Tuesday, July 24, 2012

Hacker says four million hotel keycard locks vulnerable to exploit

It's time for the 2012 Black Hat security conference, and on Tuesday evening, a developer will show hotel and motel travelers that their rooms might not be as safe as they think they are. If you can run your fingers under your keycard lock and find a DC power port, and your lock is manufactured by Onity, that lock is vulnerable.

Cody Brocious, a Mozilla software developer and 24-year-old security researcher, will demo a method that exploits two vulnerabilities in these Onity locks. According to the company, Onity locks are installed on the doors of between four and five million hotel rooms around the world.

Brocious built his unlocker for less than $50, and although it doesn't work 100 percent of the time, when it does work, it only takes seconds. He said, “I plug it in, power it up, and the lock opens.”

As for the unreliability of his method, the locks seem to have some peculiarities. Brocious can open a lock he ordered from Onity every time. In real-world testing, however, his method worked on only one of three locks, and even that success took two attempts, with software tweaking in between.

Brocious’ gadget pretends to be the portable programming device that hotel staffers use to control their locks and set which master keys open which doors. The portable programmer plugs into the aforementioned DC port under the locks, and can also open any door, even if the battery in the lock is dead.

How does his system work? According to Brocious, every Onity lock has memory that is completely exposed to a device plugged into the DC port. There is a cryptographic key necessary to open the lock, but that data is also stored in the lock’s memory. If you know where to find it, you can use it and thus open the door seconds later.

Why, then, the inconsistency? Is it possible there are "little differences" between the locks, perhaps akin to "Android fragmentation"? Brocious has his own explanation.

Brocious believes it's all in the timing. In other words, he thinks the unreliability of his method is a result of timing issues in the communication between his hacked-together device and Onity’s locks.

He said that he doesn't plan on attempting to foolproof his method, although he does plan to release his research and source code on his website following his Black Hat talk.

One can imagine how this hack could be used by authorities - or spies - to break into hotel rooms unnoticed. It's possible the technology has already reached government hands.

Brocious said that his former employer, a startup, sold the IP behind the hack to the Locksmith Institute (LSI) last year for a mere $20,000. LSI is a locksmith training company whose students often include law enforcement officials.

“With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” said Brocious. “An intern at the NSA could find this in five minutes.”

The next time you go to a hotel, you might want to check for that DC power port.
