Photo by Luca Predellini via Flickr Creative Commons
Forbes reports that a potential security flaw affecting millions of hotel room locks will be revealed Tuesday at a security conference.
Cody Brocious, a 24-year-old security researcher, intends to present a pair of vulnerabilities at the Black Hat security conference. He found them in Onity locks, keycard readers installed on four to five million hotel room doors worldwide.
Quieter than a spare key shoved in a fake rock and hurled through a kitchen window, access to countless hotel rooms could be tracelessly available to anyone with a few hacker tricks and low-cost hardware up their sleeve. Through the DC port on the underside of the reader, Brocious can open a lock, though inconsistently, in a matter of seconds using a device he built for less than $50.
The system’s vulnerability arises, Brocious says, from the fact that every lock’s memory is entirely exposed to whatever device attempts to read it through that port.
Though each lock has a cryptographic key that’s required to trigger its “open” mechanism, that string of data is also stored in the lock’s memory, like a spare key hidden under the welcome mat. So it can be immediately accessed by Brocious’s own spoofed portable device and used to open the door a fraction of a second later.
Though imperfect, Brocious’s research suggests real compromises to Onity lock security. He intends to release his findings via his website following the talk. Though he doesn’t plan to continue developing the trespass tchotchke, he believes someone else easily could. And someone may have already. Last year, the intellectual property behind Brocious’s hack was sold to a locksmith company that trains law enforcement.
"With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments," says Brocious. "An intern at the NSA could find this in five minutes."
Weak encryption that allows for the creation of multiple keys is another potential security issue, though a lower risk than a lock buster. The flaws were discovered unintentionally, says the hacker, while reverse-engineering devices for a failed startup that wanted into the hotel lock industry.