Hacker Will Expose Potential Security Flaw In Four Million Hotel Room Keycard Locks
The next time you stay in a hotel room, run your fingers under the keycard lock outside your door. If you find a DC power port there, take note: With a few hacker tricks and a handful of cheap hardware, that tiny round hole might offer access to your room just as completely as your keycard.
At the Black Hat security conference Tuesday evening, a Mozilla software developer and 24-year old security researcher named Cody Brocious plans to present a pair of vulnerabilities he’s discovered in hotel room locks from the manufacturer Onity, whose devices are installed on the doors of between four and five million hotel rooms around the world according to the company’s figures. Using an open-source hardware gadget Brocious built for less than $50, he can insert a plug into that DC port and sometimes, albeit unreliably, open the lock in a matter of seconds. “I plug it in, power it up, and the lock opens,” he says simply.
In fact, Brocious’s break-in trick isn’t quite so straightforward. Testing a standard Onity lock he ordered online, he’s able to easily bypass the card reader and trigger the opening mechanism every time. But on three Onity locks installed on real hotel doors he and I tested at well-known independent and franchise hotels in New York, results were much more mixed: Only one of the three opened, and even that one only worked on the second try, with Brocious taking a break to tweak his software between tests.
Even with an unreliable method, however, Brocious’s work–and his ability to open one out of the three doors we tested without a key–suggests real flaws in Onity’s security architecture. And Brocious says he plans to release all his research in a paper as well as source code through his website following his talk, potentially enabling others to perfect his methods.
Brocious’s exploit works by spoofing a portable programming device that hotel staff use to control a facility’s locks and set which master keys open which doors. The portable programmer, which plugs into the DC port under the locks, can also open any door, even providing power through that port to trigger the mechanism of a door lock in which the battery has run out.
The system’s vulnerability arises, Brocious says, from the fact that every lock’s memory is entirely exposed to whatever device attempts to read it through that port. Though each lock has a cryptographic key that’s required to trigger its “open” mechanism, that string of data is also stored in the lock’s memory, like a spare key hidden under the welcome mat. So it can be immediately accessed by Brocious’s own spoofed portable device and used to open the door a fraction of a second later.
Brocious believes that the unreliability of his method stems from timing issues in how his hacked-together unlocking device communicates with Onity’s locks. He doesn’t plan to complete the development and debugging of the technique himself, due to what he says are time constraints and concerns about what a universally effective exploit would mean for the security of millions of hotel guests. But he believes that with more experimentation and tweaking, someone could easily access a significant fraction of hotel rooms around the country without leaving a trace.
In fact, Brocious isn’t the only one who knows his tricks. His former employer, a startup that sought to reverse engineer Onity’s hotel front desk system and offer a cheaper and more interoperable product, sold the intellectual property behind Brocious’s hack to the locksmith training company the Locksmith Institute (LSI) for $20,000 last year. LSI students, who often include law enforcement, may already have the ability to open Onity doors at will.
“With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” says Brocious. “An intern at the NSA could find this in five minutes.”
The ability to access the devices’ memory is just one of the two vulnerabilities Brocious says he found in Onity’s locks. He says the company also uses a weak encryption scheme that allows him to derive the “site code”–a unique numerical key for every facility–from two cards encoded one after another for the same room. By reading the encrypted data off of two cards and testing thousands of potential site codes against both cards until the decoded data displays a predictable interval between the two, he can find the site code and use it to create more card keys with a magnetizing device. But given that he can only create more cards for the same room as the two keys he’s been issued, that security flaw represents a fairly low risk compared with the ability to open any door arbitrarily.
Brocious says he stumbled upon the the flaws in Onity’s locks while working as the chief technology officer for a startup called Unified Platform Management Corporation, which sought to compete with bigger players in the hotel lock industry by creating a universal front end system for hotels that used common lock technologies. Brocious was hired to reverse engineer hotel locks, and Onity was his first target. The discovery of Onity’s security vulnerabilities was entirely unintentional, he says.
UPM failed to find customers or investment and soon folded. With the exception of the sale of his exploit methods to LSI–the biggest sale the startup ever achieved–Brocious kept quiet about his discovery, until now.
“This wasn’t the way we wanted to disrupt the business, exactly,” says Brian Thomason, one of UPM’s founders. “But hey, stuff happens, right?”
In a move that may dismay security practitioners, Brocious never contacted Onity or its parent company United Technologies Corporation to tell the firm about its security flaws, and doesn’t plan to ahead of his talk. But he says that’s because there’s little the company could do: the locks can’t be simply upgraded with new firmware to fix the problem. New circuitboards will have to be installed in every affected lock, a logistical nightmare if millions of locks prove to be vulnerable. “I didn’t want to delay putting this out there any further than I had to. I see no path to mitigate this from Onity’s side,” he says. “The best way to help hotels at this point is educate them about this, not to go through Onity and delay getting the information out longer than I had to.”
When I contacted Onity and provided a detailed description of Brocious’s work, the company responded with this statement: “We have not seen Mr. Brocious’ presentation and cannot comment on the content. Onity places the highest priority on the safety and security provided by its products and works every day to develop and supply the latest security technologies to the marketplace.”
