
It would be interesting to know what type of door locks the hotel used. There have been numerous attacks on hotel door locks recently [1], and the current situation appears to be that a sizeable proportion of hotel door locks are incredibly vulnerable. It's a good reminder that if you have a security requirement, use full disk encryption.

[1]: http://www.extremetech.com/computing/133448-black-hat-hacker...




>It's a good reminder that if you have a security requirement, use full disk encryption

If someone can gain repeated access to your hotel room, full disk encryption is vulnerable to the so-called "evil maid attack". Basically, someone comes to your room, boots from a thumb drive, and installs their own bootloader on the machine. When you return, everything will appear normal to you, but the bootloader can do any amount of mischief. For example, it can log the password you enter to log in and store it. Or they can have the spyware mentioned in the article install once you log in.

Later, they come back, wipe the bootloader, and leave your system apparently in its original state (but with spyware installed). The only difference now is that you may think you've foiled their attack because of the full disk encryption, and fail to investigate further.


Easy: use cloud storage with 2-factor authentication.


That will weaken the attack, make it a little more difficult, but it won't thwart it.


Easy: buy a new computer every day.


  "use another laptop/device for that, they're relatively cheap"


That still won't matter if you leave the important laptop in your hotel room.


Having followed this story since July, it was almost certainly an inside job and the perpetrator had access to the rooms (cleaner or other staff).


That was my first thought when I read the story too.

I bet non-casino hotels pay way less attention to security. I suspect that the Vegas hotels would have caught the perp on camera - and in these more enlightened times they might even have survived :-)


Not necessarily. Since he had to rekey the card... someone just showed up with any form of ID, or not even that, at the front desk and claimed that another random card they acquired by any other means (I collect those when I stay) wasn't opening the door. Easy as that.


I came into a Las Vegas hotel one morning around 7am... literally drunk as a skunk and looking really rough... I told the concierge I didn't have any ID or a key to my room... She asked me what was in the room, I said a backpack. She then proceeded to give me a new key and open my door for me.

I could have been any random drunk who stumbled into that hotel that morning.


Security was sent up every time I have been locked out of a hotel room. They're always happy to open the door for me, but won't leave until I satisfactorily identify myself (with ID that is usually locked in the room).


Wow, that never happened to me. I always get the card re-keyed without any kind of security. And that is from low 3 stars to 4 stars, Hilton and Cliff in SF to name a few.


Maybe I look sufficiently sketchy for enhanced screening!



> if you have a security requirement, use full disk encryption

By this do you mean something along the lines of "if you have something worth protecting, do it the right way / all the way"? Interesting phrase.


Yes, basically. Having your computer actually at risk of physical attack is very unlikely for most people (given that most people aren't worth the bother), but if you are in a situation where an attacker could gain physical access to your computer, and that physical access could lead to significant loss (whether of property, money or valuable information) then the hassle involved in full disk encryption is minimal compared to the potential for loss.



