Edit: Since this thread has blown up a bit, we may as well just do it here for real. If you have any reversing questions or background questions or whatnot, feel free.
All due respect to the work you're doing – I'm a former member of the security industry myself (worked on the IPS engine at TippingPoint).
He posed for a photograph in a hotel.
Even if he didn't have a spare shirt, the gift shop in a hotel generally does. That's if he had thought of that issue. No problem with telling the photographer you had to change. Even if they noted that in the story it's the picture that's worth 1000 words.
I had a story done a number of years ago and they sent a photographer to the office. I took several hours to arrange everything to get a good setup for the photo. It paid off. The photo was good and the photo editor liked and made it the centerpoint of a story where many people were quoted. It ran all over in syndication. My point is simply it's important to think ahead when the media comes knocking. (Along those lines hmm, maybe he did the right thing with that t-shirt publicity wise).
In any case people can now learn from the "nitpick" and decide for themselves if they are ever in the spotlight what they want to do.
Hotel locks with hard keys had their issues as well, and were pretty trivially picked with simple tools. But the key is always that you need to bring the 'simple tools' which is to say that they aren't vulnerable in a way that someone who decides on the spur of the moment to enter the room can easily duplicate. They need the plug that fits the power cord, they need the software which does the JTAG wiggler etc etc.
So if it is 'scary' that people who are not affiliated with the hotel either as guests or as staff can, with pre-meditation, open a hotel room door without damage. Then you need to re-define scary. This has always been true, and will probably always be true by the nature of hotels and motels.
Given the dozens or hundreds of hotel staff that can easily gain access to your room, I fail to see why this is "scary."
This just supports your point that hotel doors are not 100% secure for anyone who really wants to get through.
Edit: Replaced all with some. The doors at the hotels I worked had backup physical keys in case the battery failed. It's cool that Onity locks can be powered externally if the battery fails. Thanks for the correction.
The most important thing was that you gave it thought in advance! That is good. You had your reason for wearing the shirt it might not be the same decisions others would have made but the decision is yours to make based on what you were trying to achieve.
By "scary" did you mean the media attention?
Were or are you able to find out?
I do stand by my general point, though. I think it's worth thinking about how we represent ourselves to the general public. The word "Hacker" has an unfortunate negative reputation, and I don't think messages like this help. It really jumped out at me when I opened the article (otherwise I would have kept this nit to myself).
It's 2012. Your argument is twenty years late to the discussion. Deal with it.
Are these guys "buying up" security flaws in locks similar to others who sell these kinds of things for software?
Thanks from all us who spend our weekdays living in hotels.
While this definitely opens up new bad things, the message is the same: don't trust the software, trust the physical. Then again, after doing this for a few years, I may be a bit on the paranoid side.
Hotel occupancy is a lot lower on the weekend. I'm sure many people living in hotel rooms with more belonging than can fit in the safe will appreciated this information being released on a weekend.
A little hard, maybe, but I've seen a vid of some guy unlocking a door chain using a rubber band, coat hanger wire and a stick.
So I guess that with a little effort locking the door from outside is possible.
Sliding chain locks which can be defeated with a rubber band... :-)
Plus, my large hands wouldn't have been able to do that trick. :/
A lock-picker might say different, no?
Wait until you see the flaws, man. Not being robbed is sort of a matter of being slightly more tedious to pick than the next guy.
The stuff Daeken has worked makes it ludicrously easy.
Also, just because you leaked the details today (yesterday?), how realistic is his worry that evil parties might copy the tech before the weekend? :)
And indeed, doesn't every hotel room have a small safe, I don't just keep my passport there, but also my laptop, camera and phone if I don't take them with me.
And indeed indeed, I never even considered whether the door to my hotel room would be "secure", if maintenance and cleaning have a universal key, it's mostly a privacy measure, rating somewhat above a bathroom stall lock. It might be different if they wouldn't all have a small safe, though.
Now I do wonder how secure those safes are, in general :) Any idea? (edit: whoops I should've read the thread further, this has already been discussed--great discussion though, keep it up!)
This is a long shot, but I was in a chain hotel in midtown recently and heard someone tampering with the lock, and found the door ajar in the morning. I realize you probably can't name specific hotels, but was one by any chance a chain hotel in midtown around the 11th?
Security chains are fairly easy to defeat; a bent clothes hanger will do. Deadbolts are probably pretty hard if there's no external key hole. Someone intending harm to the occupants of a hotel room might just break a window.
