
Low tech fix?
Superglue or hot-glue the data port shut?
A Texas hotel is claiming to have suffered multiple burglaries stemming from flaws in a common type of electronic lock, exploits for which were demonstrated at this year's Black Hat hacking conference. In July, security researcher Cody Brocious showed how a device cobbled together from $50 worth of parts could be used to break …
In my experience of this system at Marriott, the operators and their systems were so poor that hackers were the least of your worries. One time we were allocated a room, given a key, and walked in to find the room already occupied. Moreover, the rather unhappy occupants' cards no longer worked their door. Reception issued a new room, new key cards, and we found that the system correctly showed guest and room, but that they'd changed the cards for the people we'd walked in on so that they opened our new room. Lord knows what room our cards would then have opened.
As a system, it shouldn't be possible to issue new guest cards when a room is already booked, occupied and key cards issued (other than in emergency or lost card situations), it shouldn't be possible to re-assign the card (other than to cancel it) when the card is not in reception's hands, and it shouldn't be possible to double book a room in the first place - have they never heard of locking a record?
I have zero confidence in these key card systems, and I suspect that the risk will remain as dodgy staff with master keys, or stolen master key cards, rather than hackers.
Real keys put you right into a different basket of problems: that there will exist only a small number of keys for each room, that keys become expensive to replace instead of cheap, and it becomes impractical to change the locks every time a guest leaves. The early part of the Arthur Hailey novel "Hotel" (and his character Julius "Keycase" Milne) is recommended as an example of how hotel burglaries were ROUTINELY a problem in the "real key" era.
On top of that, either the cleaners will have to lug around a serious amount of iron, one key for every door, or there will exist a master key (or a small number of, say one for every floor). Physical keys can even be duplicated using only the keyway shape (easily taken from the actual lock with a lump of wax, or similar) and a photo, or else key impressioning. And once you have a duplicate of the master key, the hotel's security is done for.
"Presumably these locks are linked to a building management system of some kind and are thus addressable by that system?"
That would require wiring up the building; the cheaper solution is to use the mobile unlocking device. They also need to visit each lock to enable a new master key. That's why the lock needs a data port. Master keys are generated on a password protected desktop device at reception, which uses the same password as the managers' Windows passwords.
And this is why you need it. Even if all the code and workings are shown and explained, if the lock is any good it will hold once it is engaged. SSH (to pick one) is full disclosure. It's also absolute nails once it is set up (correctly) and engaged.
I'm reminded of the "high security" locks that were breached by the young girl at DefCon.
Obscurity is not security.
What is frustrating is that they only did something after the information was demoed at Black Hat. If they had really cared they would have listened to the researcher when he told them initially, advised all their clients that there was a problem and those data ports could have been glued up or something before Black Hat. Find it bonkers that the data port is on the outside portion of the lock though. It's like fitting a door handle with all the screws facing outward.
Old news reported many months ago and to be honest the thefts fall squarely on the heads of the hotels who didn't upgrade their security systems. Electronic locks are no more secure and no different to the older mechanical type devices they replaced in that they are liable to be compromised at some point in time; they are not future-proof and only act as a deterrent.
carry their own tube of fast-drying epoxy so you can seal up your own locks after checking in.
When I use hotel rooms I only unpack what I need and keep my baggage bundled up behind Pac Safe which is secure enough to beat the TSA thieves employed by US Homeland Security.
Pac-Safe now has a range of sizes including ones that secure laptops and even smartphones, which can be tethered to a large immovable object in the room.
A simple rubber band strapped exactly opposite the bottom edge of the mag strip will open any electronic hotel lock (at least in the U.S.).
The feature is there for firefighters to be able to enter rooms in case of an emergency. I (and 39 others) were shown how to do this when we volunteered to chaperone inner city kids on learning voyages. I can't imagine the info hasn't gotten out & douchebags are exploiting it. It is a wonder it has taken this long.
Sometimes it doesn't take fancy technology to break something. It may be as simple as a rubber band.
Well, not in Europe, as far as I know. The cards slide into a slot that would not allow a rubber band around the card, and I can't remember seeing a magstripe on the cards I've been issued; the readers on the doors looked identical in the hotels I've stayed in, so those appear to be from a single vendor. I can't readily find the technology used in the cards here, but I presume it's RFID, and in that case probably Mifare.
The security of these locks is fundamentally broken, and if the hacker's paper is to be believed, the design is at best negligent, with all the hallmarks of 'we know best' security practice - in particular the DIY crypto algorithm.
Onity's statement is disingenuous: the hack is hardly complex - it involves little more than a low-cost micro-controller, a battery and a few passives - probably about $5 of parts. Schematics and full source-code are readily available. The report elsewhere that a pen-size lock-pick has been made is not at all surprising.
What surprises me is that this isn't already heading towards a class-action lawsuit state-side - especially if the reports here that Onity is charging hotels for new lock components are true.