Wednesday, November 28, 2012

Burglars exploit known security flaw in keycard readers

Thieves are apparently exploiting a security hole in a popular hotel keycard reader, one that was reported months ago at the Black Hat Security Conference. At least one thief has been arrested for using a tool that circumvents the security on Onity locks.

A report issued Monday showed how that "theoretical" hack was turned into a real-life theft. Houston police have arrested 27-year-old Matthew Allen Cook and charged him with theft in an earlier break-in at the Hyatt House Galleria. Cook was caught after a laptop he sold to a pawn shop was connected with the burglary.

White Lodging, the franchisee that manages the Houston Hyatt, told Forbes that it believes the doors opened using a device that took advantage of the aforementioned vulnerability in Onity keycard door locks. Researcher Cody Brocious demonstrated the vulnerability at the 2012 Black Hat security conference. Brocious showed how, with a homemade device built for less than $50, he was able to open hotel doors.

Brocious’ gadget spoofs the portable programming device that hotel staffers use to control their Onity locks and set which master keys open which doors. The portable programmer plugs into a DC port on the underside of the locks, and can also open any door, even if the battery in the lock is dead. The hacking tool demonstrated at the conference was not 100 percent reliable, though, and only worked some of the time.

While Onity now has a fix, it requires replacing a circuit board in the reader, which is neither the easiest nor the cheapest thing to do. Since the September report of the break-ins, the Houston Hyatt has resorted to an old-school remedy for the problem: it has plugged the power port with epoxy.

Interestingly enough, reports are that Onity is asking hotels to pay the cost of the replacements, rather than covering the expenses itself. While we can see why they would do that (the bottom line), making hotels pay for the cost of a manufacturer flaw may not be a good PR move.
