
Hotel ransomed by hackers as guests locked in rooms - lando2319
http://www.thelocal.at/20170128/hotel-ransomed-by-hackers-as-guests-locked-in-rooms
======
tangue
Is thelocal.at a reliable source? Seems like the only article talking about
the incident in German is from the German version of Russia Today [0]. It
doesn't make sense that an Austrian hotel chose this media to communicate.

For me it's:

A - It's the hacker that contacted RT with the story

B - It's part of a fearmongering campaign to ransom hotels

C - It's fake news written by an intern

[0] [https://www.google.at/search?hl=de&gl=at&tbm=nws&authuser=0&...](https://www.google.at/search?hl=de&gl=at&tbm=nws&authuser=0&q=Romantik+Seehotel+Jaegerwirt&oq=Romantik+Seehotel+Jaegerwirt&gs_l=news-cc.12...41859.41859.0.42699.1.1.0.0.0.0.0.0..0.0...0.0...1ac.2.#q=Romantik+Seehotel+Jaegerwirt&hl=de&gl=at&authuser=0&tbm=nws&tbs=sbd:1)

~~~
johansch
Here's a week-old story from the national broadcaster ORF:

[http://kaernten.orf.at/news/stories/2821290/](http://kaernten.orf.at/news/stories/2821290/)

Regarding the "locked in" issue; this article doesn't say anything like that:

"Die Gäste kamen nicht mehr in die Hotelzimmer, neue Schlüssel konnten nicht
mehr programmiert werden."

"The guests could no longer enter their hotel rooms, new keys could no longer
be programmed."

~~~
gozur88
I was wondering about that. In the US a system that could prevent guests from
leaving during a fire or medical emergency would never be allowed, and I can't
imagine Germany is much different.

~~~
wolfgke
This is Austria, not Germany. Better not to confuse these two countries if you
are in one of them. :-)

Though the laws are surely quite similar.

------
otakucode
The solution to all of this requires only 2 words: criminal negligence.

Prosecute a CEO or 2 from tech companies for criminal negligence, and you will
see companies actually investing in actual security. Put some business school
graduates in a jail cell on criminal charges for their hiring and corporate
practices, which would be criminal negligence if they were building bridges or
doing any sort of work in any other industry.

Hiring the cheapest, least experienced engineers you can find, not even
mentioning the word security on your job listing requirements for software or
hardware design engineers, depriving the engineers of the time, tools, and
environment they need to do competent work, putting business concerns ahead of
engineering concerns when determining product development schedules, etc are
things that executives should be judged in a court of law for. They are
criminal acts that put not just money in jeopardy but frequently lives.

~~~
g00gler
Gucifer more or less said this at DefCon this summer, blame the IT companies,
and I'm definitely in agreement.

I don't think anyone should go to jail, like pretty much ever (let me pay a
fine or kill me rather than lock me up), but I don't see a reason why whoever
set this up, for example, shouldn't be held liable in the same way a doctor is
liable with malpractice insurance to cover it.

It seems it'd fit the US laws very well, tech companies would buy insurance
policies that'd pay out when their shit software or infrastructure is hacked.

Huge companies like Google or Apple could self insure.

That'd also give some incentive to the MBAs to take security seriously, as
proving they take the extra steps would lower their premiums.

~~~
spiffytech
Fines and insurance would provide compensation for the victims, but would
provide less pressure to fix the problematic practices at their roots,
compared with otakucode's plan. Tech profits are high enough to swallow
premiums for that sort of insurance without provoking substantial changes in
business practices.

------
ClassyJacket
Any lock that can't be opened from the inside should be illegal as a fire
hazard.

~~~
userbinator
I'll amend that to say "can't be opened without the application of
unreasonable force". The possibility of a power outage causing the same
scenario also worries me.

~~~
kevingadd
A previous employer's office had electronically locked doors (magnetic, I
think?). The studio head said that they were designed to 'fail open' (i.e.
unlocked) in the case of a power outage. Then the power went out a couple
weeks later, and the doors were locked.

Oops.

Our emergency exits were old-fashioned analog doors and still worked, at
least.

~~~
hackermailman
I once worked somewhere with magnetic locks and a decent shove easily opened
the door. We did this for smoke breaks as our magstripe cards noted every time
we left the control room.

~~~
dTal
How did you get back in? Sounds like a security hole.

~~~
zeroer
Easy. Just prop it open.

------
korginator
Where I come from, not being able to exit your hotel room is a very serious
safety breach and this hotel would be looking at very significant fines, and
probably ordered closed immediately until they fix this "feature".

