Wednesday, July 25, 2012

Security: it wasn't an afterthought

It wasn't thought of at all:

Bad news: With less than $50 of off-the-shelf hardware and a little bit of programming, it’s possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms.

This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who should be scolded for not disclosing the hack to Onity before going public, there is no easy fix: There isn’t a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed.
Seems that it's trivial to read the Hotel master key code out of the lock and then play it back to open sesame.  The idiots who designed this have cost their customers perhaps a billion dollars, because each of the four million hotel room locks installed today will have to be upgraded or replaced.

But I must say that this sort of attention whoring on Brocious' part is bad juju in the security industry.  Hopefully people will remember his name, and refuse to work with him in the future.  It's one thing to go public when the vendor blows you off after you report the vulnerability, it's another to not even give them the courtesy of a heads up.

In the meantime, use the slide latch when you're sleeping in a hotel, and don't leave any valuables there when you're not in the room.

8 comments:

Anonymous said...

You don't need this device as a recent robbery in my wonderful city showed. About half the residents of a mid range hotel left their doors unlocked or had them propped open. The thieves helped themselves. The hotel guests blamed the management for this lapse in security.

Richard Blaine said...

Yikes - I'd call it a design flaw but it sounds more like a lack of design flaw.

And Yikes on Brocious too - Not cool. Good that he found it. But it's much better to make it public when it's already been fixed. Does he think the word won't get out to people who will use the hole?

kx59 said...

This happened with Knox boxes about ten years ago. Some guy posted an IRL hack for a particular Knox box which negated analog security for many many buildings in this country.
Knox box? A little "safe" that holds the master keys to your building, for which the fire department has the knox box key.
...so they don't use the universal key (fireman's axe) to open your $20,000 custom ceramic frit tempered glass entry doors.

R.K. Brumbelow said...

Richard, someone already posted the vector, not the theory, the whole shebang inc hardware in at least 4 forums. I did think it was funny to see it on /. before astalavista though.

Ken said...

Slide latch and a rubber door wedge, less than $2 just about any old place. I pack one when I travel.

Donulld said...

I agree with the idea of responsible disclosure, however with the number of court ordered injunctions against researchers at previous Black Hat and DefCon conferences, I can understand his "surprise" presentation.

Borepatch said...

Donulld, I can understand that point of view. IIRC, it was Black Hat 2005 where Cisco had one session's materials ripped out of the conference notes. I was at Cisco then, and we were all horrified at that decision.

Chitown said...

I also remember the cash machine hack was delayed a year to give the company time to fix the vulnerability.