At some point I'd love to test the CT side, but 1) the hardware is tough to get hold of, and 2) it's not a very popular system, so it's not that interesting. I think it'd be pretty straightforward, though.
Ving may have security flaws but I'm assuming it will be a bit more expensive to exploit.
In the article you suggest that you don't think they could fix it. Maybe true but shouldn't you (a) give them the oppurtunity to try (just cos you can't spot the fix doesn't mean it's impossible), and (b) give them the chance to say "yep, it's broken - give us 3 months to ship out new locks to all our customers" (yes, highly unlikely I know!).
Given that you sat on this for a year before publishing, there was ample oppurtunity to inform Onity before you publish.
Given that, I felt that they would delay, delay, delay, and delay some more before finally going silent, at which point I would be forced to do this anyway. Simply put, I have zero confidence in their ability to mitigate this properly, and I believe that the only proper course of action is to make this public and let the hotels make themselves secure by whatever means possible.
I know that's a bit of a strange answer, but this is a strange situation; it's taken me a while to figure out the correct course of action, and I feel that this really is the best way for the safety of the public.
Edit: Toned down some of the wording; unnecessary.
If they say they're working on it, you give them a reasonable timeframe for that, and then release it.
That way, you've done everything 'properly', and nobody can say otherwise. With the path you're on, everyone is going to blame you instead of them, even though they're at fault.
Please consider doing this the proper way, even though we both know it's most likely futile.
That's why you _shouldn't_ do it that way.
> Please consider doing this the proper way
"whitehat" != "proper".
That said, there is an easy way to compromise on this one, and is the way I generally go about disclosure:
1.) Email security contact with vulnerability, announce that you will be releasing information in 30 days.
2.) 30 days later, release the information.
If a month isn't enough time to apply a fix (I do 60 days if it's a particularly complex issue), then the organization pretty much doesn't care.
I don't support responsible disclosure because it's "whitehat approved," nor do I do it because I particularly care about the vendors themselves.
I'm a proponent of giving the vendor a chance because of all the sysadmins that would suddenly have an 0day on their hands and be forced into the difficult position of either:
(1) shutting down the effected service
(2) hoping they just don't get targeted, which is unlikely
(3) trying to release a patch themselves.
That is a shitty position to put people, in my opinion.
Daeken, I've chatted with you in #startups once or twice (as 'dshaw'), and I think you're a genuinely cool guy. This research is awesome, but I still think you should give vendors a chance. Assuming that they already know about the vulnerability might actually be giving them too much credit... they did create the issue, after all.
Edit: The only reasons I can think of are laziness or just plain not giving a shit about responsible disclosure.
All the notification would be is a courtesy, allowing them time to start designing and marketing a new product, instead of having the market get handed to their competitors when hotels suddenly have to start replacing their locks with less-flawed ones. And I'm not sure a company that produced a flawed products deserves that.
They can either say "Thanks for telling us. We're fixing the locks. There a X thousand locks, and we expect it to take Y weeks to fix them Please consider delaying release of this informtion until after then" - in which case he's done the responsible thing and can chose what to do.
Or they can say "We know, there's nothing we can do, don't tell anyone" in which case he's done the responsible thing and can decide what to do.
Say I'm a lawyer, and I find out that in order to help a client of mine I have to present evidence that's extremely embarrassing to a close friend of mine. I'm am professionally and ethically obligated to present that evidence.
Now, security professionals don't have, and probably shouldn't have, fiduciary responsibilities like that. However, industries set up codes of ethics for their members precisely because there's a difference between "what's best for me right now" and "what's the right thing to do."
If the idea is to embarrass the industry into fixing these problems, an article in Forbes does a pretty good job of that.
They could plug the access holes, with custom pentalobe screws. That's an under a dollar per lock fix.
edit: source is http://finance.yahoo.com/q/is?s=UTX ('All numbers in thousands' in upper right of the statement). Easy mistake! I just happened to be passingly familiar with United Technologies, which is a large diversified industrial conglomerate that includes Carrier (A/C systems), Sikorsky (helicopters), and Pratt & Whitney (aircraft engines) among other subsidiaries.
(edit) That's not even considering that this cost can be carried by the hotels. I'm sure they can cough up $500 to secure their facilities.
Please don't tell me that you, of all people on HN, think that there's no need for a private disclosure on this guy's part?
"Me of all people"? Am I a spokesperson for "Responsible disclosure" now?