While this may be fine for high-security bank vaults, it is completely
unacceptable for hotel room doors to operate in a fail-secure mode _without a
backup non-electrical unlocking mechanism_ as is the case here.

~~~
phil21
I am highly skeptical people were "locked" in their rooms. I'm guessing it was
mostly hyperventilating tourists breathlessly telling the reporter how they
were "locked in" their rooms since they couldn't leave and get back in. More
like "Bob and I were locked in our room overnight! We couldn't even go
downstairs for a nightcap!" vs. "Bob and I were pounding on the door trying to
get out for hours!".

Locked in on their own volition, essentially. I've traveled a little bit, and
I've yet to stay in a hotel that you needed anything electronic to exit.

------
jle17
It seems to me that the hotel should take at least part of the blame here.

According to the article this was not the first attempt to breach their
security, yet they didn't put sane security practices in place, such as
separating door lock controls from their internet connected network or not
having door locks that can lock guests in in the first place, which, as
pointed out in other comments, is likely not compliant with regulations.

> The manager said it was cheaper and faster for the hotel to just pay the
> Bitcoin.

Cheaper for him, but the cost will be borne by society as he has now
encouraged the practice.

I understand that my comment can be seen as victim-blaming, but it seems to me
that part of the service sold by a hotel is the security they procure to
their guests.

~~~
mseebach
> Cheaper for him, but the cost will be borne by society as he has now
> encouraged the practice.

Perhaps white (grey?) hats should run a series of ransom hacks and proceed
_not_ to release the code after payment.

~~~
pavel_lishin
I'm not entirely sure how executing a ransomware attack and not undoing the
damage constitutes a white or grey hat approach.

~~~
mseebach
It would teach people not to pay the ransom, ruining the incentive for further
attacks.

------
anilgulecha
We'll start seeing this becoming more common, until the best-practices suggest
that IoT/embedded frameworks have to be on a network completely separate from
the common/public internet.

(This will not just mean a network to VPN into, but physically separate, with
no device-intermingling.)

~~~
userbinator
Electronic locks have been around for a long time, and the earlier systems
were not Internet connected because it would've been additional cost at
essentially no advantage. Now it seems like hardware/software has become so
cheap (and unfortunately more complex, thus more likely to contain non-obvious
bugs and misfeatures) that in some ways it's easier to develop products based
on Internet standards than isolated proprietary protocols, putting the "does
this really need to be connected to the Internet?" question mostly out of
mind.

I don't think it's about "best practices" or any sort of dogma, but more of a
common-sense evaluation: do you _really_ need your lock systems accessible
from _anywhere_ on the planet, which connecting to the Internet enables?

~~~
anilgulecha
> it's easier to develop products based on Internet standards than isolated
> proprietary protocols

Building on TCP/IP is just fine (in fact recommended) -- just keep that
network physically isolated to the location it's implemented at.

~~~
mypalmike
I wonder how many of these lock systems rely on cloud services, making
physical isolation impossible without some redesign.

------
eridius
They only wanted 1,500 EUR? That seems like an awfully low number for
something this serious.

~~~
pushECX
I believe the strategy is usually to demand an amount that is enough to be
annoying but not so much that it is prohibitive. Ideally, the target is
willing to quickly pay the money to unlock their systems.

> The manager said it was cheaper and faster for the hotel to just pay the
> Bitcoin.

~~~
phil21
Yep, you want something the manager of the local enterprise can authorize out
of his petty cash - not something he has to call the CEO in on for a decision.

Even better if the guy tries to hide it out of fear of being fired for
incompetence - which is the general way these things go.

------
daxfohl
Monthly reminder to self: never get a self-driving car.

~~~
jay_kyburz
Oh shazbot, I never thought of being held to ransom on the freeway. Pay now or
you will crash.

~~~
paulddraper
You could make a Speed sequel.

[https://en.m.wikipedia.org/wiki/Speed_(1994_film)](https://en.m.wikipedia.org/wiki/Speed_\(1994_film\))

~~~
userbinator
Like this one?
[https://en.m.wikipedia.org/wiki/Speed_2:_Cruise_Control](https://en.m.wikipedia.org/wiki/Speed_2:_Cruise_Control)

~~~
cube00
Screw self driving cars, I'm holding out for my self driving boat!

------
Pyxl101
How in the world could guests be locked _in_ to their hotel rooms? That sounds
like a major unacceptable design flaw and fire hazard.

~~~
a3n
Yeah, really. How could anyone possibly design, sell, buy or install a door
lock that can't mechanically override the lock from the inside.

