After Hacker Exposes Hotel Lock Insecurity, Lock Firm Asks Hotels To Pay For Fix
Sparrowvsrevolution writes "In an update to an earlier story on Slashdot, hotel lock company Onity is now offering a hardware fix for the millions of hotel keycard locks that hacker Cody Brocious demonstrated at Black Hat were vulnerable to being opened by a sub-$50 Arduino device. Unfortunately, Onity wants the hotels who already bought the company's insecure product to pay for the fix. Onity is actually offering two different mitigations: The first is a plug that blocks the port that Brocious used to gain access to the locks' data, as well as more-obscure Torx screws to prevent intruders from opening the lock's case and removing the plug. That band-aid style fix is free. A second, more rigorous fix requires changing the locks' circuit boards manually. In that case, Onity is offering 'special pricing programs' for the new circuit boards customers need to secure their doors, and requiring them to also pay the shipping and labor costs."
You know what else can open a lock? A crowbar. (Score:5, Insightful)
Any hack that requires physical disassembly of the lock is just ePeen waving.
Given the choice between a $50 bit of magic juju that might work after 5 minutes of fiddling, and a $20 jimmy that will work 100% of the time in 10 seconds, I know which option 99% of "going equipped" criminals are going to go for.
So, no, I'm not blaming the lock manufacturer here. No security is absolute, it's a question of what's reasonable.
Re:You know what else can open a lock? A crowbar. (Score:5, Informative)
RTFA. No need to disassemble the lock - all you do is plug in a small gadget into a nokia-charger-style plug at the bottom of the lock and voilà - open door.
Re:You know what else can open a lock? A crowbar. (Score:5, Insightful)
RTFA. No need to disassemble the lock - all you do is plug in a small gadget into a nokia-charger-style plug at the bottom of the lock and voilà - open door.
Not after the "free" workaround (cap that covers connector, and requires lock disassembly to remove) is applied.
And I guess, if you already have disassembled the lock, you won't need the gadget to open it: a short applied directly at the actuator would do the trick too.
So, the "bandaid-style workaround" (cap) might actually make more sense than the improved circuit board (which may only protect against the current intrusion software, but not against enhanced versions that take into account the new memory layout).
Re:You know what else can open a lock? A crowbar. (Score:5, Insightful)
Forget applying a "short" "directly at the actuator" (whatever that means): If you've already got the lockset disassembled, you just unlock it mechanically; no electronics needed.
That said, presumably (and I did R most of TFA), neat disassembly also requires access to the locked room, as is the case with most locks which are designed to be secure in only one direction.
But without more data, I'm led to wonder if the "free" workaround cap is actually all that physically secure, anyway: Being both a retrofit and (and again I presume) only having been designed within the past month or so, and then built down to a cost that can be distributed for free, it seems entirely likely that the cap itself might still be vulnerable to defeat from outside.
Re: (Score:2)
That's the problem - If you can just remove a few torx screws and then remove the cap, you've at most increased the time it takes to defeat the lock.
One of the key things here is - People aren't going to notice a few missing screws immediately. An attacker could walk by, remove a screw, then get clear. Rinse and repeat until all screws are removed. In the time in between, most likely NO ONE would notice the lock was missing a screw or two - hell this happens in normal situations all the time.
Re: (Score:2)
Forget applying a "short" "directly at the actuator" (whatever that means): If you've already got the lockset disassembled, you just unlock it mechanically; no electronics needed.
Electric locks will have a deadbolt that's moved by a solenoid. That probably has nothing to grip onto to slide it mechanically, but all you need to do is apply an AA battery to the wires going into the solenoid and it'll slide right back.
Of course you can open it mechanically, otherwise a dead battery would leave the lock permanently inoperable.
These are hotel doors, not bank safes.
Re: (Score:3)
Only if someone was dumb enough to put those wires on the outside of the door.
Re: (Score:2, Informative)
Isn't the point of the original hack that you can do it through the exposed programming port in seconds and leave no trace? Sounds superior to a crowbar, though my experience is limited.
