Lock Out: the Austrian Hotel That Was Hacked Four Times (bbc.com) 53
AmiMoJo shares a BBC report: Christoph Brandstatter is managing director of the four-star Seehotel, Jagerwirt, in Austria's Alps. His hotel's electronic door locks and other systems were hacked for ransom four times, between December 2016 and January 2017. "We got a ransomware mail which was hidden in a bill from Telekom Austria." His hotel's door keys became unusable after he clicked on a link to his bill. So was his hard drive. "Actually, as a small business you do not really think that anybody's interested in you for hacking, so we had no plan what to do," he recalls. He paid a ransom of two bitcoins, saying "at that time it was about $1,882." He has now installed firewalls and new antivirus software, and has trained his staff to recognise phishing emails that may seem genuine but actually contain malware. And he's moved back to traditional metal keys.
get doors offline idiots! (Score:2)
all who want everything they have online, for no or trivial reasons, are asking for it. feel no sympathy for such idiots.
Re: (Score:2)
Agreed. Way too many things are becoming "smart" just for the same of it, but with almost no real increased utility.
Why do I need my meat thermometer to be WiFi connected?!? Worse yet, why is it unusable without a connection. WTF?
Re: (Score:3)
Re: (Score:2)
You are right on this. The simple concept of attack surface is the issue here. Offline, it takes physical access to a reader (which can be done), or physical access to the hotel network or the admin PC. Online, anyone in the world can attack it. Offline, police are relatively excellent at finding traces of a physical intruder and nailing them, while online, unless the person is extremely sloppy or they ticked off someone with enough money to hunt them down, they won't get caught.
Physical security device
Re: (Score:2)
Re: (Score:2)
The doors weren't online, the computer that was writing to the keys was online. That should have been offline too, but whatever.
All the hotels I've been to lately have what seems to be a standalone machine that programs the keys. Or are those hooked up to computers as well?
Re: (Score:1)
Most systems are interfaced to the hotel's property management system. This is generally by serial, but now systems are IP based. The newer card encoders are also IP based. The workstations that are running the encoders and the key database should be dedicated workstations, but these are usually networked for support and management. Some vendors are better than others, the ones that don't let use join these to our domain cause the most issues because we loose the ability have have these centrally manage
Re: (Score:2)
Because non-electronic doors are worse. With electronic door, you kill the key if it isn't turned in, and they can't get back into the room. With a physical key, you can trivially make a copy which will allow you access later- when someone else is renting the room. Electronic keys are safer for guests.
Re: (Score:2)
Both mechanical and electronic locks have good and bad points. A good mechanical system, if done by a locksmith who knows what they are doing with software to allow for proper keying, a lock mechanism that is reasonably high security [1] and allows a ton different keys, and quick responsiveness (if a guest leaves with a key, change the lock.) If this is done, the lock mechanism can be simple, yet very secure. I remember one place where when you closed the door, it threw the deadbolt, which was easily ope
Re: (Score:2)
The guest doesn't need to leave with the key, they just need to make a copy. Are you going to change the lock between every 2 customers? No? Then electronics are more secure, for hotels (homes/businesses are a different set of problems).
Re: (Score:2)
If entering a hotel room that isn't the one you're renting is your goal, the average electronic lock is more dear to you than the average mechanical one. Mostly because you don't even have to remake a key. All you really need in most cases is a strong magnet and knowing a thing or two about the lock.
Re: (Score:2)
Re: (Score:2)
You think they have computers. No. They have computer. Singular. They have one computer handling the door keys, the room booking, the emails and most likely the bookkeeping, too.
Why would you assume that a small hotel would have more than one computer?
Magnets! (Score:2)
Many electronic locks contain an old school relay. These can almost all be opened by putting a good strong magnet it the right spot.
Hotels should keep a supply of rare earth magnets, as backup keys.
Re: (Score:3)
Re: (Score:2)
Most actually aren't powered - they've got a pack of AA batteries in the back (facing inside the room) that powers the whole unlock mechanism. Presumably they send a signal back to the key controller if the batteries start to run low so guests don't encounter a lock that doesn't work.
That way the cable that runs to each door is just a low voltage signalling cable that's incapable of carrying enough power for all the door l
Re:Magnets! (Score:4, Funny)
That's a good idea but... how do they fucking work?
Re: (Score:3)
Many electronic locks contain an old school relay. These can almost all be opened by putting a good strong magnet it the right spot.
Hotels should keep a supply of rare earth magnets, as backup keys.
I once demonstrated this to a hotel staff member who couldn't get into the room next door. The irony was that I was staying at the hotel because there was a lock manufacturer's conference downstairs and half the people in the hotel were capable of bypassing the locks. I suspect the hotel member couldn't get in the door because the occupant had disabled the electronic lock. Spend a few hours with an electronic lock in a fixture on your desk and a screwdriver and you will learn how secure they are.
