At the Black Hat Las Vegas security conference in July, Cody Brocious showed how “stupidly simple” it was to exploit Onity keycard-protected hotel rooms, and that picking the lock for untraceable access took about as long as it takes to blink. Now a string of hotel room thefts in Houston has allegedly used the keycard hack.
Police arrested 27-year-old Matthew Allen Cook after he pawned a stolen HP laptop, reported Forbes. White Lodging, a Hyatt franchise that manages the Hyatt House Galleria in Houston, “believes that the rooms were opened using a device that takes advantage of a glaring security vulnerability in keycard locks built by the lock company Onity, specifically a model of lock that appears in at least four million hotel rooms worldwide.” White Lodging added that “Onity only implemented a fix for that flaw in its locks after the September break-ins at the Houston Hyatt.” For now, the hotel has stuffed glue in the locks' DC ports and hired a security guard.
Brocious published his findings on how to exploit the hotel keycard vulnerability with the hope that Onity would fix the faulty locks. He told Forbes, “It wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments. An intern at the NSA could find this in five minutes.”
Then other hackers refined the hotel keycard lock picking, with one of the coolest device modifications being pen-sized to appeal to the secret spy in all of us. In October, Matthew Jakubowski, a penetration tester and security researcher with Trustwave SpiderLabs, and two fellow hackerspace hackers took a “boring” black pen and built a very small prototype. “Push the pen into the DC port on the underside of the hotel keycard lock and it instantly pops the lock open.” They dubbed it “James Bond’s dry erase marker: the hotel pentest pen.” Jakubowski told Forbes that “he and his friends assembled it in about eight hours with $30 worth of hardware.”
The Standard published an article discussing FBI warnings about potential espionage risks to “government officials, businessmen and academic personnel” using hotel Wi-Fi networks when traveling abroad. The article then recommended “DIY counter espionage” tactics for protection. Later it asked:
“Still worried about spies breaking into your hotel room? A justified concern given a recent report about the security flaw of hotel room locks, manufactured by a company called Onity which supposedly secures millions of hotel rooms worldwide. I suggest you plant a covert camera in the room, focused on the data-less laptop you deliberately left on the table. The FBI would be impressed with your recordings.”
There are other DIY counter-espionage suggestions, but they seem like considerable work at a considerable cost. If regular John Doe burglars are now capitalizing on the vulnerable Onity locks, then why isn’t there a very loud outcry from hotels? Or, not that the world needs more lawsuits, but how about a very costly lawsuit to basically force Onity to fix the exploitable vulnerability by supplying and installing new circuit boards at the company’s cost?
You might think that people learned not to kill the messenger back in the Dark Ages, but in 2012 the finger-pointing blame game has sunk to a new low. Instead of blaming Onity for the faulty product, Ken Croston of World Class Installations, aka “the Electronic Locksmith,” took the “vulnerable circuit boards out of their stock” and put out some PR that blames the hackers who discovered and refined the lock picking process. He said, “I would rather spend the time and resources now to make sure that 100% of our locks go out with the best available fix. We will continue to monitor this issue to make sure we are putting out the best possible products. We take this very seriously. It is very sad that the public has been put at risk and many small businesses have been affected by this being put out for everyone to duplicate.”
There might be a reason to debate responsible disclosure, but in the four months since the flawed keycard lock vulnerability went public, Onity still hasn’t stepped up to fully pay for the required new circuit board and installation. Onity did supply plugs for the DC ports and suggested changing the screws, but left its hotel customers to foot the bill for a more secure fix. This likely means it won't be fixed in all hotels. Therefore, it seems there should be no excuse to blame the hackers instead of the company. NetworkWorld has a “screenshot of Onity's original post about the security vulnerability. After that controversial solution, the company then deleted the post and replaced the statement with contact information for its hotel customers.”