The cheap one is worthless (Score:5, Informative)
"Secure" screws are anything but. You can either print them (wax, photograph) and make matching bits pretty easily. You can even automatize this. Or you can force them with some pre-made approximations. (Yes, that may mean carrying around 50 possibles, and/or a file, but it is not hard.) There are other techniques as well, for example removal tools for broken screws or ice-spray and a hammer. Sawing a slit into the screw-head is also typically pretty easy.
Yes, I have done it a few times. Not for these locks, but I would be surprised if they were any different.
Re: (Score:2)
or why bother with any of that when a small crowbar will bypass it all.
The damage is too visible, dramatically increasing attacker risk.
Re: (Score:2)
Not likely on these. That was the whole point of the original hack. Otherwise Hotels would get burglarized this way all the time. They do not.
Anyways, your comment is irrelevant here. Attach it to the original story about the hack.
Re: (Score:2)
Otherwise Hotels would get burglarized this way all the time.
There's personnel (or other guests) walking around all the time. The risk of getting caught is probably too big for most thieves.
Discounting the risk of getting caught, there's a very low tech attack against hotels with old-fashioned mechanical keys. Just walk by the reception desk while the receptionist is temporarily out, and grab a key...
Re:The cheap one is worthless (Score:4, Interesting)
tech overkill.
I use a Gator Grip [endeavorproducts.com] and have done for fifteen years. Yes, they work, no I don't work for them. Yes they're fantastic value and no, they don't charge for replacement in case of bad workmanship, act of Dog, act of Idiot, or jamming. I've only ever had to replace the small one because I managed to break it trying to loosen a disc brake caliper.
Re: (Score:3)
How well does your Gator Grip work on small socket-cap Torx screws, such as those discussed in TFA?
It looks like a lovely tool for removing things that have external facets (common hexagonal nuts and bolts), but from what I see it is a picture of failure and frustration for anything else -- especially if it is very small (which lockset screws typically are).
Re: (Score:2)
as far as I can make out, if the tool can lock more than three pins around the head or in features then it will certainly grip enough to turn. I've seen (but not played with) finework versions of the Gator, and can only assume that they work on the same principle. If you can find one with fine enough pins for the job (I would say generally not to use a socket more than twice the size of the head to ensure proper grip) then sure: if a Gator will grip a rusted screw head (it will) enough to loosen it (if ther
Re: (Score:2)
And if undetected is not a goal, a small crowbar will do the job easier.
Re: (Score:2)
How often do you think hotels have someone examine the underside of their locks?
Re: (Score:2)
How often do you think hotels have someone examine the underside of their locks?
If something gets reported stolen (or a chambermaid claims to have been raped, ...) sure they will!
Re:The cheap one is worthless (Score:5, Informative)
Secure screw bits are 20 bucks for an entire set (Made in China) of all the designs.
The only "secure" screw head is one that is custom made for you.
Otherwise, you should be using breakaway heads or one-way screws.
Re: (Score:2)
I've defeated many "one-way" pan-head screws with force-multiplying pliers. Just grab and turn.
Re: (Score:2)
I googled several names but couldn't find out what force multiplying pliers are.
I found a couple questions but no pictures.
Ach.
As far as I can tell they are like Vise-grips.
Or maybe the pliers that multi-knives form when opened.
Having almost an extra pivot.
I still don't know how you would unscrew a one-way though.
Well without a file or drill.
P.S.
Interestingly enough, I found your comment on Google trying this.
P.P.S.
I try to use "PS's" anytime I can.
Re: (Score:2)
SOG calls theirs Compound Leverage
http://nationalsurvivalcenter.com/sogpos60.html [nationalsu...center.com]
There is supposed to be some gearing in there to make it easier.
Re: (Score:2)
The only "secure" screw head is one that is custom made for you.
Until someone comes with a tiny cordless Dremel and a screw extracting bit attached to the end.
Re: (Score:2)
The only "secure" screw head is one that is custom made for you.
What makes you think that? I work for a company that could not only make the screws for you, but also the bits to remove them for someone else.
(Okay, it'd be a heck of a lot more expensive than some of the other solutions, but...)
Re: (Score:2)
The only "secure" screw head is one that is custom made for you.
... until somebody comes with a Gator Grip [endeavorproducts.com].
