
After Hacker Exposes Hotel Lock Insecurity, Lock Firm Asks Hotels To Pay For Fix

Posted by Soulskill
from the we-are-so-sorry-give-us-money dept.
Sparrowvsrevolution writes "In an update to an earlier story on Slashdot, hotel lock company Onity is now offering a hardware fix for the millions of hotel keycard locks that hacker Cody Brocious demonstrated at Black Hat were vulnerable to being opened by a sub-$50 Arduino device. Unfortunately, Onity wants the hotels who already bought the company's insecure product to pay for the fix. Onity is actually offering two different mitigations: The first is a plug that blocks the port that Brocious used to gain access to the locks' data, as well as more-obscure Torx screws to prevent intruders from opening the lock's case and removing the plug. That band-aid style fix is free. A second, more rigorous fix requires changing the locks' circuit boards manually. In that case, Onity is offering 'special pricing programs' for the new circuit boards customers need to secure their doors, and requiring them to also pay the shipping and labor costs."
  • by Anonymous Coward on Wednesday August 22, 2012 @03:56AM (#41078493)

    RTFA. No need to disassemble the lock - all you do is plug a small gadget into a Nokia-charger-style port at the bottom of the lock and voilà - open door.

  • by Anonymous Coward on Wednesday August 22, 2012 @03:56AM (#41078495)

    Isn't the point of the original hack that you can do it through the exposed programming port in seconds and leave no trace? Sounds superior to a crowbar, though my experience is limited.

  • by gweihir (88907) on Wednesday August 22, 2012 @04:00AM (#41078511)

    "Secure" screws are anything but. You can either print them (wax, photograph) and make matching bits pretty easily. You can even automate this. Or you can force them with some pre-made approximations. (Yes, that may mean carrying around 50 possibles, and/or a file, but it is not hard.) There are other techniques as well, for example removal tools for broken screws or ice-spray and a hammer. Sawing a slit into the screw-head is also typically pretty easy.

    Yes, I have done it a few times. Not for these locks, but I would be surprised if they were any different.

  • by Isaac-1 (233099) on Wednesday August 22, 2012 @04:25AM (#41078627)

    I suspect Kryptonite had a bit more markup built into their business model; this sort of recall would likely bankrupt the lock company if they offered it for free, which would leave the hotels without replacement parts, or locks for new construction, etc. Remember, hotels love standardization, and these locks must offer remote programming from the front desk, etc.

  • by TubeSteak (669689) on Wednesday August 22, 2012 @04:50AM (#41078755) Journal

    Secure screw bits are $20 for an entire set (Made in China) of all the designs.

    The only "secure" screw head is one that is custom made for you.
    Otherwise, you should be using breakaway heads or one-way screws.

  • Hotel In room "safe" (Score:5, Informative)

    by trout007 (975317) on Wednesday August 22, 2012 @05:13AM (#41078827)

    I was staying in a Marriott and they have a small in-room safe. It's the kind with a digital keypad where you select your own code. I put stuff in there while we went to the pool.

    When we got back I guess one of the kids was playing with it and it stopped responding because they pressed too many buttons. So I looked it up online. All I had to do was press "lock" twice to enter supervisor mode then 999999 and it opened the safe bypassing my code.

    So don't use those safes for anything really valuable. Next time I'll have to play around with supervisor mode to see if I can change that password.

  • Re:You know what? (Score:5, Informative)

    by Tastecicles (1153671) on Wednesday August 22, 2012 @05:16AM (#41078841)

    1979 (c. 54) provides:

    14 Implied terms about quality or fitness.

    (1) Except as provided by this section and section 15 below and subject to any other enactment, there is no implied term about the quality or fitness for any particular purpose of goods supplied under a contract of sale.
    (2) Where the seller sells goods in the course of a business, there is an implied term that the goods supplied under the contract are of satisfactory quality.
    (2A) For the purposes of this Act, goods are of satisfactory quality if they meet the standard that a reasonable person would regard as satisfactory, taking account of any description of the goods, the price (if relevant) and all the other relevant circumstances.
    (2B) For the purposes of this Act, the quality of goods includes their state and condition and the following (among others) are in appropriate cases aspects of the quality of goods—
    (a) fitness for all the purposes for which goods of the kind in question are commonly supplied,
    (b) appearance and finish,
    (c) freedom from minor defects,
    (d) safety, and
    (e) durability.
    (2C) The term implied by subsection (2) above does not extend to any matter making the quality of goods unsatisfactory—
    (a) which is specifically drawn to the buyer's attention before the contract is made,
    (b) where the buyer examines the goods before the contract is made, which that examination ought to reveal, or
    (c) in the case of a contract for sale by sample, which would have been apparent on a reasonable examination of the sample.

    emphases mine.

    If a lock is described as a lock, and looks like a lock, is it unreasonable to expect it to perform as such? I don't think so.
    If a device is described as a lock and does not in fact perform that function, to the point where intervention is required, then is it unreasonable to assume that the defect is by design? I would say not.

    Therefore, the effect of the failure of the product to perform *as advertised* constitutes a material breach of contract, one which should be pursued for restitution and remedy.

    DISCLAIMER: IAAL.

  • by adolf (21054) <flodadolf@gmail.com> on Wednesday August 22, 2012 @06:19AM (#41079097) Journal

    I had to defeat some stainless steel T10 Security Torx [google.com] screws in the process of doing my job, recently, as I was moving old hardware from one place to another.

    Normally, I carry a large assortment of cheap "security" driver bits with me, but alas they were not with me at the time (indeed, they were 40 miles away).

    Solution: I used a regular-old Klein T10 driver. I smashed it into the head of the screw a few times with the palm of my hand (no hammer needed), and the protruding post neatly bent over and squished itself into the valley of the Torx socket. This left plenty of surface area to neatly grab the fastener in the conventional way (with the same, and now proper driver), and remove it.

    I was fairly amused that this worked the first time. And then I repeated it 7 more times for the other screws with similar success. (The Klein screwdriver was unfazed.)

    (For the uninitiated: Torx screws intentionally require very little engagement depth to properly mate a driver to the fastener, by design. It is perhaps the singular thing they're very good at, and also the one thing that allowed them to be so easily circumvented in this case of them being modified for "security.")
