
Millions of Hotel Room Locks Found Hackable, Now Who Will Pay for the Fix?

Developer Demonstrates Onity Hotel Locks Easily Hacked and Criticizes Company for Charging Customers for Upgrade


Last month, a developer demonstrated how millions of hotel room locks, which should open only to the appropriate keycard, could be hacked in a relatively easy manner. What Forbes describes as an “epic security bug” is fixable, but the lock maker is being criticized for now charging its customers for the equipment to do so.

Forbes reports that Cody Brocious, using only $50 worth of parts to complete the break-in, demonstrated at the July Black Hat security conference that Onity locks were not secure. The company has said that by the end of the month it would issue two ways to fix the locks. One of the fixes is more rigorous than the other but comes with a “nominal fee” or “special pricing programs.” Forbes notes that the customer would also bear the shipping and labor costs for the lock upgrades.

Here is more specifically what Onity said in a statement:

The deployment of this second solution, for HT series locks, will involve replacement of the control board in the lock. For locks that have upgradable control boards, there may be a nominal fee. Shipping, handling and labor costs to install these boards will be the responsibility of the property owner. For locks that do not have upgradable control boards, special pricing programs have been put in place to help reduce the impact to upgrade the older model locks.

Brocious wrote last week in a blog post that while Onity has taken “a step in the right direction,” there are still many issues with both the company’s update and the cost it plans to direct toward customers. First, here are Brocious’ problems with the update itself:

This is not really a security issue, but it is a credibility and honesty issue. I feel it’s very deceptive to say to customers “we are preparing a firmware update” when you really mean that you’re preparing a hardware update. They may be changing the firmware on the lock, but to make use of this, customers are required to replace the whole main circuit board.

[...]

At BlackHat, I announced two vulnerabilities: an arbitrary memory read and initial work into their flawed cryptography for key cards. The important thing to keep in mind is that neither of these sit in isolation; the arbitrary memory read happens as part of the protocol between the portable programmer and the lock, and the crypto is flawed between the encoder and the lock.

As such, I cannot imagine a fix for both of these issues which does not consist of replacing not only the lock circuit boards, but that of the portable programmer and the encoder.

Brocious writes that because he hasn’t seen or tested the update, his thoughts on it are “speculation based on my knowledge of their system and the vulnerabilities in question.” Although he hopes his speculation is wrong and that they could fix it in the manner they describe, he says this is “highly doubtful.”

As for the “nominal fee” and other costs that Onity implies will be put on the customer, Brocious writes that from an ethical point of view he believes Onity has a responsibility to its customers to provide them with the fix that ensures security of the locks:

Even if this were to cost only $5 per lock (between the hardware itself, shipping, and installation), at 4-10 million locks in the wild that means a cost of $20-50MM to the hotel industry as a whole; this will not be insignificant, given that the majority of hotels are small and independently owned and operated.

Brocious assumes, given the cost, some hotels will choose not to update their locks, leaving “customers in danger.”

Who do you think should be responsible for paying for the lock upgrade? Let us know in the comments below.

(H/T: Gizmodo)

Comments (31)

  • lainer51
    Posted on August 20, 2012 at 8:53pm

    a picture of dopey was-a-man schultz would keep ALL hackers at bay!!!!!!!!

  • blackyb
    Posted on August 20, 2012 at 5:21pm

    Why do you think so many politicians are compromised?

  • riseandshine
    Posted on August 20, 2012 at 5:04pm

    At least we can feel good about electronic voting.

  • term limits for congress
    Posted on August 20, 2012 at 4:50pm

    The electronic locks still beat the old-fashioned physical key, which served us well for 100's of years. The electronic lock cannot unlock the dead bolt and, of course, there is the manual latch on the inside of the room.

    If the lock is over 10 years old, the hotel should pay.
    If the lock is 5 – 10 years old, the cost should be split.
    If the lock is less than 5 years old, the manufacturer should pay.

    • Midwest Blonde
      Posted on August 21, 2012 at 12:25am

      As a hotel employee, I can tell you that the dead bolt – if it is part of the whole lock/doorknob system – CAN be unlocked with the master management key. This is for the purpose of entering a room for emergencies only – in 4 years, I’ve only seen it used once. The chain was also on the door, and the rescue squad (as in ambulance/fire crew) used bolt cutters to cut the chain. (The guest was having a heart attack, was able to call the front desk for an ambulance but unable to get to the door to unlock it.)
    • Midwest Blonde
      Posted on August 21, 2012 at 12:25am

      as a side note, the locks in our hotel are the same the story is about – Onity.

  • Rum Runner
    Posted on August 20, 2012 at 4:37pm

    Awesome!!! I guess I’m staying at Encore from now on!!! Bye-bye Motel 6.

    • lukerw
      Posted on August 20, 2012 at 4:50pm

      Any Key can be Copied… any Password can be Hacked. Whatever humans make… can be destroyed by humans!

    • Wolfgang the Gray
      Posted on August 20, 2012 at 5:45pm

      That’s why my pistol sleeps on the night stand next to my bed whenever I’m in a hotel. Another great gadget is either the floor wedge alarm that goes off when the door is opened, or the capacitance alarm that hangs on the inside door handle and goes off when someone grabs the door on the other side.
  • Kimo9
    Posted on August 20, 2012 at 4:30pm

    Of course the lock maker should pay for it — they made a defective product. If I was a hotel owner and Onity was going to charge me to fix their screw up, I would switch companies even though it would cost a lot more.