Re: (Score:3)
How about this technique? http://www.youtube.com/watch?v=oG5vsPJ5Tos&t=1m20s [youtube.com]
Re:The cheap one is worthless (Score:5, Informative)
I had to defeat some stainless steel T10 Security Torx [google.com] screws in the process of doing my job, recently, as I was moving old hardware from one place to another.
Normally, I carry a large assortment of cheap "security" driver bits with me, but alas they were not with me at the time (indeed, they were 40 miles away).
Solution: I used a regular-old Klein T10 driver. I smashed it into the head of the screw a few times with the palm of my hand (no hammer needed), and the protruding post neatly bent over and squished itself into the valley of the Torx socket. This left plenty of surface area to neatly grab the fastener in the conventional way (with the same, and now proper driver), and remove it.
I was fairly amused that this worked the first time. And then I repeated it 7 more times for the other screws with similar success. (The Klein screwdriver was unfazed.)
(For the uninitiated: Torx screws intentionally require very little engagement depth to properly mate a driver to the fastener, by design. It is perhaps the singular thing they're very good at, and also the one thing that allowed them to be so easily circumvented in this case of them being modified for "security.")
Re: (Score:2)
The fact that you were dealing with stainless steel screws worked to your advantage here. Stainless is soft enough to deform under the hammer blows, but a proper hardened steel screw wouldn't do so.
Re: (Score:2)
I was moving some PCs that were bolted to the desks they stood on.
Basically, the security plates were a large metal plate, secured with epoxy to the PC, to give a large surface area that then took a stiff 10mm metal cable which tied them to the desks.
I didn't want to damage the PC casing or the desk so I had a look at what the school they were in had. They had a box of unlabelled keys along with some spare cables (so presumably they were the right keys if you could be bothered to try them all in every com
Re: (Score:2)
Well, there's also the fact that Torx screws aren't really that obscure to begin with.
Re: (Score:2)
Torx is a superior head for a variety of reasons.
Having had to deal with a myriad of the options of screws for server racks I can say without a doubt that torx saves you a ton of time and annoyance.
All the force is applied in rotation and you do not have to keep pushing the bit into the screw-head to avoid slipping (like with positive or phillips heads).
That, and they are a hell of a lot more durable when abused (which will happen in real world situations...)
Use the wrong bit on a phillips head just once an
Re: (Score:2)
Swiss army quality really has slipped.
Re: (Score:2)
Except they're torx screws, so you can just pull out your screwdriver, change the bit, and out they come.
Double standard (Score:5, Insightful)
Hmmm, we take umbrage that a company charges for a hardware upgrade to a flawed physical device, but we have gotten used to having to pay for software upgrades to get our bugs fixed. It is the second of these that is the real scandal.
Re: (Score:2)
There's a difference between bug fix and feature fix. I didn't realize vendors were charging me for bugfixes probably because they aren't.
Re:Double standard (Score:4, Funny)
Hmmm, we take umbrage that a company charges for a hardware upgrade to a flawed physical device, but we have gotten used to having to pay for software upgrades to get our bugs fixed. It is the second of these that is the real scandal.
How much did you pay for a Windows Service Pack? Personally, I spent $0.00, consisting of a $0.00 deposit, 35 easy monthly payments of $0.00, and a final payment of $0.00 to keep it for life.
Windows upgrades (Score:3)
How much did you pay for a Windows Service Pack?
Windows 7 has been nicknamed Windows Vista Service Pack 3 by the press, and Microsoft charges for it. So to answer your question, search for windows 7 upgrade price on Bing or Google.
Re: (Score:2)
MSN (Score:3)
unless you think Microsoft is my ISP
It's possible [wikipedia.org].
Rural Internet with single digit GB/mo (Score:3)
I paid a fractional amount for the bandwidth (we're talking pennies here)
It's pennies for people who live within range of fiber, cable, or DSL. But if you're stuck on satellite or cellular Internet with its single digit GB/mo cap, it's either a $10 per GB download or a drive into town to find a library or coffee shop that will let you bring in your computer and monitor.
Re: (Score:3)
And how often does your application software vendor supply bug and security fixes? I have to pay HUGE amounts to such software companies as Oracle and still end up with buggy, insecure from day zero software.
