Black Hat: Hotel keycard lock picking in less time than it takes to blink

Las Vegas -- If you are currently in Las Vegas for the Black Hat or Def Con security conferences, or any hotel for that matter, when you closed and locked your hotel door, heard it click, then you probably believed that you secured your hotel room. Eeenk! It, and four to five million other Onity keycard-protected hotel rooms, can be hacked with open-source hardware costing about $20. What’s more, any hacker, thief, stalker . . . or someone from the government, only needs 200 milliseconds for such untraceable access.


Tuesday night at the Black Hat security conference, Cody Brocious, a Mozilla software developer, presented My Arduino can beat up your hotel room lock. “I plug it in, power it up, and the lock opens,” Brocious said. Onity locks have a DC power port under the keycard lock, so Brocious plugged his Arduino microcontroller into that port and was able to read the 32-bit key stored in the lock’s memory location. There’s no easy fix either, short of Onity physically changing every single lock as the lock is insecure by design.

Need another reason to care about this hack? How about privacy and security? “With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” Brocious told Forbes. “An intern at the NSA could find this in five minutes.”

Brocious explained in his Black Hat research paper:

While there are a number of special cards, the most important ones for this discussion are the programming card and spare card. When a programming card is introduced into a door followed by a spare card, the spare card becomes the guest card for the door.

Programming cards and spare cards are generally created in case of encoder failure, so that guests can continue to check into the hotel when normal keycards cannot be made. However, they introduce a new risk in that if programming cards can be created, any door in the hotel can be entered.

It should be noted that while programming cards are encrypted with the sitecode of the property, much like any other card, the spare cards are not encrypted whatsoever and simply contain an incrementing value.

You don’t need the big bucks to exploit this vulnerability; it’s low budget lock picking as the hardware only costs about “$20 or less from Radioshack.” There’s no firmware upgrade, so until Onity takes action by changing these insecure-by-design locks, anyone can pull off this high-tech hack in about 200 milliseconds which is less time than it takes to blink. It does not work on all keycard locks, but Onity better get on it and fix it. While Brocious doesn't intend to take it further and figure out how to make it work on all hotel keycard locks, that doesn't mean someone else won't or doesn't already know how. 

Brocious suggested possible fixes so the next round of Onity locks will hopefully not be so easy to exploit for voila instant hotel room access. You can read more about this hack since Brocious has posted his research paper and slides [PDF]. “Happy hacking,” he said.

Copyright © 2012 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon