After Hacker Exposes Hotel Lock Insecurity, Lock Firm Asks Hotels To Pay For Fix

Sparrowvsrevolution writes "In an update to an earlier story on Slashdot, hotel lock company Onity is now offering a hardware fix for the millions of hotel keycard locks that hacker Cody Brocious demonstrated at Black Hat were vulnerable to being opened by a sub-$50 Arduino device. Unfortunately, Onity wants the hotels who already bought the company's insecure product to pay for the fix. Onity is actually offering two different mitigations: The first is a plug that blocks the port that Brocious used to gain access to the locks' data, as well as more-obscure Torx screws to prevent intruders from opening the lock's case and removing the plug. That band-aid style fix is free. A second, more rigorous fix requires changing the locks' circuit boards manually. In that case, Onity is offering 'special pricing programs' for the new circuit boards customers need to secure their doors, and requiring them to also pay the shipping and labor costs."

Is there any guarantee on the new circuit board?

[Taco Cowboy]

The real question is not whether the lock company should charge for fixing the bug

The real question is whether there is a guarantee that the new circuit board (the upgrade) that the lock company provides is hack proof

Or put it another way ---
Will any e-lock company dare to guarantee that their e-lock for hotel room will be hack-proof?
 

Re:The cheap one is worthless

[Tastecicles]

tech overkill.

I use a Gator Grip [endeavorproducts.com] and have done for fifteen years. Yes, they work, no I don't work for them. Yes they're fantastic value and no, they don't charge for replacement in case of bad workmanship, act of Dog, act of Idiot, or jamming. I've only ever had to replace the small one because I managed to break it trying to loosen a disc brake caliper.

Master key systems can be hacked too

[twosat]

I remember reading years ago about Matt Blaze, a security researcher at AT&T Labs-Research who discovered how to create a master key from a key and a lock which is opened by it. His method was a trade secret used by many locksmiths, which pissed them off when he publicised it.

http://it.slashdot.org/story/03/01/23/0359230/att-identifies-widespread-security-hole---in-locks [slashdot.org]

http://www.nytimes.com/2003/01/23/business/many-locks-all-too-easy-to-get-past.html [nytimes.com]

Re:You know what else can open a lock? A crowbar.

[dead_user]

I can attest that hotel room doors are pretty crowbar-resistant. During Katrina I was "essential personnel" and was "evacuated" to the hotel near City Hall so I could be at the ready once the storm passed. About $70k worth of equipment came with me to the hotel room to get it more protected. (Backup servers and their ilk.) The next evening when the national guard guys took us back to our rooms to get our stuff, there were three giant gouges in my door. But the door held. I was both impressed and disgusted. These people also beat up the hotel staff because they were upset that the hotel generators didn't also run the A/C's. Eventually, the hotel was abandoned and left to them. It was just too dangerous to the staff to stay. By the second night, they had defaced much of the hotel with spray painted signs declaring the hotel the "New 4th Ward", a project (slum) from New Orleans. Granted, their homes were flooded, but so was mine. So sad.