
Hackers random hotel by locking guests in rooms - CarolineW
http://www.thelocal.at/20170128/hotel-ransomed-by-hackers-as-guests-locked-in-rooms
======
eplanit
Please fix the title so it matches the actual article (and also so it makes
sense). "Ransom" not "Random". Thx

~~~
gjkood
Yes, the moderators should intercede and change the title. I wonder if the OP
is no longer able to.

~~~
CarolineW
Indeed - you can thank "auto-corrupt" and having to post things from a phone.

Sorry.

~~~
gjkood
Ah yes, the proverbial "ottokorrekt" as I call it. I am still on the fence
about whether it is a blessing or a curse.

------
alialkhatib
I'm not seeing the part explaining how guests are locked _in_ their rooms. Is
it that they don't feel they can leave or their belongings will be locked in a
room they can no longer access, or is it some literal situation where the
doors won't open unless the hotel's key system is restored?

If it's the former, it's more than a little melodramatic to say they're locked
in. The situation would be resolved when the hotel paid the ransom (which
they'd done _twice_ before). And they don't really even have to leave their
things in the hotel room; guests could pack up their belongings and move to
another hotel if they really feel like the situation won't be resolved in a
timely manner. I assume European laws would guarantee customers a refund (or
at least a prorated refund) in a case like this, wouldn't they?

If it's the latter, then what kind of hyper-secure system is this hotel using,
and more importantly _why_?

------
canadian_voter
_Hotel management said that they have now been hit three times by
cybercriminals who this time managed to take down the entire key system. The
guests could no longer get in or out of the hotel rooms and new key cards
could not be programmed._

Oh dear god, three times? Bump this up your priority list, fellas.

_Brandstaetter said: "We are planning at the next room refurbishment for
old-fashioned door locks with real keys. Just like 111 years ago at the time of
our great-grandfathers."_

Ok. Or couldn't you just disconnect it from the net and secure local access?
Have a mechanical override mechanism? I feel like there are many solutions
here.

~~~
closeparen
It's crazy that there wasn't a mechanical override to _exit_. I'd think that
would be required by fire code in the US.

>Or couldn't you just disconnect it from the net and secure local access?

There are lots of ways this could work without internet access, and "secure
local access" is easier said than done for a network which must extend through
spaces where random people off the street have access and privacy.

Electronic physical security vendors are not exactly shining beacons of top-
notch security engineering. Researchers have found extremely careless, serious
vulnerabilities in systems such as HID iClass [0] and your average hotel is
probably using something much less sophisticated.

Denial of service is probably much easier than unauthorized entry, and
unauthorized entry isn't exactly hard.

[0] https://krebsonsecurity.com/2014/08/how-secure-is-your-security-badge/