I would have notified the vendor ASAP, and I might not have put the vendor name into the talk at all. But that's me, and I am super conservative about this stuff. Lots of very reputable security people would do exactly what Cody did.
"You" as a "sensible security guy". Or at least that was my impression of you based on what you post here.
Cool story, bro.
The company can probably come up with a solution faster than a brand new third party can generate all of this guy's work.
While that may be "profit-maximizing", it's not necessarily "rational". I'd sooner call it "short-sighted", "single-minded" or "primitive".
It might be "rational" from the pov of such a corporation as a single organism but it's not from the view of the humans that make up its arms, legs and eyes. And they live in the same society as the hotel owners and hotel guests, unless they choose not to, but it's getting harder and harder to make that choice thanks to people like Daeken.
And about the corporate organism? In its own competitive environment, it's got a primitive predatory intelligence, roughly comparable to that of a big spider (its products may be clever and complex, but its behaviour is not). If that's "rationality", we should probably consider setting the bar a bit higher for ourselves.
There may be lots of things the vendor could do. They could contact their customers so the hotels have a chance to consider their options. There is a good chance the vendor knows the protocol better than the guy who reverse engineered it; maybe there is a kill-code that they could give their hotels.
when hotels suddenly have to start replacing their locks with less-flawed ones. And I'm not sure a company that produced a flawed products deserves that.
You don't know that other products are better. In fact, he's said that there are other products he hasn't tested but still have the port. Maybe they are even easier to hack.
The company is going to have to deal with bad publicity regardless. It's just that know hotel managers are going to be in panic mode because of this guy is giving out all the directions so anyone can make their own skeleton key.
Fool me once, shame on me, fool me twice, and I'm supposed to be a damn mind reader?!
Also see: http://en.wikipedia.org/wiki/The_Scorpion_and_the_Frog
EDIT: And if it weren't for the long history of large companies suing security researchers for blackmail/etc when they try responsible disclosure I'd have probably sided with everyone above.
They might actually have a way to deal with this. Maybe the only thing they need is some time.
The assassination of Mahmoud Al-Mabhouh (http://en.wikipedia.org/wiki/Assassination_of_Mahmoud_al-Mab...) allegedly by Mossad involved attacking an electronic hotel lock to get access to his room:
"A readout of activity that took place on the hotel room's electronic door lock indicated that an attempt was made to reprogram al-Mabhouh’s electronic door lock at this time. The investigators believe that the electronic lock on al-Mabhouh’s door may have been reprogrammed and that the killers gained entry to his room this way. The locks in question, VingCard Locklink brand (Dubai police video, 21:42), can be accessed and reprogrammed directly at the hotel room door."
As for Ving, I think they're going to be next up; spent years honing my skills in reversing this sort of thing, seems like a shame to stop now.
You are cool, you know that?
And thanks, I like to think so.
Very easy experiment: Just go to the front desk an thell them that you sadly seem to have lost your room card. 90% of the time they will just ask for your room number without requiring any kind of proof that it's actually your room.
Anecdotally, I was asked for ID each time my wife or I lost hotel room cards on 4 occasions (3 for me, once for my wife).
I believe they were 2 Courtyard Marriotts, 1 Residence Inn (Marriott), and a Sheraton (don't remember the hotel class).
In hindsight I might have tried asking for a different room number's key to see if she was paying attention and then quickly correct myself "No, just kidding, my room's 208 not 210. I just wanted to see if you'd give people any room key they ask for". Maybe that would've made them see the issue.
Instead, I took the easy route and made sure to never leave my netbook, passport, tickets, etc in the room (all the rest was replaceable and we were travelling light).
I would have probably done differently if I wasn't in a foreign country on a different continent and still getting used to the cultural uncanny valley of NYC being "almost, but not quite like Europe", so I opted for the safe choice of not being a bother to these obviously hard-working people.
Keyless entry cars are mostly crackable ... garage door systems are trivial, you can bump pin tumbler locks, many home security systems have no backup power. rfid skimmers are cheap and easy-to-use. almost every elock I've seen has the bus readily exposed on the outside (secured by a single screw at best).
There's at most 6 things I can think of that actually do not have trivial security issues.
If I knew I would become famous by informing the press that, for instance, a car model only has a handful of key patterns for millions of cars, I would have done it a long time ago, but I thought such things were just stupefyingly obvious.
This reminds me of growing up in Eastern Europe. Story time: Under the Romanian communist regime, there was only one car factory (Dacia) making cars for personal use. Their main model was essentially the same from the '70s until 2004. For the first 10 years or so after the '89 revolution, Dacia dominated the local car market (because their cars were cheap and really easy to fix).
