
The New Hotel Key: Your Smartphone - ghosh
http://online.wsj.com/news/articles/SB10001424052702304856504579339130820876304
======
blueskin_
If this happens, I will hide my phone and insist I don't have one until they
give me a real key.

This is a complete privacy and security nightmare both from the potential of
cracking it and from installing an app that will probably grab every
permission it can.

It's also going to be entertaining seeing people with dead batteries begging a
charge from people in the lobby.

~~~
k-mcgrady
>> This is a complete privacy and security nightmare both from the potential
of cracking it and from installing an app that will probably grab every
permission it can.

Aren't hotel room locks already easily cracked? I remember seeing it on HN
last year. As for permissions - if you don't like them don't install the app,
they aren't going to deny you a key.

>> It's also going to be entertaining seeing people with dead batteries
begging a charge from people in the lobby.

Presumably in this case they would give you a key.

~~~
blueskin_
>Aren't hotel room locks already easily cracked?

They are, but this will only make them worse.

~~~
lordCarbonFiber
There is no reason to believe that an NFC-controlled lock is any less secure
than a traditional physical tumbler lock. In fact, if set up correctly (well
sealed panel, sound generation of keys, etc), it could be significantly more
secure since well set up cryptography is a hell of a lot harder than simple
lock picking.

~~~
Piskvorrr
That's a big "if". Big enough to be implausible - even nuclear missiles were
sitting in the silos for years with launch code set to "000000"; what makes
you think that hotels will care more about their security? See e.g. this:
https://www.schneier.com/blog/archives/2012/08/hotel_door_lock.html

Moreover, the electronic mechanism pretty much never opens the lock: it
activates a relay, which opens ... drum roll ... the physical lock. So the
old, mechanical lock vulnerabilities are preserved, and new electronic ones
added on top. What could possibly go wrong?

~~~
QSIITurbo
"mechanical lock vulnerabilities are preserved"

I've never been to a hotel that uses an ordinary key since those can be easily
replicated, so that point is moot: all the electronic locks (most common these
days) already have this "vulnerability" ("so why put a lock there in the first
place?").

Second, since this system is being developed to use a smartphone, the security
is easier to manage than a PIN code (such as 000000...). One can use
centralised key-servers, etc.

Third, the company making these locks (the physical part) is ASSA Abloy, which
is an extremely reputable lock company instead of the one in your link.

~~~
blueskin_
>Third, the company making these locks (the physical part) is ASSA Abloy,
which is an extremely reputable lock company instead of the one in your link.

Fair enough, maybe they thought about the physical side then; Abloy make what
is arguably the best mechanical lock in the world.

Still doesn't mean the authentication side is secure though.

------
gmurphy
Smart locks are awesome, I have a z-wave lock in my house, hooked up to a home
automation system I wrote so that my front door unlocks whenever I walk up to
it. I love that I've reduced the "wallet/phone/keys" patdown to
"wallet/phone".

Unfortunately, many of the smart locks that use your phone as an unlock
mechanism don't have a good solution for what to do when your phone battery
runs out. Usually the answer is "use a key", but the new problem is that once
enough of your locks are smart, you stop carrying keys.

In the home, keypads work well (and they can easily be set up for guests,
etc), but that seems prone to memory error in hotel situations.

~~~
dangrossman
> Unfortunately, many of the smart locks that use your phone as an unlock
> mechanism don't have a good solution for what to do when your phone battery
> runs out.

The only z-wave smart locks I've seen carried in national retail stores also
have keypads [1,2,3]. Isn't that the solution to the battery problem?

What lock do you use? I could never rely on z-wave to open mine; I only use
that to automate locking up the house at night in case I forgot. It can take
up to 30 seconds for my lock to respond to a z-wave command if it hasn't
already been woken by some other event, which is a long time to stand outside
your door waiting for it to open for you.

1: http://www.homedepot.com/p/Schlage-Camelot-Aged-Bronze-Touchscreen-Deadbolt-with-Alarm-BE469NX-CAM-716/203814066

2: http://www.homedepot.com/p/Schlage-Aged-Bronze-Home-Keypad-Deadbolt-with-Nexia-Home-Intelligence-BE369NX-CAM-716/203397806

3: http://www.lowes.com/pd_497751-350-910+TRL+ZW+15+SMT+CP_0__?productId=4755138&Ntt=kwikset+910&pl=1&currentURL=%3FNtt%3Dkwikset%2B910&facetInfo=

~~~
gmurphy
Yep, z-wave locks have keypads - it's what I have (Yale Real Living), and is a
great solution. The problem I was referring to was the new class of Bluetooth-
based locks that rely on your phone, but don't have keypads (Lockitron,
Kwikset).

The lock does have some lag in it, but I just try to keep it awake by pinging
it, and rely on early detection of the beacon to get the request in early.
Definitely not a great solution though, and I'd love to find something faster.

------
Piskvorrr
I can imagine that. "App permissions required: EVERYTHING, plus your
firstborn." Why is everyone so intent on messing around with my smartphone? Oh
wait, my data.

------
privong
I was able to read the RFID card at an Aloft hotel (they were mentioned in the
article) using NFC on my phone. In principle, it should have been possible to
clone that room card to my phone so I could have just used my phone, but I
didn't pursue that.

~~~
onion2k
I always assumed hotel keycards are writable[1], so they just change the code
on the card and associate the new one with the room whenever a new guest
checks in. Knowing what the code was when you were staying there wouldn't be
any help at all in the future.

[1] This sort of thing: http://proto-pic.co.uk/mifare-one-rfid-card-13-56mhz/?gclid=CPK_gbaGobwCFeXKtAodsnoAVg

~~~
QSIITurbo
Some keycards are even completely disposable (paper / cardboard), though most
of them are reprogrammable (plastic). I've seen hotel personnel swipe the card
to grant me access to my room (with a new and/or unique key, etc.)

------
fvox13
I smell a DEF CON talk coming...

------
smackfu
A side effect of this is that your room security is only as good as your SPG
account password. Since someone else can just install the app on their phone,
log in as you, and unlock your door.

------
post_break
I just installed a Bluetooth deadbolt at my apartment the other day. It's
actually pretty nice. And no, it's not a Lockitron since apparently they don't
know how to ship a product on time.

The app requests the key from a server and if it's correct it allows you to
send the commands to the deadbolt. Now it's just time to start fuzzing for
those commands. The only problem is that I can manipulate Wi-Fi pretty easily,
but have no clue how to put Bluetooth into monitor mode.

------
xexers
Why can't they just send an old-fashioned text message with a PIN code... then
use that PIN code to open the door.

Messing around with Bluetooth sounds complicated.

~~~
smackfu
A PIN code is observable by someone else.

~~~
Kliment
So send a new one on every unlock? Have a button on the door that sends a code
to the phone, invalid after timeout or after first use. Invalid codes can
generate a new code so if someone tries to access your room you get notified
as well.
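
The scheme described in the comment above (a button on the door sends a code to the phone, the code dies on timeout or first use, and a wrong entry triggers a replacement that doubles as a notification), sketched as an added example that is not part of the thread. The `DoorCodes` class, the `send` callback standing in for the SMS channel, the six-digit format and the 60-second lifetime are assumptions.

```python
import hmac
import secrets

class DoorCodes:
    """Single-use, time-limited unlock codes; one outstanding code per door."""

    def __init__(self, send, ttl=60):
        self.send = send    # callback(door, code, reason): stands in for SMS/push
        self.ttl = ttl      # seconds a code stays valid (assumed value)
        self.pending = {}   # door -> (code, expiry time)

    def request(self, door, now, reason="button pressed"):
        """Mint a fresh code for this door and send it to the guest's phone."""
        code = f"{secrets.randbelow(10**6):06d}"    # CSPRNG, six digits
        self.pending[door] = (code, now + self.ttl)
        self.send(door, code, reason)

    def attempt(self, door, entered, now):
        """Check a keypad entry; any attempt consumes the outstanding code."""
        code, expiry = self.pending.pop(door, (None, 0))
        if code is None:
            return "no-code"
        if now > expiry:
            return "expired"
        if hmac.compare_digest(code.encode(), entered.encode()):
            return "unlocked"
        # Wrong entry: the old code is gone. The replacement sent here also
        # tells the guest that someone tried the door.
        self.request(door, now, reason="failed attempt")
        return "rejected"

def demo():
    sent = []   # constructed stand-in for the guest's phone
    locks = DoorCodes(lambda door, code, reason: sent.append((code, reason)))
    locks.request("room-412", now=0)
    wrong = f"{(int(sent[-1][0]) + 1) % 10**6:06d}"   # differs from the real code
    results = [locks.attempt("room-412", wrong, now=5)]
    fresh = sent[-1][0]                                # code sent after the failure
    results.append(locks.attempt("room-412", fresh, now=10))
    results.append(locks.attempt("room-412", fresh, now=11))   # replay
    locks.request("room-412", now=100)
    results.append(locks.attempt("room-412", sent[-1][0], now=161))  # past ttl
    return results, [reason for _, reason in sent]

if __name__ == "__main__":
    print(demo())
```

Because every attempt consumes the outstanding code, an observed or guessed code is useless on replay; a deployment would still need to throttle replacement messages so repeated wrong entries cannot flood the guest's phone.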

------
evandena
This seems like a solution looking for a problem. Lost your key? Go to the
front desk. Not that big of a deal.

------
k-mcgrady
If it works I like this idea. At least it'll solve the problem of phones
deactivating keycards.

------
dbot
I always thought you should be able to open the room with the credit card you
used to book it.

~~~
stonemetal
Sounds a little scary to me. Trying to secure it against skimmers seems like
it would be impossible. All you would have to do is rent the room, put out the
do not disturb sign, then you would have unfettered, unmonitored access to the
lock for as long as you like.

