
Hotel Lock Firm's Security Fix Requires Hardware Changes For Millions Of Keycard Locks

publication date: Sep 21, 2012
author/source: Forbes


Good news for the security of hotels and travelers: Onity, whose keycard locks can be found on at least four million rooms around the world, has a plan to fix a security flaw that could allow hackers to insert a homemade device into its keycard locks and open them in seconds.

The bad news: the fix requires hardware changes to every affected lock. And for hotels that want more than a bandaid-style repair, Onity wants its customers to pay for it.

Earlier this week, Onity issued a statement responding to last month’s presentation at the Black Hat security conference by Cody Brocious, a Mozilla developer who showed that he was able to insert a device he built for less than $50 into the data port on the underside of Onity’s locks, read their memory to find a decryption key, and use it to gain access to the lock’s firmware and trigger its open command in a matter of seconds.

The company’s response to that epic security bug has two parts–a quick fix, and a more rigorous one, both of which it plans to make available by the end of August: First, it’s issuing caps that cover the data port Brocious’s hack exploited, which can only be removed by opening the lock’s case. To further stymie hackers who would try to open the locks and remove that cap, it’s also sending customers new, more obscure Torx screws to replace those on the cases of installed locks.

The second fix is more substantial: Onity will offer its customers new circuit boards and firmware that ostensibly fix the problems Brocious demonstrated. But Onity is asking owners of some models of its locks to pay a “nominal fee” for the fix, while offering others “special pricing programs” to cover the cost of replacing components. It’s also asking its customers to cover the shipping and labor costs of making hardware changes to the millions of locks worldwide.

“We want to assure you that Onity is working on providing you with a solution that will address any potential risks related to the alleged vulnerability of these locks,” the company wrote in its statement, giving customers a number to call if they wished to have the components shipped to them.

In its first response to the hack last month, Onity downplayed the flaw as “unreliable, and complex to implement.” Indeed, when I tested the hack with Brocious at three New York hotels, it only worked at one of the three.

But since then, two hackers who asked not to have their names revealed have claimed in emails to me that they independently replicated the exploit and refined it, so that it now works on any Onity hotel room lock. Brocious tells me he’s spoken with eight or nine hackers who have all been able to replicate his work to some degree.

In a blog post responding to the company’s latest statement and fix, Brocious criticized Onity’s move to put the financial onus for the fix on its customers after selling them what he’s described as fundamentally insecure products. While the free mechanical cap solution could create hurdles for hackers, he says that’s only a partial fix until the lock’s circuit boards are replaced, something that’s not likely to happen if it requires millions of dollars in costs for Onity’s customers. “This will not be insignificant, given that the majority of hotels are small and independently owned and operated. Given that it won’t be a low cost endeavour, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger,” he writes.

“If such a significant issue were to exist in a car, customers would likely expect a complete recall at the expense of the manufacturer,” Brocious adds. “I can’t help but feel that Onity has the same responsibility to their customers, and to customers staying in hotels protected by Onity locks.”

Aside from the cost issue, Brocious also raises questions about the technical security of Onity’s fix. Onity’s statement makes no mention of hiring outside evaluators to audit its new security measures, or more specifically, replacing or upgrading customer devices known as “portable programmers,” the gadget meant to be inserted into locks’ data ports to change their settings. That’s the device that Brocious spoofed to gain access to the locks’ memory. If the upgraded locks actually have their memory protected from spoofed portable programmers, Brocious argues that would require the portable programmers to be replaced as well. The fact that Onity has no such plans leads him to wonder whether they haven’t completely addressed the problem.

“I would absolutely love to be wrong about the lock protocol issue; if they can fix this at the lock level alone, and fix it well, then the impact on customers will be lower and the chances of the issue being fixed are higher. However, I find this highly doubtful. It seems far more likely to me that they have mitigated this issue at the lock level simply by shifting data around in memory or something along those lines, which would serve to break existing opening devices but not hold up to even the slightest scrutiny.”

I’ve reached out to Onity for more information about its fixes and a response to Brocious’s claims, and I’ll update this story when I hear back from the company.

Onity isn’t the only one to come under fire in the wake of its security flap: Brocious has also been criticized for failing to warn Onity ahead of his Black Hat demonstration and for selling a licence to use his Onity-hacking trick to a locksmith training firm for $20,000 long before he made his findings public. (See the barrage of negative reader comments on my story that first described his research last month.)

But Brocious has claimed that his hack was easy enough that it’s likely been understood by sophisticated hackers, governments, and possibly Onity itself, for years. “With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” Brocious told me then. “An intern at the NSA could find this in five minutes.”

In his blog post Friday, Brocious reiterates that the locks were vulnerable for years before he began to examine them. “While it’s great that Onity seems to be taking these issues seriously, the fact remains that such blatant vulnerabilities existed in their massively distributed product line for nearly a decade,” he writes. “As such, I believe that Onity has a greater responsibility to their customers than they are currently taking on.”

Read Onity’s full statement here, and Brocious’s response here.