If you're complaining about paying too much for Oracle stuff, you'll get no sympathy from any of us. It's not like we didn't warn you.
Re: (Score:2)
IANAL. But I've been corrected on this issue by someone who is, and who happened to be my boss at the time.
If you're talking about the UK (my version of "over here") most of the stuff to do with refunds and longer-term fitness for purpose only apply to individual consumers. As long as the Cisco device is supplied in a fit state at purchase time then a purchasing company has no come-back if bugs are revealed later and require a paid fix. And in general, a Cisco router, for example, will route packets as adve
Re:Double standard (Score:4, Insightful)
IANAL. But I've been corrected on this issue by someone who is, and who happened to be my boss at the time.
If you're talking about the UK (my version of "over here") most of the stuff to do with refunds and longer-term fitness for purpose only apply to individual consumers.
The Sale of Goods Act requires the retailer (*not* the manufacturer) to warrant a product for its "reasonable" life expectancy to be free of manufacturing and design defects and fit for purpose. Within the first 6 months the burden of proof is upon the retailer (if they don't want to refund/fix then within the first 6 months they have to prove that there was no defect or that its "reasonable" life expectancy has been exceeded). After the first 6 months the burden of proof is upon the consumer (you prove that there was a defect and that it is within its life expectancy).
No one sane expects a lock to be completely secure, but this sounds like gross negligence (sticking what is effectively a JTAG port on the outside of the door - that isn't an obscure mistake, anyone involved with security who looked at the design and thought it was ok to make a programming port accessible to the outside with no kind of hardware or software security and didn't spot a problem is incompetent), which would fall into the "not fit for purpose" category. And since this defect was clearly there at the time of manufacture, rather than having developed over months/years of use, the case looks quite winnable.
I have often wondered how this applies to software... I think someone once informed me that software was explicitly excluded from the act, although I haven't checked myself. This seems a bit wrong - defects in software are easier to fix than defects in hardware (at least, on a large scale), so it seems more reasonable to ensure they are fixed rather than giving software vendors a free pass.
so far as I know, no-one's ever tried to use "the law" to resist paying for ongoing maintenance fees on computer hardware, or at least nobody's succeeded in such a venture. And again - IANAL.
Maintenance fees usually get you something over and above the law. For example, it might get you a no-questions-asked same-day engineer callout to replace whatever hardware has failed, rather than requiring you to prove that a failure was caused by a defect (possibly involving the courts). Yes, without a maintenance contract, you could probably get that failed motherboard replaced by the retailer, but would it be done immediately and without any hassle, or would you be left without a server for weeks? (This isn't just a case of the vendor being difficult when there is no maintenance contract in place - the vendor may genuinely believe that the problem wasn't caused by a defect, but having a maintenance contract is likely to make them swing the benefit of doubt in your favour).
Really a story? (Score:5, Insightful)
They should act like Kryptonite. (Score:5, Insightful)
Many slashdotters and/or cyclists remember the whole Kryptonite debacle where their locks could be opened with a Bic pen. Kryptonite offered free replacements, with free shipping, without requiring the receipt. They ate a huge cost but saved their company's reputation. People still buy their locks.
This company is making its customers pay for their poor design. They are done.
Re:They should act like Kryptonite. (Score:4, Informative)
I suspect Kryptonite had a bit more markup built into their business model, this sort of recall would likely bankrupt the lock company if they offered it for free which would leave the hotels without replacement parts, or locks for new construction, etc. Remember hotels love standardization and these locks must offer remote programming from the front desk, etc.
Re: (Score:2)
There is a difference here:
Kryptonite: Large number of customers with little knowledge of the issues protecting something cheap with something cheap, this warranty will likely not be taken up en masse assuming the locks aren't already lost or rusting in a shed.
Onity: Relatively small number of customers with large numbers of locks and highly likely to find out about the flaw who also likely pay for maintenance contracts.
You know what? (Score:2)
Fuck your company, I'll go someplace else for my locks. Maybe to a company that knows the LAW when it comes to selling hardware that is FIT FOR PURPOSE!
Re: (Score:2)
Maybe to a company that knows the LAW when it comes to selling hardware that is FIT FOR PURPOSE!
