date 2017-01-28
Hotel ransomed by hackers as guests locked in rooms (thelocal.at)
74 points by lando2319 1 hour ago | 29 comments





Any lock that can't be opened from the inside should be illegal as a fire hazard.

I'll amend that to say "can't be opened without the application of unreasonable force". The possibility of a power outage causing the same scenario also worries me.

That's called pushing on the crash bar or twisting the handle/knob so it opens. It's fire code for a reason.

A previous employer's office had electronically locked doors (magnetic, I think?). The studio head said that they were designed to 'fail open' (i.e. unlocked) in the case of a power outage. Then the power went out a couple weeks later, and the doors were locked.

Oops.

Our emergency exits were old-fashioned analog doors and still worked, at least.

I once worked somewhere with magnetic locks and a decent shove easily opened the door. We did this for smoke breaks as our magstripe cards noted every time we left the control room.

Where I come from, not being able to exit your hotel room is a very serious safety breach and this hotel would be looking at very significant fines, and probably ordered closed immediately until they fix this "feature".

While this may be fine for high-security bank vaults, it is completely unacceptable for hotel room doors to operate in a fail-secure mode without a backup non-electrical unlocking mechanism as is the case here.

We'll start seeing this becoming more common, until the best-practices suggest that IoT/embedded frameworks have to be on a network completely separate from the common/public internet.

(This will not just mean a network to VPN into, but physically separate, with no device-intermingling.)

Electronic locks have been around for a long time, and the earlier systems were not Internet connected because it would've been additional cost at essentially no advantage. Now it seems like hardware/software has become so cheap (and unfortunately more complex, thus more likely to contain non-obvious bugs and misfeatures) that in some ways it's easier to develop products based on Internet standards than isolated proprietary protocols, putting the "does this really need to be connected to the Internet?" question mostly out of mind.

I don't think it's about "best practices" or any sort of dogma, but more of a common-sense evaluation: do you really need your lock systems accessible from anywhere on the planet, which connecting to the Internet enables?

> it's easier to develop products based on Internet standards than isolated proprietary protocols

Building on TCP/IP is just fine (in fact recommended) -- just keep that network physically isolated to the location it's implemented at.

That will never become best practices, simply because there is too much benefit in being able to control IoT/embedded devices through the web. The only realistic solution is to develop technology (and associated practices) that are more secure against hacking. And yes, there will be lots and lots of pain on the way to reaching that goal.

They only wanted 1,500 EUR? That seems like an awfully low number for something this serious.

I believe the strategy is usually to demand an amount that is enough to be annoying but not so much that it is prohibitive. Ideally, the target is willing to quickly pay the money to unlock their systems.

> The manager said it was cheaper and faster for the hotel to just pay the Bitcoin.

If you ask for too much you'll have serious law enforcement coming after you. Ask for only a little bit and the focus is more on the fact that the hotel was idiotic for letting this happen than it is on the hackers.

Especially with the standard policy of "we do not negotiate". That policy is really hard to justify when the amount is so small compared to the damage of delaying payment.

Seemed low as well, but making it too high would have meant the hotel might have just called a locksmith to break the locks and then decided to replace the system.

Any good parasite knows not to disturb the host system too much.

That's my first reaction too. While I'm not condoning this action... 10x that.

> Hotel management said that they have now been hit three times by cybercriminals who this time managed to take down the entire key system.

> Yet according to the hotel, the hackers left a back door open in the system, and tried to attack the systems again.

I think that probably answers why the ransom was only 1K EUR or so. It was turning into some kind of a rent or protection scheme.

I can't help but think this is actually kind of funny.

A normal person would have some empathy for people locked in/out of their rooms and held ransom. It could be especially dangerous if any of them have medical conditions. I doubt it was a laughing matter for them at the time. The only thing laughable is that hotel's security and setup.

Neither feeling need be mutually exclusive.

Sure you can comment on the absurdity of it, but it's only funny at the expense of the victims.

It's not like emergency services will have any trouble getting into locked rooms. This was a giant inconvenience rather than any real danger.

It would take them a while to get to every guest, and it would require them to break the doors. Not exactly a small inconvenience and likely to ruin many vacations.

In that hypothetical, every guest is simultaneously having a medical emergency. Even if the doors worked, that unlikely situation spells disaster.

Monthly reminder to self: never get a self-driving car.

  Build your cities on 
  the slopes of Vesuvius.
--Nietzsche

How in the world could guests be locked in to their hotel rooms? That sounds like a major unacceptable design flaw and fire hazard.

Yeah, really. How could anyone possibly design, sell, buy or install a door lock that can't mechanically override the lock from the inside?

Hopefully the local fire chief has shut the hotel down.

Not quite the same situation, but in my travels abroad, I've encountered a pretty significant number of places that require a key to leave the room/apartment/house. Lose that key, and you are effectively locked inside. I think it is mainly done to prevent break-ins (e.g. you can't just break the window next to it and reach in to unlock the door), but it's always concerned me from a fire safety standpoint.

Anyway, at least in some countries, this is pretty common. Not that it's good. But, common? Yes.

No need, the hackers beat him to it.

