Accommodation guest keycard provider Onity has developed patches to safeguard millions of hotel keycard locks against an attack demonstrated at the Black Hat conference last month.
But the more comprehensive of the two approaches involves a partial hardware replacement that will cost hotels a substantial amount of cash to apply.
Mozilla software developer turned security researcher Cody Brocious used an Arduino micro-controller costing around $50 to come up with an effective hack against hotel keycard locks, which he demonstrated at last month’s Black Hat security conference in Las Vegas. The hack involved plugging the homemade device into a data port on the underside of Onity’s locks and reading memory to extract a decryption key, before using this decryption key to fake an “open door” command. Mr Brocious created a cheap rig that spoofed portable programmers, gadgets designed to allow hotels to change the settings on locks supplied by Onity.
The hack is only possible because of two interlinked problems: the ability to read memory locations on vulnerable electro-mechanical locks and flawed cryptography in the keycard system itself.
Onity, which initially dismissed the door-springing hack as “unreliable and complex to implement”, has come up with two mitigations against the attack, the more effective of which will necessitate its hotelier customers shelling out some more cash.
The entry-level (free) fix involves supplying a physical plug that blocks access to the portable programmer port of potentially vulnerable HT series locks, coupled with the use of more-obscure Torx screws to make it more difficult for would-be intruders to open the lock’s case and access its internal systems.
The second, more rigorous fix involves upgrading the firmware of potentially vulnerable HT and Advance series locks together with manually changing the locks’ circuit boards. This more comprehensive fix comes with a fee including parts, shipping and labour costs. Older locks will be more expensive to upgrade – although there will be a special pricing program. Both fixes will be available from the end of August.
It’s unclear how much Onity’s upgrade of its widely used hotel keycard locks will end up costing either hotel chains or Onity itself. Criticism has been voiced over the fact that hotel chains will have to pay out to get comprehensive remediation against a problem that’s not of their making. “Given that it won’t be a low-cost endeavour, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger,” Brocious said.
“If such a significant issue were to exist in a car, customers would likely expect a complete recall at the expense of the manufacturer. I can’t help but feel that Onity has the same responsibility to their customers, and to customers staying in hotels protected by Onity locks.”
Onity’s keycard locks secure access to an estimated four million hotel rooms worldwide.