Maybe they are perfectly within the law. In the UK, consumers cannot waive protections given by the Sales of Goods Act, but businesses can. It's not as black and white for businesses as it is with consumers. Exactly which law do you think the lock company should know, and how do you know they're breaking it?
I do agree though - go elsewhere for locks. Even if not contractually or legally obliged to do so, with such a sloppy and blatant design issue, Onity should be picking up the tab. Hopefully the bigger ch
Re:You know what? (Score:5, Informative)
1979 (c. 54) provides:
14 Implied terms about quality or fitness.
(1) Except as provided by this section and section 15 below and subject to any other enactment, there is no implied term about the quality or fitness for any particular purpose of goods supplied under a contract of sale.
(2) Where the seller sells goods in the course of a business, there is an implied term that the goods supplied under the contract are of satisfactory quality.
(2A) For the purposes of this Act, goods are of satisfactory quality if they meet the standard that a reasonable person would regard as satisfactory, taking account of any description of the goods, the price (if relevant) and all the other relevant circumstances.
(2B) For the purposes of this Act, the quality of goods includes their state and condition and the following (among others) are in appropriate cases aspects of the quality of goods—
(a) fitness for all the purposes for which goods of the kind in question are commonly supplied,
(b) appearance and finish,
(c) freedom from minor defects,
(d) safety, and
(e) durability.
(2C) The term implied by subsection (2) above does not extend to any matter making the quality of goods unsatisfactory—
(a) which is specifically drawn to the buyer’s attention before the contract is made,
(b) where the buyer examines the goods before the contract is made, which that examination ought to reveal, or
(c) in the case of a contract for sale by sample, which would have been apparent on a reasonable examination of the sample.
emphases mine.
If a lock is described as a lock, and looks like a lock, is it unreasonable to expect it to perform as such? I don't think so.
If a device is described as a lock and does not in fact perform that function, to the point where intervention is required, then is it unreasonable to assume that the defect is by design? I would say not.
Therefore, the effect of the failure of the product to perform *as advertised* constitutes a material breach of contract, one which should be pursued for restitution and remedy.
DISCLAIMER: IAAL.
Re:You know what? (Score:5, Insightful)
It is common knowledge that locks only keep out honest people.
Corollarily, a lock which allows entry by dishonest people is still a lock.
If it were a mechanical lock with pins and tumblers, it would be defeatable by dishonest people. This lock happens to be electronic, and is also defeatable by dishonest people.
I don't see the difference in the context that you specify.
Re: (Score:2)
Therefore, the effect of the failure of the product to perform *as advertised* constitutes a material breach of contract, one which should be pursued for restitution and remedy.
Absolutely — provided that this term is actually incorporated into the contract, which is the key issue here. (Let's assume that English law applies here.)
Although the term is an "implied term," and thus can exist even if it is not written into a contract (if there is a written contract) or expressly stated as part of the agreement, there's no general principle of law which says that implied terms cannot be excluded. Instead, we have to look to specific laws on this.
For this particular term, sect
Re: (Score:2)
DISCLAIMER: IAAL.
Of course you are. This is blatantly an advertisement for your services against lock makers of the world given how every house in America can be broken into with a lockpick. Does that make it defective by design?
I smell a class action.
Re: (Score:2)
Shopping around may be a good idea for a new set-up, but this has to do with existing hotels.
Replacing the lock means purchasing a complete new set of locks, purchasing a complete new set of key cards and programming equipment, labour cost of replacing all these locks plus probably adaptations to the existing doors and door frames, possibly even the need to replace all the doors because there is no way to fit the new lock in the existing space in a good looking way.
Going with the upgrade option on offer sou
Re: (Score:2)
Security is all about raising the cost of intrusion beyond the value of intrusion; the cost of intrusion for these locks will decrease rapidly as the knowledge of how to build the lock-cracker spreads. At first it will only be people with the time to reproduce the hack; then when one of these is unscrupulous enough to spread this information, it will be enough to be merely proficient with a computer and a soldering iron. Then people will start selling them and anyone who just knows it's possible will be a
Say what? (Score:5, Insightful)
Torx? Obscure? What decade do they think this is?
Re: (Score:2)
Well, insofar, it's not one that I have in my toolbox. That's how obscure and uncommonly used they are.
