Thieves use 'complex', 'unreliable' exploit to rob hotels

A vulnerability found in locks used throughout hotels is contributing to a string of thefts, even though the lock manufacturer previously considered the vulnerability to be "unreliable" and "complex to implement."
Written by Michael Lee, Contributor

A string of recent thefts at hotels has been traced back to a vulnerability in electronic door mechanisms that was demonstrated in July this year.

Cody Brocious, also known online as Daeken, demonstrated that Onity HT locks, commonly installed at hotels, are susceptible to an attack via their communication port. In his paper, he revealed that communication via this port is "unauthenticated and enables direct memory access, which allows arbitrary reading of memory" and that, "combined with basic knowledge of the system, this can allow an attacker to open doors directly, create master keys, and create programming cards for whole properties."

Brocious had said that the decision to disclose the vulnerability was a difficult one, especially as fixing the problem would require an update to all of the estimated ten million locks installed in the world, but felt that the short-term effects would be less damaging than the long-term damage a few individuals could do if they were the only ones that knew.

At first, Brocious' discovery was considered to be low risk and unlikely to work. On July 25, the day after Brocious' demonstration, Onity issued a statement acknowledging, but downplaying, the vulnerability:

"Onity understands the hacking methods to be unreliable and complex to implement. However, to alleviate any concerns, we are developing a firmware upgrade for the affected lock-type. The upgrade will be made available after thorough testing to address any potential security concerns that you may have."

However, it is now believed that thieves are using the vulnerability in hotel thefts in Houston, Texas. Forbes reported that police have arrested and charged Matthew Allen Cook with a break-in at a Houston hotel. How he gained entry is still not known, but Cook is also a suspect in two other hotel break-ins. One of the owners of the hotel confirmed that the door mechanism was not forced or picked, and a readout of the lock's memory reveals that no other keycards had been used to gain entry, leading him to suspect that it was the vulnerability that was being exploited.

The reliability of the exploit has also been further refined by many interested hackers, including Trustwave SpiderLabs' Matt Jakubowski. Jakubowski has managed to miniaturise the hardware necessary to exploit the vulnerability and package it inside a whiteboard marker.

Onity has removed statements formerly made about the locks from its website, replacing them with a message stating that it has "developed and started to deploy improvements for our locks."

Its original statements, as preserved on Brocious' blog and mirrored by Security Info Watch, showed that Onity would freely provide a mechanical cap to block the port from access.

"This mechanical cap will be inserted into the portable programmer plug of the HT series locks. With the existing battery cover in place, the mechanical cap will not be removable without partial disassembly of the lock. This will prevent a device emulating a portable programmer from hacking the lock. To further enhance the security of this fix, we will also supply a security TORX screw with each mechanical cap, to further secure the battery cover in the lock," it said at the time.

It also offered a more permanent fix in the form of an upgraded circuit board for the locks or an upgrade to locks that are immune to the vulnerability, but at the hotel owners' cost.