And if Onity’s locks are in fact as insecure and unsecurable as Brocious says, how does he suggest hotels and their guests protect themselves? “Hotels need to come up with a plan to move to more secure locks,” he says.
At the Black Hat security conference Tuesday evening, a Mozilla software developer and 24-year old security researcher named Cody Brocious plans to present a pair of vulnerabilities he’s discovered in hotel room locks from the manufacturer Onity, whose devices are installed on the doors of between four and five million hotel rooms around the world according to the company’s figures. Using an open-source hardware gadget Brocious built for less than $50, he can insert a plug into that DC port and sometimes, albeit unreliably, open the lock in a matter of seconds. “I plug it in, power it up, and the lock opens,” he says simply.
In fact, Brocious’s break-in trick isn’t quite so straightforward. Testing a standard Onity lock he ordered online, he’s able to easily bypass the card reader and trigger the opening mechanism every time. But on three Onity locks installed on real hotel doors he and I tested at well-known independent and franchise hotels in New York, results were much more mixed: Only one of the three opened, and even that one only worked on the second try, with Brocious taking a break to tweak his software between tests.
Even with an unreliable method, however, Brocious’s work–and his ability to open one out of the three doors we tested without a key–suggests real flaws in Onity’s security architecture. And Brocious says he plans to release all his research in a paper as well as source code through his website following his talk, potentially enabling others to perfect his methods.
Brocious’s exploit works by spoofing a portable programming device that hotel staff use to control a facility’s locks and set which master keys open which doors. The portable programmer, which plugs into the DC port under the locks, can also open any door, even providing power through that port to trigger the mechanism of a door lock in which the battery has run out.
The system’s vulnerability arises, Brocious says, from the fact that every lock’s memory is entirely exposed to whatever device attempts to read it through that port. Though each lock has a cryptographic key that’s required to trigger its “open” mechanism, that string of data is also stored in the lock’s memory, like a spare key hidden under the welcome mat. So it can be immediately accessed by Brocious’s own spoofed portable device and used to open the door a fraction of a second later.
Brocious believes that the unreliability of his method stems from timing issues in how his hacked-together unlocking device communicates with Onity’s locks. He doesn’t plan to complete the development and debugging of the technique himself, due to what he says are time constraints and concerns about what a universally effective exploit would mean for the security of millions of hotel guests. But he believes that with more experimentation and tweaking, someone could easily access a significant fraction of hotel rooms around the country without leaving a trace.
In fact, Brocious isn’t the only one who knows his tricks. His former employer, a startup that sought to reverse engineer Onity’s hotel front desk system and offer a cheaper and more interoperable product, sold the intellectual property behind Brocious’s hack to the locksmith training company the Locksmith Institute (LSI) for $20,000 last year. LSI students, who often include law enforcement, may already have the ability to open Onity doors at will.
“With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” says Brocious. “An intern at the NSA could find this in five minutes.”
The ability to access the devices’ memory is just one of the two vulnerabilities Brocious says he found in Onity’s locks. He says the company also uses a weak encryption scheme that allows him to derive the “site code”–a unique numerical key for every facility–from two cards encoded one after another for the same room. By reading the encrypted data off of two cards and testing thousands of potential site codes against both cards until the decoded data displays a predictable interval between the two, he can find the site code and use it to create more card keys with a magnetizing device. But given that he can only create more cards for the same room as the two keys he’s been issued, that security flaw represents a fairly low risk compared with the ability to open any door arbitrarily.
Brocious says he stumbled upon the the flaws in Onity’s locks while working as the chief technology officer for a startup called Unified Platform Management Corporation, which sought to compete with bigger players in the hotel lock industry by creating a universal front end system for hotels that used common lock technologies. Brocious was hired to reverse engineer hotel locks, and Onity was his first target. The discovery of Onity’s security vulnerabilities was entirely unintentional, he says.
UPM failed to find customers or investment and soon folded. With the exception of the sale of his exploit methods to LSI–the biggest sale the startup ever achieved–Brocious kept quiet about his discovery, until now.
“This wasn’t the way we wanted to disrupt the business, exactly,” says Brian Thomason, one of UPM’s founders. “But hey, stuff happens, right?”
In a move that may dismay security practitioners, Brocious never contacted Onity or its parent company United Technologies Corporation to tell the firm about its security flaws, and doesn’t plan to ahead of his talk. But he says that’s because there’s little the company could do: the locks can’t be simply upgraded with new firmware to fix the problem. New circuitboards will have to be installed in every affected lock, a logistical nightmare if millions of locks prove to be vulnerable. “I didn’t want to delay putting this out there any further than I had to. I see no path to mitigate this from Onity’s side,” he says. “The best way to help hotels at this point is educate them about this, not to go through Onity and delay getting the information out longer than I had to.”
When I contacted Onity and provided a detailed description of Brocious’s work, the company responded with this statement: “We have not seen Mr. Brocious’ presentation and cannot comment on the content. Onity places the highest priority on the safety and security provided by its products and works every day to develop and supply the latest security technologies to the marketplace.”
And if Onity’s locks are in fact as insecure and unsecurable as Brocious says, how does he suggest hotels and their guests protect themselves? “Hotels need to come up with a plan to move to more secure locks,” he says.