Last month, a developer demonstrated how millions of hotel room locks, which should open only to the appropriate keycard, could be hacked in a relatively easy manner. What Forbes describes as an "epic security bug" is fixable, but the lock maker is being criticized for now charging its customers for the equipment to do so.
Forbes reports that Cody Brocious, with only $50 worth of parts to complete the break-in, demonstrated at the July Black Hat security conference that Onity locks were not secure. The company has said it would be issuing by the end of the month two ways to fix the locks. One of the fixes is more rigorous than the other but comes with a "nominal fee" or "special pricing programs." Forbes notes shipping and labor for the lock upgrades would be incurred by the customer as well.
Here is more specifically what Onity said in a statement:
The deployment of this second solution, for HT series locks, will involve replacement of the control board in the lock. For locks that have upgradable control boards, there may be a nominal fee. Shipping, handling and labor costs to install these boards will be the responsibility of the property owner. For locks that do not have upgradable control boards, special pricing programs have been put in place to help reduce the impact to upgrade the older model locks.
Brocious wrote last week in a blog post that while Onity has taken "a step in the right direction," there are still many issues with both the company's update and the cost it plans to direct toward customers. First, here are Brocious' problems with the update itself:
This is not really a security issue, but it is a credibility and honesty issue. I feel it's very deceptive to say to customers "we are preparing a firmware update" when you really mean that you're preparing a hardware update. They may be changing the firmware on the lock, but to make use of this, customers are required to replace the whole main circuit board.
At BlackHat, I announced two vulnerabilities: an arbitrary memory read and initial work into their flawed cryptography for key cards. The important thing to keep in mind is that neither of these sit in isolation; the arbitrary memory read happens as part of the protocol between the portable programmer and the lock, and the crypto is flawed between the encoder and the lock.
As such, I cannot imagine a fix for both of these issues which does not consist of replacing not only the lock circuit boards, but that of the portable programmer and the encoder.
Brocious writes that because he hasn't seen or tested the update, his thoughts on it are "speculation based on my knowledge of their system and the vulnerabilities in question." Although he hopes his speculation is wrong and that they could fix it in the manner they describe, he says this is "highly doubtful."
As for the "nominal fee" and other costs that Onity implies will be put on the customer, Brocious writes that from an ethical point of view he believes Onity has a responsibility to its customers to provide them with the fix that ensures security of the locks:
Even if this were to cost only $5 per lock (between the hardware itself, shipping, and installation), at 4-10 million locks in the wild that means a cost of $20-50MM to the hotel industry as a whole; this will not be insignificant, given that the majority of hotels are small and independently owned and operated.
Brocious assumes, given the cost, some hotels will choose not to update their locks, leaving "customers in danger."
Who do you think should be responsible for paying for the lock upgrade? Let us know in the comments below.