Now that we have the oh-so-important context, your comment reminded me that when I was a kid, my parents bought a Dacia. What confused me at a time was that random people would periodically ask to borrow the key.
It turns out that for 30-something years, Dacia only used a few models of keys. In fact there were so few that if you locked your keys inside (doors were unlocked by key and they locked automatically) it was feasible to try keys from random cars until one worked.
To be fair, the engine key was different from the door key, and it didn't have this problem. But, getting back to your comment, if you're talking about a recent card model then that's just crazy.
Also, I would have thought that keyless entry systems use correctly implemented public key cryptography. Is that not the case?
Just to be perfectly clear, what you have is a synchronized incrementing number usually using some in-house block-cipher with a 2^16 period. When the car receives a PRN from the RKE, it checks the locality of its current sequence (usually about 2^8) and then if the PRN matches one of them, you are in. So if you have the 2^16 sequence, just skip over every 2^8 and see if it unlocks. That's 2^8 tries; under a second.
If you don't have that, with a few sequences you can deduce the key pretty easily; each PRN is 32 bits; providing you up to 32 bits of information.
Since the payload is an incrementing 16 bit number you have probably 3 bits of entropy on the 32 bits (8 PKE commands between your sniffing). Anyway, assume you have 29 bits from the 32. You also have to toss the 16 bit sequence on the 64 bit source key calculations since it is effectively a salt.
Therefore, you can conservatively get the magic 64-bit key in 6 transmissions assuming there are no sequence collisions of that length. And even if there are, the solution space of the collisions would be quite modest.
Since each transmission has a plaintext serial associated with it (usually a subset of the VIN ... available on the windshield and all), you are not at a loss as to which transmission is which car.
So install your sniffer in an office-building parking structure on Monday, assume codes before 1100 are locks, after 1400 are unlocks, and you are in the car of your choosing by Thursday.
Pretend you don't have this. Pretend you want to do brute force on the 32 bit key-space. There's something called guard time. The idea is that there's a backoff period before another code can be tried. That's usually about a millisecond or two; if at all.
The transmission of the payload is on the order of tens of microseconds.
So generally speaking you can presume that you can do about 1.5m keys an hour.
Now let's say you are a car thief and you go to a lot of new cars ... there's 64 of them (2^6) just to make our lives easy. You have a wonderful consequence of the birthday-problem.
A 2^32 key space with a 2^8 tolerance over 2^6 vehicles ... means (32 - 8 - 6) = 2^18 keys until you should have a match.
Now let's see, you can generate about 2^21 keys per hour ... oopsie daisy. Look what we just did ... Your mean time to unlock one of the cars passes a 50% threshold in all of 4 minutes.
And that's the naive approach, without doing any predictive plaintext attack.
Now let's assume you use both methods together. We aren't talking about much waiting time here.
So I mean yes, the rolling code means you can't just do a replay. Ok, fine ... right ... you have to do a napkin full of math and a little programming. It's not real security.
Edit: just read below that these things are battery powered, which raises two questions, first, ok, how are they reprogrammed, and second, how does a hotel not go bankrupt replacing thousands of batteries all the time?
A microcontroller in sleep state (or similar) draws extremely low power, micro or nano Amps. It only wakes up when it sees data on the card reader, reads the card reader data, and decides if it should open the lock. The motor that unlocks the door only runs for less than a second. Then the whole thing goes back into sleep state.
Hotel doors are only opened 10s of times per day, at most. A pair of couple Amp-hour batteries will last quite a while. Maybe replace them once a year. Tech with an electric screw driver maybe takes 1 minute per door, even a 600 room hotel only costs 2 days of labor once per year (max 1 week, if the tech is slow). That's not that expensive. And the tech's time is 10x the cost of the batteries, coin cells in bulk are dirt cheap.
(Note: This is all specific to Onity locks)
Also, is it the housekeeping staff that reprograms the lock after they clean the room? It seems like it would be very inefficient to send a special person around to reprogram the lock after every check out.
As for reprogramming the doors, that only happens very rarely. The cards have an expiration date and a code that cycles, meaning that when a new card is introduced, the old ones won't work anymore. So really it only needs to be reprogrammed when the clock gets out of sync or the batteries die (there's no non-volatile storage, just RAM).
How interesting. Does that mean that you could theoretically have access to an empty room if there's no new occupant? It seems like you need some sort of expiry to prevent that from happening, but I can't imagine how that would work without some signal passing between the front desk and the lock.