Perhaps he should try ... (Score:3)
Re: (Score:2)
In all likelihood, he only has no extra computer to spare. The Lock system is also booking, and email, and ....
Bet that 2 Bitcoin ransom was about the cost of a new system that he was trying to no buy.
"Good IT is expensive, bad IT is costly"
Re: (Score:1)
He should have brought the two Raspberry Pi Zero Ws instead. Maybe there could be a small business technology user association of sorts that would collaborative create solutions for problems, architectures and use cases for the "real-world" users like farmers, hotel and shop owners and the like.
Re: (Score:2)
And you will go and make a system that the average computer illiterate can use? Because that's what you're dealing with here.
You can rest assured that some clever markedroid sold him this system for lots of Euros and he bought it because it was one of the few where he actually understood at least the basic concept of how it works. Unless you have some neatly designed plastic boxes that house those RasPis so they don't look like scary computer stuff, he won't touch them.
Re: (Score:2)
So, he didn't even have a firewall BEFORE?!?!?! That's your problem right there.
Uh, go with another Telecom company then? (Score:1)
If the telecom company is so incompetent that they managed to send out bills with viruses, it's probably time to find another telecom company... OR if you are too incompetent to tell the difference between a legitimate telecom bill and a virus, you probably shouldn't have doors on the internet.
Re: (Score:2)
If it seems to be coming from the same email address as usual, the text of the email is the same as usual, the filename of the PDF is the same as usual... why would he be incompetent?
Do you check the raw email log of EVERY SINGLE EMAIL that is sent to you?
Because you paid the ransom (Score:3)
He paid a ransom of two bitcoins, saying "at that time it was about $1,882."
There's your mistake. Once your hack results in profit, it's easier to keep a 'customer' than find new ones
just wait for some to copy the metal key and some (Score:2)
just wait for some to copy the metal key and some bad to happen.
Re:Javascript to the rescue again! (Score:4)
Re: (Score:2)
Some banks seem to see JavaScript as a security enhancement. My banks both use the same off the shelf web interface, and it asks you for numbers from a secret code when you log in. That page maxes your CPU and responds very slowly to input, because of some JavaScript that is trying to break key loggers and browser exploits.
Fortunately it works with JavaScript disabled.
Just in case I'm the only one keeping track . . . (Score:3)
Are we done now berating him? (Score:5, Interesting)
I happen to know this case. And I happen to know security in hotels in general, and even in some in Austria in particular. Here's the problem, you're cordially invited to provide a solution.
You're dealing with people that are total computer illiterates. And I mean total. They maybe learned a thing or two about using them, they might even have managed to navigate an ECDL [wikipedia.org] course which is basically a glorified way of saying "I can turn on a computer without it instantly exploding", but their expertise and actual training is in something completely different. Many of them actually do not like computers AT ALL. They much prefer dealing with people, else they would not have chosen that occupation.
These people are now chronically understaffed, overworked and stressed. They're supposed to greet people, hand them their keys, do bills, handle the phone and of course email. And no, simply hiring more people isn't possible, there are no more people you could hire. We're talking about a highly seasonal business where there are either too many or too few people available, hence no more want to go into the profession while at the same time during season you can't get anyone. Not even for obscene amounts of money.
On top of all this, you're dealing with ... how do I put this nicely... a rather mafia-like system in place that keeps the number of companies that could actually offer solutions low. Most hotel software is crap. And most hotels would gladly choose something else, if they could. But for some odd reason those systems that are offered can be offered surprisingly cheap (it MIGHT have to do with some semi-public agencies (an Austrian concept, don't ask) that curiously prefer to fund and subsidize those products), while you would certainly not qualify for such subsidies. The cynic in me would add "at least 'til you find the right politician to pay the kickback to", but no, there is no corruption in Europe. None at all. Maybe in Italy, Spain and Greece, but certainly not in the "good" states in central Europe.
So, now you have the basics in, let the rest sink in too. Like a fluctuation that's CRAZY. Average tenure of your workers is measured in weeks. Months if you're lucky. Training them is money you throw into the chimney, for the benefit of whoever they work for next. So if you think that you could raise awareness and give your workers an idea what to look for, ponder whether you'll still have that receptionist after the season is over. There is zero security awareness among your workers.
Then the fact that you pretty much HAVE TO open every email you get, and that crappy spelling is something that doesn't faze you anymore because you're dealing with people from all over the planet, many of them wanting to boast just how well they speak your language when they actually don't. Some of them required to actually send you attachments for legal reasons, with the oddest formats you will ever encounter. In other words, the chance that some viewer for an esoteric format is installed and WAY out of date because nobody had a minute of time to update it in the past 3 months is likely.
The situation is not easy and I was actually involved in a similar case where pretty much every solution we came up with ended up being shot down for one of these reasons (and some more, but I don't want to bore you more than necessary). Hotels are rather complicated beasts to secure. Twice so in Austria with its very ... special circumstances, legal oddities and seasonal requirements.