not completely sure if owning them is legal or not. The DMCA prevents "dissemination of technology, devices, or services intended to circumvent measures". Later provisions in the law cover cases where the device is not intended for circumvention, but is frequently used that way, such as open source DVD player software, which is not intended for copying the DVD, but can be used that way. Simply owning an Arduino would not qualify as "dissemination", but if you unknowingly sold or gave away your Arduino, I'm pretty sure you could be charged with breaking the DMCA. It's unlikely that you would be charged, unless the person that bought your Arduino proceeded to use it to break into a hotel room, but the point is that it's nearly impossible to avoid breaking this law!