You can't make cards out of nothing, though, so that helps mitigate it.
thanks for answering those 3 little questions.
My stack now is a Lenovo W520 running Ubuntu and KDE, and Sublime Text as my editor. Over the years when I did this, I was running everything from a cheapo, hacked-together box to a 13" Macbook Pro, all running Windows Vista/7.
Also, did you switch from Windows to Linux because of the available tools and development environment, or because the Linux desktop had matured enough you could get sh*t done without worrying about driver compatibility issues or other common complaints about Linux [lap|desk]tops?
As for switching OSes, the primary reason I did so is that my work for my day job all requires Linux. In terms of reversing, Windows is really the only way to fly; the tools just aren't there otherwise.
Curious, why is that, and what tools are those then?
I am all about exposing vulnerabilities but I honestly think there needs to be a dialog with the vendor first. Specially for exploits like this where there is a lot at stake.
I find the excuse of 'there is nothing they can do anyway' very poor. I have no doubt that this technique is known to locksmiths and law enforcement and maybe a smaller group of criminals. But making this public and exposing it to the world will allow any criminal with a soldering iron and an Arduino to start exploiting this.
Daeken, you have done an awesome job making this known. Maybe that it enough to get the ball rolling. Or do you just want to do damage for fame and profit?
Upon discovering the vulnerability, the only real action he could take which would be universally considered unacceptable would be to use that research to go around breaking into hotel rooms (which is illegal).
If he decided to go into business selling devices to bypass hotel room locks, there would also probably be a majority opinion that that isn't really "above-board". Even that isn't necessarily universally agreed on though (as there are a lot of people who argue that providing access to tools isn't criminal)
But he didn't do that either.
He decided that this was a pretty severe vulnerability (made worse by the fact that remediating it isn't trivial), and that he wanted people to know about it.
Hoping that the vendor will sue him to prevent that information from being disseminated is about the worst possible outcome from research of any kind; ignoring the fact that you don't seem to posit any rationale for what exactly they'd be suing about (protected trade secrets? violation of a license agreement?)
The thing about "responsible disclosure" is that it isn't something that exists by fiat. It's an intentional reframing of disclosure policies by vendors to attempt to steer the research community towards doing what's in the vendors best interests.
I understand their desire to reframe that policy, but that doesn't make it "the only ethically responsible way to conduct vulnerability disclosures".
Recently, there's been a lot of news about BMW's being able to be stolen trivially through access to the OBD port on certain models. There's an OSVDB entry for it and everything‡.
That's another example where providing information to the public was considered to be very important (like the issue Cody discovered, it's also not something that can be easily fixed. It's also been ignored by the vendor).
In virtually all other regards, making research public is considered the responsible thing to do.
While I'm not a card-carrying member of the full-disclosure sentiment, I strongly disagree that releasing research publicly is boolean irresponsible.
Full disclosure is a lot of fun, and it increases the status of geeks like us, so it's really to approve of it. I did when I was in college.
I wonder if any HN readers have access to an Onity lock to check whether this method works on them?
And you can still have a DC power port on the outside in case of a powered-down door, just no programming access.
Why have they not done it that way???
In terms of reversing the actual lock protocol, that was a bit more tricky. First step was tapping the line between the portable programmer and lock with an o-scope (a 70s-era HP scope; only thing I could afford at the time, haha) to figure out the voltage levels involved and the basic properties of the communication. From there, I hit it with the Saleae Logic to see what the communication actually looked like.
From there, I wrote some Python scripts to walk over the data from the logic analyzer and attempt to decode the data. With some tweaking, I managed to finally see some data that I knew, specifically the site code (which I knew from other parts of the system).
After I knew all that, it was a matter of figuring out the actual hardware level. Given that I have effectively no experience with this level of things, this was a lot of asking questions, googling, and experimenting. I knew that it was a one-wire protocol, so by reading up on other one-wire protocols I managed to figure out a lot. Once that was done, everything just fell into place; making the opening device work initially took maybe a day given all the info I had.
You have my attention...
> security flaw in 4m
sounding really interesting...
> hotel room keycard locks.
Oh. Well, still pretty cool.
EDIT: Actually, this kid of thing needs to get a lot more attention and awareness. I could suggest a certification of some kind, but there's often a reaction against that. But a certification that just indicated:
- No passwords in plaintext
- Not vulnerable to replay attacks
- No "toy" encryption