  • Kimo9
    Posted on August 20, 2012 at 4:27pm

    Add your comments

  • pavnvet
    Posted on August 20, 2012 at 4:21pm

    I can see it now on my next hotel bill…security lock upgrade fee. $1.50. Let’s face it, just like a tax, the consumer is the one that will ultimately pay for this through higher room rates because the hotel paid for the upgrade or the lock company is raising their prices to hotels in general.

  • ZAP
    Posted on August 20, 2012 at 3:46pm

    Lock company can get money off Obama. Then the taxpayer will pay, as rightfully so……
  • HotFixIt
    Posted on August 20, 2012 at 3:44pm

    NO matter what lock you come up with.. someone will figure out how to pick it! Just give them time. These locks were probably considered safe enough initially but technology advances over time as do the thieves’ level of ability to overcome them…… build a better mousetrap… we get smarter mice.
  • KevINtampa
    Posted on August 20, 2012 at 3:44pm

    The hotels/motels should absorb the costs. Buyer beware. Those who buy snake oil are the ones responsible for buying snake oil. Of course, the people renting the rooms will ultimately pay for it, but they will be the ones paying ultimately anyways; unless of course a government program pays or subsidizes the costs which means even those who don’t use the locks will overpay for it.

    • Bobj_1960
      Posted on August 20, 2012 at 5:43pm

      How is buying a defective product the same as snake oil? If car makers put out a defective product they are responsible for having the fix applied. Manufacturer is responsible for the products they produce.

  • billrow
    Posted on August 20, 2012 at 3:19pm

    If the company doesn’t fix their product, they will probably be sued.
    The bad publicity for charging customers for fixing these locks will probably put them out of business.

  • Nervous Investor
    Posted on August 20, 2012 at 3:13pm

    Tripe. When one buys a regular Key Lock and then learns that skilled people are able to pick the lock with simple tools …. is one entitled to a refund from the Lock Manufacturer? Of course not! So this “digital” locking system is hackable by an expert hacker with some tools ….. so what? There is nothing DIGITAL that cannot be hacked. I may not be able to do it but there are experts out there that can …. and do ….. hack all sorts of secure systems ……. This is NOT a sensible news item at all.
  • woodyee
    Posted on August 20, 2012 at 3:04pm

    They sell a defective product and then want to charge for the fix?

    Time to find another supplier is
    JMHO.

  • Darmok and Jalad at Tanagra
    Posted on August 20, 2012 at 3:03pm

    Great, not only do I have to worry about bed bugs, dirty sheets, and the bathroom being disinfected, now I can catch a “Virus” or lose my identity through the door lock. What’s next, my light bulb becoming self-aware and killing me, oh, that’s right, the bulbs do contain mercury.
  • TommyGuns
    Posted on August 20, 2012 at 3:03pm

    Dumb question Blaze! It’s all about ‘caveat emptor’ – let the buyer beware. The hotels or the other facilities should have done some due diligence before installing the locks in the first place. Conversely, there is an implied warranty of merchantability – that the mechanism is reasonably fit for its purpose. That would likely make the manufacturer and/or the contractor who installed the locks liable for the replacement or upgrading/repair. Now that the problem is widely known, I’d think the proprietors of the facilities using the locks would have an obligation to repair or replace them unless they want to be held liable for losses by people who reasonably relied on the locks as security for their possessions.
  • Big Media Bias
    Posted on August 20, 2012 at 3:02pm

    Prostitutes and Johns should be held accountable…. Spitzer needs to pay up.

  • lukerw
    Posted on August 20, 2012 at 2:54pm

    FREEDOM or SECURITY… you cannot have Both… unless you are a FREE and have a GUN!

    • progressiveslayer
      Posted on August 20, 2012 at 3:04pm

      Americans have willingly given up their civil liberties to be ‘secure’ ie TSA DHS and I’m sure there’s many more alphabet agencies keeping us ‘safe’ at the expense of our liberty. As you point out if you’re armed you have a measure of security, as to our freedom we’re not really all that free, it’s just an illusion.
    • lukerw
      Posted on August 20, 2012 at 3:10pm

      @
      We cannot PREVENT any Attack… We can only DEFEND!

  • progressiveslayer
    Posted on August 20, 2012 at 2:52pm

    The company that produced the locks should stand behind their product, if they don’t then maybe their competitor can gain new customers.
    • JRook
      Posted on August 20, 2012 at 3:01pm

      Perhaps unless of course the locks met the hotel company specifications. Most hotels are either directly or through franchise arrangements controlled by large hotel companies. They have intelligent IT and security people who established the specifications and can test these locks. As far as “Brocious assumes, given the cost, some hotels will choose not to update their locks, leaving ‘customers in danger.’” It is a classic case of whether profits will win over safety and security.
    • progressiveslayer
      Posted on August 20, 2012 at 3:21pm

      It could be that Onity’s quality control isn’t up to par if they have a lock that’s so easily hacked, someone at the company dropped the ball here.
  • Radiant.Simplicity
    Posted on August 20, 2012 at 2:51pm

    100% the lock company should incur the cost of repairing/replacing the locks. They are solely responsible for the faulty product and highly liable for injuries/theft resulting from the faulty locks.
