
Hotel-room hacks: Picking the lock - ljensen
http://www.economist.com/blogs/gulliver/2012/08/hotel-room-hacks
======
tzs
> The hacker did not explain the flaw to the company in advance of revealing
> it to the public, a decision he told Forbes was because he saw "no path to
> mitigate this from Onity's side." To fix the problem, the locks' entire
> circuit board has to be replaced—and on millions of locks, that's a process
> that could take a long time.

That seems like rather an asshole move on his part. I understand the argument
for disclosing security flaws to force a reluctant vendor to deal with them,
but in this case he didn't even give them a chance.

~~~
daeken
I've covered this a number of times. Simply put, I felt that the best route
for hotel owners and customers (who I care about, unlike J. Random Vendor) was
to make them aware of the vulnerability and make them aware that they've had a
horribly insecure product on their doors for nearly 20 years. Given how
ridiculously simple the vulnerabilities are, I'd put money on many others
having discovered them in the past, almost definitely using them for malicious
purposes. In addition, there's absolutely no way that Onity did not know about
this themselves -- it would not have required digging, but been _immediately_
obvious from the design of the system.

The route I took may not have been pretty, but it will get the issue fixed in
a timely fashion, I believe, and hopefully alert people to the fact that we
need real security processes in place around such things; not having your
equipment audited in the case of a security product is simply not acceptable.
Not now, and not in 1993.

~~~
samstave
Just out of curiosity, how much more secure would a lock be if the hotel asked
the patron to have a smartphone app installed and to enter a personal PIN upon
check-in?

When you get to your room, swipe your NFC-enabled phone over the lock, then it
asks for your PIN (on the phone) to unlock the door.

The activity would need to allow you to swipe the NFC over the lock, which
will auto-launch the app and prompt for the PIN, to be a smooth user experience.

If you have to find the app and launch it and maybe make another click, to get
to the PIN prompt, it would be too cumbersome to users to be a good
experience.

~~~
daeken
It really depends on the implementation. There are a lot of ways this can all
be done securely (from magstripes -- ignoring the ease of copying -- to chip
cards or NFC with smartphones or ...), but at the end of the day, it comes
down to the implementation. With some slightly different choices, Onity's
system could've been rock solid, but they dropped the ball.

~~~
samstave
can you expand on what would have made it rock solid?

~~~
daeken
Well, from what I know of its failures:

- Use an industry-standard (for the time) crypto algorithm for cards, and use
the biggest key size possible. As it stands, they use a (horrible) proprietary
algorithm and 32-bit keys.

- Make the lock know which door it's actually for and encode a list of
acceptable lists along with the code key values on the card. This prevents a
card from one door from opening another door. Not a huge security issue, but
it happens more often than you'd think.

- Use secure, authenticated protocols for programming the lock. This is
really the critical part; unauthenticated, raw memory reads/writes are just
not OK.
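As an added illustration of the three points above (not daeken's code and not Onity's actual design), here is a toy Python model of a lock that knows its own door id, only honours cards whose door list names it and whose HMAC-SHA256 tag verifies under a 256-bit issuer key, and accepts programming commands only with a valid tag and a fresh counter. The card format, key sizes and command syntax are hypothetical.

```python
import hmac, hashlib, json

TAG_LEN = 32  # HMAC-SHA256 output; keys here are 32 bytes, not 32 bits

def issue_card(issuer_key, doors, valid_until, serial):
    """Front desk side: JSON payload naming the doors the card may open, plus a MAC."""
    body = json.dumps({"doors": sorted(doors), "valid_until": valid_until,
                       "serial": serial}, sort_keys=True).encode()
    return body + hmac.new(issuer_key, body, hashlib.sha256).digest()

def sign_command(admin_key, door_id, counter, command):
    """Programmer side: authenticate one settings command for one specific lock."""
    msg = f"{door_id}|{counter}|{command}".encode()
    return hmac.new(admin_key, msg, hashlib.sha256).digest()

class Lock:
    """Hypothetical lock that verifies everything it is shown before acting."""
    def __init__(self, door_id, issuer_key, admin_key):
        self.door_id = door_id
        self.issuer_key = issuer_key
        self.admin_key = admin_key
        self.counter = 0      # last accepted programming counter (anti-replay)
        self.settings = {}

    def try_open(self, card, now):
        body, tag = card[:-TAG_LEN], card[-TAG_LEN:]
        expected = hmac.new(self.issuer_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return False                            # forged or altered card
        payload = json.loads(body)
        if now > payload["valid_until"]:
            return False                            # expired card
        return self.door_id in payload["doors"]     # card for another door: no

    def program(self, counter, command, tag):
        """Accept a settings change only if the MAC checks and the counter is fresh."""
        expected = sign_command(self.admin_key, self.door_id, counter, command)
        if not hmac.compare_digest(expected, tag) or counter <= self.counter:
            return False                            # unauthenticated or replayed
        self.counter = counter
        key, _, value = command.partition("=")
        self.settings[key] = value
        return True
```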

~~~
kamaal
You were planning to do a Reddit AMA on reversing in general.

Did that ever happen? Have you written anything on that?

~~~
daeken
I did indeed --
<http://www.reddit.com/r/IAmA/comments/yeiac/iama_reverse_engineer_who_broke_millions_of_hotel/>

It went better than I could've ever imagined; it was topping the front page
for a while! Seriously awesome experience.

~~~
wglb
And I thought it went very well--it answered all the questions that I was
going to ask you via email.

Thanks for doing it.

------
kanzure
I once worked with Cody (daeken) when he was reverse engineering the Emotiv
EPOC headset, he's definitely top notch. It turns out he does other things:
<http://demoseen.com/portfolio/>

------
ams6110
Are hotel room locks really that big a target? If you're in the room, set the
deadbolt. When you leave, take your valuables.

The easiest way into a hotel room is social engineering via the housekeeping
staff.

~~~
daeken
The deadbolt doesn't do anything with this, for what it's worth. The deadbolt
on Onity locks is software-controlled; that is, there's a privacy switch
that's triggered when you throw the deadbolt, and it checks the value of that
when you put in a card. If you use a card with the 'privacy override' flag, or
you use the Portable Programmer (or my opening device), the lock opens
regardless of whether or not you use the deadbolt, as it's disengaged by the
lock mechanism when you turn the handle.

~~~
montecarl
I think he is referring to a manually operated dead bolt or those latches at
the top of the door. The locks that can only be set and unset from inside of
the room.

~~~
daeken
Latches will work, but 99.9% of doors with Onity locks will only have the
deadbolt inside the Onity lock, which is vulnerable to the problem I detailed
above. Just something to keep in mind.

~~~
jusben1369
No, no, you're missing the point, I think. Nearly every hotel room has a big old
manual separate bolt set up higher and away from the key-based locking system.
Slides open maybe 2 inches etc. Twice in my life the hotel person has given my
room to someone else by mistake (I travel a lot for work). That is, I'll be in
there, twice late at night, and someone else puts in a key and it works. After
the first time I always set that manual bolt no matter what - just in case.
Not that I think there's any real merit to the original point that kicked off
this particular thread.

~~~
nopassrecover
I think you're missing the point - Onity locks don't usually have this "big
old manual separate bolt" as they're sold as "deadbolt inclusive".

~~~
jusben1369
It's pretty rare to not see them (can't remember when I haven't) due to the
reason I list.

------
K2h
Real engineered solution - without new hardware: if this thing is not
reprogrammable, and only has an EPROM - do some real engineering and
calculate the ADDITION of bits to set to disable the exploit. That's the one I
would be working on if I worked for Onity.

Alternatively, take a mechanical approach to the problem - if you can live
without the connector for servicing the lock.

1) De-solder the connector on the board and cut the traces/pads off the board
- it won't stop everyone, but enough that have read of the exploit and try to
follow through on it without applying any more critical thinking will be
thwarted.

2) Epoxy over the connector (they kind of did this with the security screw
fix, but not really).

3) Leave the connector, but add so much resistance between the connector and
uP that you have to use a special interface cable to talk to the uP. No one
will be able to tell until they pull the lock apart that it's not stock.

~~~
bitwize
Hotels can't even get their internet right. Shit is outsourced to some service
company who can't fix on-site problems with their routers, and you just get a
shrug of the shoulders from hotel maintenance personnel. How in the unholy
fuck do you think a Ramada Inn is going to roll out hundreds of modded door
locks?

~~~
gvb
They don't mod the locks, they call up Onity and say "send us 600 new locks
that are not flawed." Onity replies "Sorry, no." Then they fight in court for
the next 10 years over whether Onity owes the hotel replacement locks.

Assuming the hotel wins, Onity sends a team in to replace the locks (a
relatively simple and already solved problem - that is how the original locks
were installed). Then Onity sends the hotel the bill for the replacement
service and the hotel says "Sorry, no." Then everybody fights in court over
the retrofit bill for another 10 years.

------
waterlesscloud
Previous discussion here: <http://news.ycombinator.com/item?id=4281722>

------
Freestyler_3
What can people do about it? Barricade their hotel door? No, this is much more
of a help to people looking to get to other people, and now they just got an
extra option. This really opened a market.

If you really care about hotel customers you would be on the company side that
made all these locks, because they really need help. Yes they screwed up, they
deserve punishment but do the customers have to be the victim?

------
DigitalSea
Nothing is secure. I don't see how the electronic lock is any less secure than
the glass used on most house windows. It's like saying glass manufacturers
aren't making glass secure enough to protect home owners from intruders when
someone can throw a piece of brick and smash it.

~~~
cheald
Crappy comparison. Glass is installed for aesthetics, not security. Locks are
installed specifically to keep people out. Windows are a known and accepted
security hole that often have additional security measures attached to them.

~~~
DigitalSea
How about glass in general? Glass in police vehicles, glass in a police
station, court house... Glass isn't a purely aesthetic material, it has many
uses.

------
jliechti1
>"I would like to point out that the '$30 microprocessor' in 2012 would have
needed a refrigerator size computer 20 years ago when the Onity system was
designed. Twenty years from now all of our current 'state of the art' security
will be hackable with nothing more powerful than a 2032 edition pocket
calculator."

Just read this comment on the site - perhaps a bit exaggerated, but I think a
valid point nonetheless. Of course, Onity should have done something about the
flaw.

~~~
daeken
Hah, I didn't see that comment on the story. It's funny, but it's completely
untrue. The chip may have cost you $5 (rather than the $0.05 it costs now),
but a PIC from 1993 -- when Onity released the HT locks, and which they actually
used for the locks themselves -- would've opened them just as well as a modern
PIC/AVR/Propeller.

If someone didn't know about and exploit this flaw in 1998 (5 years later),
I'd be downright flabbergasted. It's just way, way, way too simple.

------
jgannonjr
The code and paper: <https://github.com/daeken/LockResearch>

~~~
daeken
Mind changing it over to <http://daeken.com/blackhat-paper> please? I keep
failing to keep the git repo up to date (been way too busy).

