Millions of Hotel Room Locks Found Hackable, Now Who Will Pay for the Fix?
Last month, a developer demonstrated how millions of hotel room locks, which should open only to the appropriate keycard, could be hacked in a relatively easy manner. What Forbes describes as an “epic security bug” is fixable, but the lock maker is being criticized for now charging its customers for the equipment to do so.
Forbes reports that Cody Brocious, using only $50 worth of parts to carry out the break-in, demonstrated at the July Black Hat security conference that Onity locks were not secure. The company has said that by the end of the month it would issue two ways to fix the locks. One of the fixes is more rigorous than the other but comes with a “nominal fee” or “special pricing programs.” Forbes notes that shipping and labor for the lock upgrades would be incurred by the customer as well.
Here is more specifically what Onity said in a statement:
The deployment of this second solution, for HT series locks, will involve replacement of the control board in the lock. For locks that have upgradable control boards, there may be a nominal fee. Shipping, handling and labor costs to install these boards will be the responsibility of the property owner. For locks that do not have upgradable control boards, special pricing programs have been put in place to help reduce the impact to upgrade the older model locks.
Brocious wrote last week in a blog post that while Onity has taken “a step in the right direction,” there are still many issues with both the company’s update and the cost it plans to pass on to customers. First, here are Brocious’ problems with the update itself:
This is not really a security issue, but it is a credibility and honesty issue. I feel it’s very deceptive to say to customers “we are preparing a firmware update” when you really mean that you’re preparing a hardware update. They may be changing the firmware on the lock, but to make use of this, customers are required to replace the whole main circuit board.
At BlackHat, I announced two vulnerabilities: an arbitrary memory read and initial work into their flawed cryptography for key cards. The important thing to keep in mind is that neither of these sit in isolation; the arbitrary memory read happens as part of the protocol between the portable programmer and the lock, and the crypto is flawed between the encoder and the lock.
As such, I cannot imagine a fix for both of these issues which does not consist of replacing not only the lock circuit boards, but that of the portable programmer and the encoder.
Brocious writes that because he hasn’t seen or tested the update, his thoughts on it are “speculation based on my knowledge of their system and the vulnerabilities in question.” Although he hopes his speculation is wrong and that they could fix it in the manner they describe, he says this is “highly doubtful.”
As for the “nominal fee” and other costs that Onity implies will be put on the customer, Brocious writes that from an ethical point of view he believes Onity has a responsibility to its customers to provide them with the fix that ensures the security of the locks:
Even if this were to cost only $5 per lock (between the hardware itself, shipping, and installation), at 4-10 million locks in the wild that means a cost of $20-50MM to the hotel industry as a whole; this will not be insignificant, given that the majority of hotels are small and independently owned and operated.
Brocious assumes, given the cost, some hotels will choose not to update their locks, leaving “customers in danger.”
Who do you think should be responsible for paying for the lock upgrade? Let us know in the comments below.