Locking Hack Draws Fire for Both Hotel and Vendor
A recent article by Andy Greenberg in Forbes details a string of break-ins that hit a Houston-based Hyatt in September of 2012, the result of hackers using a digital tool to trigger the opening mechanism on the hotel’s Onity locks.
This security flaw was first publicly demonstrated by Cody Brocious, a 24-year-old software developer for Mozilla, at the Black Hat hacker conference in July. Brocious reverse-engineered Onity’s locks and discovered he could spoof the “portable programmer” device meant to be used for designating master keys and opening locks whose batteries had died.
White Lodging, the Hyatt franchisee that manages the Houston hotel, believes that the rooms were opened using this device. At the Black Hat conference, Brocious showed it was possible to insert the plug of a small device he built with less than $50 in parts into the port at the bottom of any Onity keycard lock, read the digital key that provides access to the opening mechanism of the lock, and open it instantaneously.
White Lodging contends that Onity only implemented a fix for that flaw in its locks after the September break-ins at the Houston Hyatt, around two months after Andy Greenberg, the Forbes reporter, first alerted Onity to Brocious’s work.
Following those September incidents, White Lodging resorted to plugging the port at the bottom of its Onity locks with “epoxy putty,” according to the letter it sent to guests at its Houston location. The hotel company says it’s now working with Onity to put a more permanent solution in place, either plugging the locks’ ports or replacing their circuit board at every location it manages.
But even Onity’s official response, has drawn ire because rather than paying for the full fix itself, which requires a new circuit board for every affected lock, Onity has asked its hotel customers to cover the cost of those hardware replacements. The free alternative involves merely blocking the port on the bottom of the lock instead with a plastic plug and changing the screws on the locks to a more obscure model to make it harder to open the locks’ cases and remove the plugs.
Read the full story here.