It's also not one that I couldn't buy at the local hardware shop, if I'd need one.
Re: (Score:2)
Well, insofar, it's not one that I have in my toolbox. That's how obscure and uncommonly used they are.
It's also not one that I couldn't buy at the local hardware shop, if I'd need one.
Yet the standard screwdriver set I keep in one of our overseas offices cost under USD10 and contains 4 different sizes
Re: (Score:2)
You have both a crappy toolbox and a crappy hardware shop.
I have to admit, I'm not exactly sure where my T10 is at the moment, because people keep borrowing it because they're used in all sorts of things. But you can generally find cheap torx sets at the local dollar store and sometimes convenience and gas station stores. No need to even go to a hardware store.
Re: (Score:2)
Torx? Obscure? What decade do they think this is?
Exactly what I was thinking! I picked up one of these nice "100 piece security bit" sets from a local store for $10. Even at Amazon it's only $13 plus shipping.
http://www.amazon.com/Neiko-100-Piece-Security-Bits-Storage/dp/B000O5XDOG [amazon.com]
Product Description
100 pc. Security Bits Set Security bits set contains many of the most common tamper proof type security bit sizes, including tri-wing bits, torx bits, spanner bits, and hex bits. Security bits set contains: 1 - wing nut driver. 1 - magnetic bit holder. 1 - socket bit holder. 1 - 1/4" sq. x 1/4" hex x 1" extension. 1 - 1/4" sq. x 1/4" hex x 2" extension. 3 - clutch bits (# 1, 2 & 3). 3 - torq bits (# 6, 8 & 10). 3 - spline bits (M-5, 6 & 8). 4 - tri-wing bits (# 1, 2, 3 & 4). 4 - square recess bits (# 0, 1, 2 & 3). 4 - spanner bits (# 4, 6, 8 & 10). 6 - metric hex tamper proof bits (2, 2.5, 3, 4, 5 & 6). 6 - SAE hex tamper proof bits (5/64, 3/32, 7/64, 1/8, 9/64 & 5/32). 8 - phillips bits (0, 1, 2{5} & 3). 8 - pozi drive bits (0, 1, 2{5} & 3). 9 - slotted bits (3, 4, 4.5, 5, 5.5, 6, 6.5, 7 & 8). 9 - metric hex bits (1.5, 2, 2.5, 3, 4, 5, 5.5, 6 & 8). 9 - torx bits (T-8, 10, 15, 20, 25, 27, 30, 35 & 40). 9 - torx tamper proof bits (T-8, 10, 15, 20, 25, 27, 30, 35 & 40). 10 - SAE hex bits (1/16, 5/64, 3/32, 7/64, 1/8, 9/64, 5/32, 3/16, 7/32 & 1/4). Set includes plastic storage / carry case.
Torx? Secure? (Score:2)
Torx? Secure? Is this some kind of security through obscurity that this company are obviously so good at?
I've lost count of the number of torx screwdriver sets I have.
Sweet. (Score:5, Funny)
> "as well as more-obscure Torx screws to prevent intruders from
> opening the lock's case and removing the plug"
Because nobody capable and determined enough to rig up the electronic interface for $50 can handle the mental and financial stresses of a $10 Torx set from the hardware store.
"Well, we got the device. Open it up."
"Whoa! What kind of screws are these?"
"Lemme look -- MY GOD, IT'S FULL OF STARS!"
Master key systems can be hacked too (Score:3, Interesting)
I remember reading years ago about Matt Blaze, a security researcher at AT&T Labs-Research who discovered how to create a master key from a key and a lock which is opened by it. His method was a trade secret used by many locksmiths, which pissed them off when he publicised it.
http://it.slashdot.org/story/03/01/23/0359230/att-identifies-widespread-security-hole---in-locks [slashdot.org]
http://www.nytimes.com/2003/01/23/business/many-locks-all-too-easy-to-get-past.html [nytimes.com]
Hotel In room "safe" (Score:5, Informative)
I was staying in Marriott and they have a small in room safe. It's the kind with a digital keypad where you select your own code. I put stuff in there while we went to the pool.
