Is your hotel room lock safe? Why the answer could well be no

August 23, 2012

Cody Brocious estimates there are 4 million Onity HT locks worldwide

If, during your next hotel stay, you're met with a lock on your door like that pictured above, it's time for a conversation with management. This is an Onity HT series lock. Cody Brocious claims that the company has sold 10 million of its various locks to hoteliers, accounting for half of all locks worldwide, and appearing in one in three hotels. Described by Onity as its "flagship product," the HT series lock is its big seller: Brocious reckons there are 4 million HT series locks out there. Why does this matter? It matters because on July 24, Brocious took to the stage at the Black Hat conference in Las Vegas to demonstrate how to unlock one in a matter of milliseconds using gear you and I can buy off the shelf from Radioshack for under 50 bucks.

What's the password?

The problem is this. Each HT series lock includes a DC charger port on its underside. This is used by hotel staff not only to recharge the lock's batteries, but also to program the lock with the hotel's unique 32-bit sitecode. With a self-programmed Arduino board, a 5.6 k pull-up resistor, and a DC connector, you have the gear you need to talk to the lock. Obviously it's not as simple as sending an "Open Sesame" message to the lock—not quite, anyway. For that you'd need to know the 32-bit sitecode. How do you get the sitecode? Turns out you just ask the lock for it.

"Given an address, the lock will send back 16 bytes of memory from that point," Brocious explained on a slide from his July 24 presentation, entitled My Arduino Can Beat Up Your Hotel Room Lock. And it transpires that the sitecode is stored at the same memory address on every single lock. No authentication is required to retrieve it. Bewilderingly, unlocking the door is as simple as feeding the sitecode back to the lock. Once your home-brew device is connected, Brocious claims the whole process of reading the memory to unlocking the door takes just 200 ms. Given access to spare key cards, the technique can also be used to program duplicate keys.
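A toy model of the design flaw described above, next to a gated variant for contrast. This is an added example, not code from Brocious's paper or Onity's firmware; the address, memory layout, class and function names, and the HMAC challenge-response scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SITECODE_ADDR = 0x10  # constructed address for this toy model, not the real lock's


def respond(key, nonce):
    """Programmer-side answer to a lock challenge (HMAC-SHA256, assumed scheme)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class ToyLock:
    """The flaw: any port client may read memory, and the value it reads
    (the sitecode) is also the credential that opens the lock."""
    def __init__(self, sitecode):
        self.mem = bytearray(64)
        self.mem[SITECODE_ADDR:SITECODE_ADDR + 4] = sitecode  # 32-bit sitecode

    def read(self, addr):
        return bytes(self.mem[addr:addr + 16])  # 16 bytes back, no authentication

    def open(self, code):
        stored = bytes(self.mem[SITECODE_ADDR:SITECODE_ADDR + 4])
        return hmac.compare_digest(code, stored)


class GatedLock(ToyLock):
    """Same layout, but port commands work only after a challenge-response
    with a programmer key that never crosses the wire."""
    def __init__(self, sitecode, key):
        super().__init__(sitecode)
        self._key, self._nonce, self._authed = key, None, False

    def challenge(self):
        self._nonce = os.urandom(16)  # fresh per session, so old answers cannot be replayed
        return self._nonce

    def authenticate(self, response):
        nonce, self._nonce = self._nonce, None  # one attempt per challenge
        self._authed = nonce is not None and hmac.compare_digest(response, respond(self._key, nonce))
        return self._authed

    def read(self, addr):
        if not self._authed:
            raise PermissionError("port client not authenticated")
        return super().read(addr)

    def open(self, code):  # port-side open command, refused without authentication
        return self._authed and super().open(code)
```

In the gated model, knowing the sitecode alone is no longer enough: the port refuses both the read and the open until the client proves possession of the programmer key.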

Practical magic

In practice, the process may not be quite as easy as it sounds. Forbes' Andy Greenberg accompanied Brocious to some New York hotels and found that, of the three locks tested, Brocious was only able to open one (on the second attempt, having jiggered with his software). But one in three is still an unacceptably high success rate, though the few hotels tested are insufficient to draw broader conclusions. The exercise does at least demonstrate that the technique isn't 100 percent reliable—at least not as the research stood at the time.

Though Brocious has stated he does not intend to refine the technique, he has released the paper presented at Black Hat, and made his source code available through his website. At the time of writing, the dedicated IRC channel set up for further research had 25 members (all idling), discounting obvious pseudonyms. Brocious told Forbes that, with refinement, he believes the technique could be used to open a significantly higher proportion of locks.

With great power...

To many, Brocious's work is loaded with ethical questions, but what is beyond dispute is that Brocious has merely exploited and publicized a security flaw that is inherent to the HT series lock. He did not create the security flaw. And Brocious has clearly wrestled with the dilemma of whether and how to release his findings.

"The decision to make this information public has not been an easy one," Brocious writes in his paper. "While it's unlikely we'll ever know for sure, we must suspect that concerns were raised inside of Onity about these issues, given the ten-plus years that these locks have been in development and on the market. However, after much consideration it was decided that the potential short-term effects of this disclosure are outweighed by the long-term damage that could be done to hotels and the general public if the information was held by a select few."

In his presentation, Brocious suggested possible fixes to the vulnerability, but asserted that a physical replacement of all lock circuitboards would be necessary, as well as replacement of the front desk equipment. "The biggest impediment to mitigation is that the locks are not upgradeable," he said.

A case of impOnity?

On July 25, Onity put out a statement that attempted to downplay the issue, apparently contradicting Brocious's assertion that a hardware intervention is necessary. "Onity understands the hacking methods to be unreliable, and complex to implement," it said. "However to alleviate any concerns, we are developing a firmware upgrade for the affected lock-type."

On August 13, Onity issued a new statement (both can be read through that link) offering to send out physical caps to hotels with HT series locks. "To further enhance the security of this fix, we will also supply a security TORX screw with each mechanical cap to further secure the battery cover in the lock," the new statement said. Effective, so long as the would-be intruder forgot to add a Torx screwdriver to their shopping list. These caps will be ready for shipping by the end of the month, Onity claims.

In addition to the physical fix, Onity is also offering to replace the control boards of locks as well as shipping a firmware update. Onity says there will be a "nominal fee" for the control boards, but that's before shipping, handling and labor: three costs which the company says hotels must pay. And the fix only works for upgradable locks. Older locks must be replaced outright, again at the hotel's expense. In essence, though, Brocious was right. Hardware upgrades are required to fix the problem.

Contrition? Not so much

Remarkably, neither of Onity's statements shows a hint of compunction. Arguably more worrying for a security firm: there's no recommendation that clients take up the offer of fixes. "If you are interested in pursuing this solution…" is about as close as it gets.

It's worth reiterating the potential scale of the problem. Assuming the figure of 4 million affected locks is accurate, that's 4 million potentially vulnerable hotel rooms. Even if we assume only half of those rooms are typically occupied, and those that are by a maximum of one resident at a time (staying on average 1.6 nights), that equates to 37.5 million travelers affected in the last 30 days alone.

The role of technology in the security sector is fundamental, but despite the rapid technological progress, one thing has remained constant: the importance of trust. Whether hoteliers wising up to the fact that they've bought what could be called a flawed security system will be willing to trust the supplier of said equipment for a fix… well, that remains to be seen.

Source: Cody Brocious, via Forbes

About the Author

James Holloway

James lives in East London where he punctuates endless tea drinking with freelance writing and meteorological angst. Unlocking Every Extend Extra Extreme’s “Master of Extreme” achievement was the fourth proudest moment of his life.

19 Comments

My guess is that if you break a few pins in the service port, your room lock will become a lot safer... albeit maybe not as upgradable...

Pierre-André Aebischer
23rd August, 2012 @ 12:08 pm PDT

Great. This comes out before I will be spending next week in a hotel. Makes me feel secure.

MBadgero
23rd August, 2012 @ 12:09 pm PDT

Always assume that those who want to break in will. Don't keep valuables in the room lying around. Instead leave them in the room safe, or better yet, the hotel safety deposit box.

sk8dad
23rd August, 2012 @ 01:26 pm PDT

As Pierre-André Aebischer says. But you are not supposed to leave valuables in your room and on the inside there is usually a door chain as well.

Paul van Dinther
23rd August, 2012 @ 02:14 pm PDT

Super Glue is cheaper than an upgrade.

Wombat56
23rd August, 2012 @ 03:44 pm PDT

The best you can really expect from a hotel door is that it keeps people out when you have the deadbolt set and it keeps stray children out when you're not there.

Slowburn
23rd August, 2012 @ 05:42 pm PDT

Everyday mechanical keys & locks can be used to solve the problem of un-returned keys.

Matrix Key Systems allows a standard (

Matrix Key Systems
23rd August, 2012 @ 06:33 pm PDT

You can almost guarantee that some hotels will be too lazy to upgrade their locks with the new firmware, leaving themselves open to this kind of break in.

Oztechi
24th August, 2012 @ 12:35 am PDT

If the hotels have cameras in the corridor they can see who's up to something rather than just inserting their keycard...

agulesin
24th August, 2012 @ 05:51 am PDT

Locks are a hindrance to the innocent and offer no obstacle to the guilty.

It was ever thus.

If you don't want stuff nicked out of your hotel room, don't leave it in there.

Catweazle
24th August, 2012 @ 07:08 am PDT

BFHD Who needs electronics http://blackbag.nl/?p=1269

gizmaggot
24th August, 2012 @ 09:21 am PDT

Catweazle sums it up nicely.

Tom Wyse
24th August, 2012 @ 09:23 am PDT

"To further enhance the security of this fix, we will also supply a security TORX screw .........................

As if a hacker wouldn't be able to get past a TORX screw.

flylowguy
24th August, 2012 @ 09:43 am PDT

Not surprising that a traditional lock hardware company did not bother to hire a software engineer with a semblance of knowledge and understanding of security. The answer as with any defective product is to force a recall by the manufacturer of the locks.

First step is for the manufacturer to hire someone who can redesign the lock so that it is secure and then to develop a program to replace the locks across the country, hotel by hotel, door by door.

There are mechanical locks to secure the door from the inside and only a fool would leave valuables in their room unattended so the magnitude of the problem is less than one might at first think.

Calson
24th August, 2012 @ 10:43 am PDT

A "security torx screw" just means you have to look a little further for the proper torx driver (I have one, but it may not be the right size). And as news of this vulnerability (and Onity's lack of compunction) hits the street, Onity may have trouble giving their stuff away, much less selling it.

Bruce H. Anderson
24th August, 2012 @ 02:08 pm PDT

Well, that's great but, to be sure, the greatest part of hotel theft is carried out by staff. Sorry but that has always been true.

While it's pretty unlikely that the non-criminal will have someone wanting to break into their room while occupied, there is always the trip-wire alarm and door-stop; which should give one enough time to retrieve the Colt-45 and invite the would-be thief to leave a healthy donation to your breakfast fund.

Mirmillion
24th August, 2012 @ 02:27 pm PDT

What this article fails to mention is that Brocious previously worked for Onity. I wonder how he could know about how one would go about accessing these locks? Hm. Sounds like a disgruntled ex-employee seeking revenge...

LX88
24th August, 2012 @ 07:03 pm PDT

What security? Really... does anyone think there is security? It's only a matter of comparison. It is also a matter of time before we have frequent drive-by Bluetooth attacks on our cars that deflate the tires, activate the brakes at highway speed or the fancy new blind spot backup sensors, or start or stop the ignition. These are kernel functions triggered by signals as easily done by hacking as intentionally. My security experience for busting stuff goes back more than a decade. I can only show how to attack such things and then put up more walls to make it marginally harder.

Martin Nemzow
25th August, 2012 @ 08:23 am PDT

I am 99% certain that this lock was fitted to a room in a hotel in Paris where a friend was staying. He lost a laptop and a camera. I will print out this article and take it with me next time I stay in a hotel so I can identify the lock.

anobium
28th August, 2012 @ 11:51 am PDT