Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Hotel Keycard Lock Hacker Questions Firmware Fix

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat

(click image for larger view and for slideshow)

The demonstration of a real-world hardware security flaw in hotel room keycard locks at this year's Black Hat information security conference in Las Vegas saw guests literally reaching for their deadbolts.

Last month, security engineer Cody Brocious demonstrated his attack against hotel locks made by Onity, which commands 50% of the hotel lock market, comprising somewhere between 4 million and 10 million locks. The attack capitalized on two flaws involving Onity's hotel keycard locks: Their memory could be arbitrarily accessed by an attacker, and the related communications data wasn't encrypted. As a result, once someone such as Brocious reverse-engineered the underlying communications protocol, they could trick the keycard lock into opening itself, using a bit of programming and $40 in parts available via sparkfun.com or Radio Shack.

"This isn't something complex; the vulnerability itself is very, very simple," Brocious said in an interview at Black Hat. "The only thing preventing people from finding this ... was that [Onity] used simple obfuscation. And it's very possible that someone malicious may have used this in the past--it wouldn't surprise me in the least."

In a statement released earlier this month, Onity told customers that it was working on fixes for the "alleged vulnerability" demonstrated by Brocious. "Onity understands the hacking methods to be unreliable, and complex to implement," according to the statement. "However to alleviate any concerns, we are developing a firmware upgrade for the affected lock-type. The upgrade will be made available after thorough testing to address any potential security concerns that you may have."

[ Don't get your life hacked. See 5 Ways To Solve The Password Reset Problem. ]

According to Onity's statement, the company is preparing two fixes. First, for its HT series locks, it's going to offer--free of charge, and beginning later this month--a mechanical cap, which can be inserted into the data-port plug on the lock and secured with a TORX screw. "This will prevent a device emulating a portable programmer from hacking the lock," said the company--referring to a programming device that can be used on the hotel locks themselves, as Brocious had done--unless the attacker takes time to partially disassemble the lock and remove the cap.

That patch earned plaudits from Brocious. "This--as much as it is security-through-obscurity--is actually a great temporary fix," he said in a blog post. "Don't get me wrong, it will not take long at all to open the panel and use an opening device to pop the lock open, but it will raise the bar and make it more likely that the attacker is caught in the process."

The second fix, meanwhile, involves a firmware upgrade for Onity's ADVANCE locks, when possible, or else replacing the chip that stores the firmware, for HT series locks. "Shipping, handling, and labor costs to install these boards will be the responsibility of the property owner," said Onity, which said it may also charge a "nominal fee" for the firmware upgrade. Customers can instead purchase new locks outright, and Onity said it's put "special pricing programs ... in place to help reduce the impact to upgrade the older model locks."

But the hardware-replacement program isn't really a firmware update, per se. "This is equivalent to Apple telling customers 'we're releasing a software solution for this issue,' and then going on to say that they're doing it by replacing your laptop's motherboard," he said.

In addition, Brocious noted that the two vulnerabilities he found--an arbitrary memory read, and nonexistent cryptography--likely couldn't be fixed by just replacing firmware. "Neither of these [flaws] sit in isolation; the arbitrary memory read happens as part of the protocol between the portable programmer and the lock, and the crypto is flawed between the encoder and the lock," he said. Truly fixing the memory-read issue would require altering the protocol to encrypt all communications. But doing so then would make existing keycard encoders and portable programmers incompatible with the keycard locks.

Since Onity isn't replacing all three of those types of devices, Brocious suggested that the company's fix may be "shifting data around in memory or something along those lines, which would serve to break existing opening devices but not hold up to even the slightest scrutiny," since the communication protocol could again be reverse-engineered.

Accordingly, he called for an independent security audit of Onity's proposed hotel lock firmware fix. "It's simply the only way to know that they aren't releasing another horribly vulnerable product onto the market," Brocious said.