When we got back I guess one of the kids was playing with it and it stopped responding because they pressed too many buttons. So I looked it up online. All I had to do was press "lock" twice to enter supervisor mode then 999999 and it opened the safe bypassing my code.
So don't use those safes for anything real valuable. Next time I have to play around with supervisor mode to see if I can change that password.
Now that's what I call... (Score:5, Funny)
All I had to do was press "lock" twice to enter supervisor mode then 999999 and it opened the safe bypassing my code.
"six-nines" availability!
Re: (Score:2)
*5*
Re: (Score:3)
I was staying in Marriott and they have a small in room safe. It's the kind with a digital keypad where you select your own code. I put stuff in there while we went to the pool.
When we got back I guess one of the kids was playing with it and it stopped responding because they pressed too many buttons. So I looked it up online. All I had to do was press "lock" twice to enter supervisor mode then 999999 and it opened the safe bypassing my code.
So don't use those safes for anything real valuable. Next time I have to play around with supervisor mode to see if I can change that password.
If I'm staying in a dodgy city for a period of time, I spread the risk. £100 and passport copy in the safe, normal wallet and passport on me, and I always keep a credit card in my dirty laundry in the suitcase just in case.
Re: (Score:3)
I forgot. I took a video of it. It's a Safemark safe.
http://youtu.be/UYjJuE7l7VM [youtu.be]
Re: (Score:3)
Additional Information:
It was a Safemark Safe.
It was displaying an error ebar.
I used those to look up the information.
Also sites suggested to try 000000, 123456, 999999 as the supervisor password.
The point I'm making is that hotel maintenance has a supervisor password and most likely it's something very easy to guess or share. I'm not claiming 999999 will unlock everyone.
Not exactly Inconspicuous (Score:2)
In other words I doubt many people would find this to be a practical hack to employ. They'd likely be more succe
Re: (Score:2)
I can remove two security torx screws in five seconds or less with some practice and the right screwdriver. That is a non-fix.
This isn't necessarily the end of the world (Score:2)
The thing about any security issue is you've got to weigh up the cost versus the benefit.
First off: The hotel doesn't really care about the fact your digital camera might have holiday snaps from your once-in-a-lifetime holiday on there. Nor do they care that you brought your laptop (complete with the only photographs you have of your recently-deceased granny) and haven't backed it up lately.
All they care about is "How much is failing to fix this going to cost us? Will it be more than the cost of fixing it?"
Doesn't matter (Score:2)
I don't remember seeing anything in the reports (Score:4, Insightful)
Lock (Score:2)
That hack needs access to a debug/programing interface. Shouldn't that interface have been protected by a _mechanical_ lock in the first place?
Is there any guarantee on the new circuit board? (Score:5, Interesting)
The real question is not whether the lock company should charge for fixing the bug
The real question is whether there is a guarantee that the new circuit board (the upgrade) that the lock company provides is hack proof
Or put it another way ---
Will any e-lock company dare to guarantee that their e-lock for hotel room will be hack-proof?
Of course they won't be (Score:4, Funny)
I can hack any hotel room door.
With an axe.
Re: (Score:2)
Wendy, I'm home [youtube.com]
Re: (Score:3)
http://img200.imageshack.us/img200/336/motivationalposterlockp.jpg [imageshack.us]
Sorry about the imageshack link, but every demotivational website seems to have removed this one. Someone must have gone on a DMCA rampage or something.
Re:Is there any guarantee on the new circuit board (Score:5, Insightful)
Of course not. Nobody has ever guaranteed such a thing, except for shady dealing liars with the worst security of all. Anybody who works in security knows that any system which protects something sufficiently valuable, or is sufficiently widely deployed will eventually come up against some lock pick or safe cracker who has enough intelligence, free time, and interest. It's just a question of how long it takes to happen, and how inconvenient it is when he shows up. Adding such a guarantee would just be a giant banner attracting more interest from such people.
Besides, this isn't software. If the guarantee is disproven, and you have to push out patches, you can't just put them on an FTP server. You have to build physical hardware, ship it out, etc. It would be unreasonable to expect any company to do all of that for free. In some cases a company will do a free, voluntary recall out of pocket for the sake of good PR. But, it's hardly something you can demand.