Hopefully the local fire chief has shut the hotel down.

~~~
rallison
Not quite the same situation, but in my travels abroad, I've encountered a
pretty significant number of places that require a key to leave the
room/apartment/house. Lose that key, and you are effectively locked inside. I
think it is mainly done to prevent break-ins (e.g. you can't just break the
window next to it and reach in to unlock the door), but it's always concerned
me from a fire safety standpoint.

Anyway, at least in some countries, this is pretty common. Not that it's good.
But, common? Yes.

------
rdtsc
> Hotel management said that they have now been hit three times by
> cybercriminals who this time managed to take down the entire key system.

> Yet according to the hotel, the hackers left a back door open in the system,
> and tried to attack the systems again.

I think that answers why the ransom was probably only 1K EUR or so. It was
turning into some kind of a rent or protection scheme.

------
throw2016
This is like building a hotel in a gangster infested area and expecting to be
safe. The internet is not a safe space and if your systems are connected to
the internet expect chaos or take the responsibility to secure your systems.

The problem here is this is the kind of constant battle that may not be
economically viable for most.

IoT is a dead end without better architecture; these devices cannot be in the
open internet and vulnerable to hijacking. Those working on these systems may
think otherwise, but once businesses are disrupted and have to pay a price
they will not use the technology. How many businesses can justify spending
more and more resources on security, consultants and fighting off
extortionists?

------
imode
hah!

I feel sorry for those who were caught up in this through their stay, but I
feel no sympathy for any company that ties their door locks to a vulnerable,
non-isolated network.

I have to wonder if they considered breaking down the doors with a fire axe...
if they were booked, would replacing the doors outweigh the cost of the
ransom?

~~~
scott_karana
The ransom was 1500€, so no. Doors are pricy.

You realize it would have been a contractor who installed the systems? This is
a single, family-run hotel. I suspect the incompetent contractor was unable to
properly fix the systems after the first request, and the hotel didn't have
the experience to confirm the fix.

------
joatmon-snoo
Reminds me of the Onity breaches demoed at Blackhat 2012.

[1] [https://media.blackhat.com/bh-us-12/Briefings/Brocious/BH_US...](https://media.blackhat.com/bh-us-12/Briefings/Brocious/BH_US_12_Brocious_Hotel_Key_WP.pdf)

------
nrjdhsbsid
I can't help but think this is actually kind of funny.

~~~
cooper12
A normal person would have some empathy for people locked in/out of their rooms
and held to ransom. It could be especially dangerous if any of them have medical
conditions. I doubt it was a laughing matter for them at the time. The only
thing laughable is that hotel's security and setup.

~~~
mhluongo
Neither feeling need be mutually exclusive.

~~~
cooper12
Sure you can comment on the absurdity of it, but it's only funny at the
expense of the victims.

------
cube00
> Brandstaetter said: "We are planning at the next room refurbishment for old-
> fashioned door locks with real keys. Just like 111 years ago at the time of
> our great-grandfathers."

So we go from a poorly secured internet-connected security system to physical
keys; any chance they could consider the common-sense air-gapped medium instead
as the permanent solution?

------
charlesetc
> Using Bitcoin for cybercriminal activities is becoming increasingly
> commonplace, as tracing payments is much harder due to the way the
> cryptocurrency works

"Cryptocurrency" is a large set of currencies, each of which works differently.
Also, Bitcoin is a public log. It's much easier to trace bitcoin than to trace
cash.

~~~
tom_mellior
> "Cryptocurrency" is a large set of currencies, each of which works
> differently.

That's true, which is why the sentence you quoted said "the way _THE_
cryptocurrency works", not "the way cryptocurrency works". The "the" is a
back-reference to the particular cryptocurrency that is being discussed here
(Bitcoin). This differentiates it from a general statement about all
cryptocurrencies.

------
basicplus2
Some systems should never be on common networks, they should be air gapped,
totally separate from all other networks.

~~~
grzm
Indeed. Not everything needs to be connected to the internet. Plus, gotta be
ever vigilant against Cylons! (It's been a long day.)

------
WheelsAtLarge
I think this is a good warning, true or not. IoT is here and security is very
lax. Incidents like this one will only get more serious.

------
cpncrunch
"One of Europe's top hotels has admitted they had to pay thousands in Bitcoin
ransom to cybercriminals who managed to hack their electronic key system"

"Hotel management said that they have now been hit three times by
cybercriminals"

"we had no other choice. Neither police nor insurance help you in this case."

Do they not see the problem here? Perhaps they should have paid the thousands
of euros to a security expert to fix their crappy system, rather than paying
the hacker to do the same thing again.

~~~
dredmorbius
At a few thousand Euro each instance, vs., say, EUR50k to EUR500k for a full
re-specification and implementation of all hotel security systems, that's a
bargain price.

(Of course, they're also a piggy bank every time the hackers need cash.)

(This assumes the hackers aren't, say, hotel management or employees skimming
the operation themselves via hack threats, say, for money laundering
purposes.)

~~~
cpncrunch
No, they don't need to rebuild it. Just get the original developer to fix it if
it's a problem with the system. Or secure their network. Neither will cost
anywhere near 50k.

------
mmbaghdad
Sometimes I thank god that terrorists aren't technical savages.

------
domoritz
What would happen if somebody used this hack against a Trump hotel?

------
crystalPalace
"Honey I bricked the locks!"

------
nietzscha

      Build your cities on 
      the slopes of Vesuvius.
    

--Nietzsche

