Onity Hotel-Room Lock-Hacking Triviality Becomes an Issue In Texas

Posted on 28 November 2012 by


Brocious demonstrates his hack for Forbes

Last July at the Black Hat conference, security researcher Cody Brocious gave a well-attended and much-discussed presentation in which he responsibly, totally reasonably and helpfully demonstrated the complete fail that is the Onity hotel door lock system.

Now, I have skin in this game – I stay in hotels.

A lot.

So much so that, last night at a dinner with a West Texas Constable, Dave said that, when I show up at one of the hotels in the brand I frequent, the desk clerk says, “Oh, Mr Selby…Your sponge bath will be ready shortly.”

Now, lots of people give pretty good lists of safety tips for travelers in hotels. Dave and I do when we consult large organizations on protecting their executives and their data from simple and inexpensive-to-mount attacks like the Evil Maid Attack.

[By the way, 90% of our consulting clients disbelieve that their hotel rooms are subject to random thievery, let alone targeted data theft attacks. It makes them feel icky, and unsafe, and generally they complain to management that we are “scaring” them. Which has the happy and ultimately positive benefit of a whole lot of new, inexpensive and easy-to-buy Chinese versions of expensive products which were once the exclusive intellectual property of American firms.

I digress.]

The main issue is that, when Brocious made his presentation, it was met by a lot of fascination on the part of hackers and a lot of yawning from others.

After all, the hack required computer smartness and expense, right?

Yeah, not so much. As Brocious showed in his detailed paper, the 10 million or so Onity HT locks that are out there comprise about half of the hotel locks installed, and are present in one third of hotels in the world. So it’s not, like, this rare thing.

Here’s a key passage from Brocious’ paper:

The open command takes a 32-bit sitecode and — assuming it matches what’s stored in the lock — causes the lock to immediately open.

In case you missed it, what he’s saying is that, should you manage through some kind of dark alchemy to figure out how to get that 32-bit code, and enter it into the door lock somehow, the door will immediately open.

Gosh! But surely the company, Onity, has assured that getting that code is really, really hard, right?

Yeah, not so much.

Brocious’ research and conference talk showed how, specifically, to reverse the process of creating, for under $100, a Portable Programmer that generates the codes for a given hotel, and how, for $20 or so, one could buy from Radio Shack the kit required to communicate with the lock through the DC barrel connector at the bottom of the lock mechanism.

This was not a secret.

And it’s not as if hotel locks are all that reliable, anyway.

And then, of course, once that is done, that other lock? The little jammy inside to stop the door opening?

Yeah, not so much.

But Brocious’ talk inspired hackers and, um, others, to test the concepts.

It seemed to go quite well, actually.

Onity, the firm that makes the locks, responded in August, and then removed the statement from their website. Fortunately, Brocious maintained a copy of their statement, which was, in our expert analysis, a bunch of hand-wringing, flack-driven, feel-good buffalo-bagels offering some security-through-obscurity tricks and balderdash and not actually addressing the issue other than to essentially tell people to fill the lock ports with hot glue.

Awesome.

We raise all this because there are now some media reports that law enforcement in Texas is starting to see these hacks appearing. According to Forbes’ Andy Greenberg, Houston Police have arrested one Matthew Allen Cook for break-ins using this method at Houston-area Hyatt hotels.


Action

This is something for CID to be aware of, but also, we raise this as an officer safety issue. Take hotel security seriously for yourself, for others, and recognize that hotel break-ins using this method are likely to become more common. Learn to recognize the vulnerable Onity locks, and when investigating hotel complaints of break-ins, assaults, robberies or burglaries, keep in mind that these locks may have been a contributing factor.

Dave reminds you that you’d be looking for a situation in which there is no apparent forced entry – so don’t just discount your victim’s story. Also, your suspect is unlikely to be a bum. He’s more likely to be a he, young, and tech savvy. But remember: the barrier for entry to this hack is relatively low – one needn’t even have a pocket protector.