Re: (Score:2)
Of course not. Nobody has ever guaranteed such a thing, except for shady dealing liars with the worst security of all. Anybody who works in security knows that any system which protects something sufficiently valuable, or is sufficiently widely deployed will eventually come up against some lock pick or safe cracker who has enough intelligence, free time, and interest. It's just a question of how long it takes to happen, and how inconvenient it is when he shows up. Adding such a guarantee would just be a giant banner attracting more interest from such people.
Besides, there's always the social engineering approach to lockpicking, namely holding the person with the key at gunpoint/knifepoint until they open the door. I'm not going to link to the obvious XKCD.
Besides, this isn't software. If the guarantee is disproven, and you have to push out patches, you can't just put them on an FTP server. You have to build physical hardware, ship it out, etc. It would be unreasonable to expect any company to do all of that for free. In some cases a company will do a free, voluntary recall out of pocket for the sake of good PR. But, it's hardly something you can demand.
I imagine there's probably going to be at least one lawsuit out of this, and if it reaches discovery and there's evidence that the lock manufacturer was aware of the flaw and didn't fix it (because it would be too expensive, for instance) then they may wish they'd replaced the circuit board component for free.
Re:Is there any guarantee on the new circuit board (Score:5, Insightful)
If you think about it, this is all common practice. Some bugs in hardware and software NEVER get fixed. Instead new versions are released for sale. That recall fixes happen from time to time is a careful balance of deciding whether the public outcry will result in loss of business.
That said, the locks aren't much more insecure than they were prior to the revelation. It requires tools and expertise to accomplish this feat. It's not like some dumb thief off the street will be any more of a threat than they were before.
The added protection; is it worth the effort? Even if it was free to put out the update is it worth the effort? Tough question. Is it worth the manufacturer updating the design to thwart the new hack? Surely. I think the right choices have been made in this case.
If someone markets a hotel hacking kit with instructions to the public and they somehow get away with it, that might be another matter. But are traditional metal key locks out of style or use in light of lock picking kits? Nope...
Re: (Score:2)
Will any e-lock company dare to guarantee that their e-lock for hotel room will be hack-proof?
And preferably do so at least a few weeks before the next Black Hat convention.
Re:Is there any guarantee on the new circuit board (Score:5, Insightful)
At the worst you can just turn up with a drill and drill straight through the lock if you're really determined to gain entry.
Really, for most locks, and most doors, it's about providing an approximately equal amount of protection from all points of entry. Allowing a subtle entry is considered worse than an obvious entry.
Locks are already generally to the point that you don't try to physically defeat them - you go after the door instead. If you want in and don't care about being obvious, a small sledge will get you into most hotel doors with one whack, ~5 seconds. If the pins are on the outside, you pop those out and remove the door ~30 seconds. Put the pins back in and you have a covert entry.
$50 worth of parts and technical knowledge required is actually a fairly high bar.
Re: (Score:3)
Immediately thought of this:
From Sneakers [youtu.be]
Re: (Score:2)
Re: (Score:3)
A lighter and a bic pen can make a suitable conforming screwdriver for most security bits of appropriate size. For other sizes, other sizes of polycarbonate pens / barrels / rods will do.
Re: (Score:2)
the lock to the safe is usually equally worthless, too bad. better to just stash the stuff under the drawers.
Re: (Score:3)
So, how about cutting wires to the port, and wiring a new port on the other side of the door. Presumably this could be done fairly neatly.
Seems the fundamental flaw is that the access port is on the outside of the door.
The fundamental flaw in your comment is that the port needs to be on the outside of the door so that it can be used in cases where the door cannot otherwise be opened.
Re: (Score:2)
that is why most electronic locks still have physical keys. otherwise how would you open the door when the battery goes dead on the lock? most hotel locks operate off a battery. also what happens if the solenoid that engages the lock breaks? without a physical key, it would be impossible to open the door without breaking the door down.
They really should put the programming ports on the inside.
note: i work with various kinds of electronic locks. however i do not work for a hotel.
Re: (Score:2)
most electronic doors still have physical keys to allow access for when the lock malfunctions. there is no need to put the port on the outside of the door other than laziness.
i work with various kinds of electronic locks. however i do not work for a hotel.