

Onity's plan to mitigate hotel lock hack - daeken
http://daeken.com/onitys-plan-to-mitigate-hotel-lock-hack

======
jgrahamc
"This -- as much as it is security-through-obscurity -- is actually a great
temporary fix."

I don't understand how the Torx screw and cover solution is security through
obscurity. They're being very open about it. It may be a weak solution, but
it's not being hidden.

~~~
K2h
If it is a security torx - or some other rarer type of driver then the average
guy probably won't have one in the truck. However - the guy coming down the
hall to hack your lock while you're down at the pool will. I liked the security-
through-obscurity reference.

------
EdiX
"To further enhance the security of this fix, we will also supply a security
TORX screw with each mechanical cap to further secure the battery cover in the
lock"

I hope it's not one of those small security torx that can be unscrewed by a
flat tip screwdriver...

~~~
potatolicious
Even if they _do_ require a security torx driver, now potential criminals just
need a $5 part from Amazon.

No seriously, you can get an _entire_ set of _all_ commonly used "security"
bits for your screwdriver for $4.52, prime eligible.

Security my ass.

------
smutticus
If I wanted to break into a hotel room that bad I would just get a job working
there as a cleaner. Seriously, how big of a problem is this really? As someone
who stays in hotel rooms quite often I don't place any faith in room security.
I know multiple people in the hotel can enter my room with very little
oversight. That's why good hotels offer room safes.

~~~
moe
_That's why good hotels offer room safes._

The safes in most hotel-rooms are not safe at all. Perhaps Daeken can take a
look at those next...

------
rst
A firmware replacement clearly would require a new programming gizmo to be
effective. But if they're replacing all the lock circuit boards in a hotel,
throwing in a new programmer or two would be a comparatively minor cost. Is it
possible they just didn't bother to mention it?

~~~
daeken
That's entirely possible, though considering the costs involved (on both
sides) and the impact of the vulnerability, I'd be surprised if they weren't
to mention it at least in passing if they plan to upgrade the PP.

The encoder is an even tougher one -- hotel owners in the US (it's different
in some other countries) do not have the ability to update the locking
information on the encoder. That means that any update on the device requires
the board to be changed and _then_ the device has to be loaded with the proper
information for the hotel by Onity. That means either downtime to send in the
old encoder and get it back, or that Onity has to send out a new (updated)
encoder to each property and get the old one back. I can't imagine they
wouldn't mention that.

------
ars
A regular mechanical lock can be picked.

An Onity electronic lock can be hacked.

What's the difference that requires Onity to make this fix?

As a proof of concept and cool hack this is great. But regarding actual
security it doesn't seem any worse than a mechanical lock.

~~~
daeken
When Kryptonite's locks were found to be vulnerable to opening with a Bic pen,
they issued a recall on all affected units.

The vulnerabilities I disclosed in Onity's locks are as trivial and obvious as
possible; it's not that the lock _can_ be picked, but that it's instant and
trivial with absolutely no special skills.

~~~
K2h
That Bic pen hack was pretty crazy! For those that don't know, the technique
may have been discovered as early as 1992 [1] but the Kryptonite hack was made
public in around 2004. [2]

[1] <http://www.snopes.com/crime/warnings/kryptonite.asp>

[2] <http://www.wired.com/culture/lifestyle/news/2004/09/64987>

------
dos1
Wow look at that - once made aware of the vulnerability Onity responded with a
fix.

The last post I saw on this mentioned that the security researcher did not
responsibly disclose the vulnerability because he just knew they wouldn't do
anything. Looks like he was wrong.

~~~
daeken
> The last post I saw on this mentioned that the security researcher did not
> responsibly disclose the vulnerability because he just knew they wouldn't do
> anything. Looks like he was wrong.

I'm the security researcher in question (and author of this post). What a
company does when pressured by their customer base and what they do when no
pressures exist are two very, very different things. Had I approached them
with these vulnerabilities ahead of time, it's _highly_ likely that they would
have used their considerable cash reserves to strong-arm me legally into not
releasing this data, and the issue would not have been resolved.

As I said in my original paper/slides, this was the best way to get the issue
in front of hotel owners so that it could be resolved; this is the intended
behavior.

~~~
dos1
> I'm the security researcher in question (and author of this post). What a
> company does when pressured by their customer base and what they do when no
> pressures exist are two very, very different things

Totally agreed.

> Had I approached them with these vulnerabilities ahead of time, it's highly
> likely that they would have used their considerable cash reserves to strong-
> arm me legally into not releasing this data, and the issue would not have
> been resolved.

I guess we'll never know, will we?

Edit: To be fair, I don't have a stake in this either way, and I'm glad the
end result is that they're taking the threat seriously.

