

Hackers target hotel room key-card security

28 August 2012

Think twice before leaving your room un-dead-bolted the next time you stay at a hotel: hackers have taken to the internet with a series of videos demonstrating how to defeat the security of hotel room keycard locks and make them open on their own.

At the recent Black Hat security conference, Mozilla software developer Cody Brocious demonstrated a simple hack on locks from Onity, which owns 50% of the hospitality market, supplying more than 4 million locks in the US. The locks don’t encrypt their communications data, and the memory can be arbitrarily accessed, so it was a relatively easy process to tap in using a portable programmer – created with about $40 worth of commercially available hardware – to reverse-engineer the communications protocol.

Brocious’ hack was, however, successful only part of the time. Onity was quick to seize on that inconsistency, saying that it “understands the hacking methods to be unreliable, and complex to implement.”

Hackers appear to have taken Onity’s words as a challenge and, as the videos show, have been busy working out the kinks.

Onity did say that it was working on the issue. “To alleviate any concerns, we are developing a firmware upgrade for the affected lock-type,” it said. “The upgrade will be made available after thorough testing to address any potential security concerns that you may have.”

The fixes, released this week, include a hardware cap that can prevent a portable programmer from being inserted in the first place, and a so-called “firmware” update that is actually just a new chip to replace the compromised silicon in the electronics of the lock. “For locks that have upgradable control boards, there may be a nominal fee,” the company said. “Shipping, handling and labor costs to install these boards will be the responsibility of the property owner.”

In both cases, intruders have an easy way around the obstacle. For the former, those with malicious intent need only pop off the face of the lock to gain access, albeit a suspicious-looking activity. For the latter, the new chip can simply be reverse-engineered again.

Brocious took to his blog to point out that the only way to truly fix the issue is by encrypting all communication data.
