Seems that it's trivial to read the hotel master key code out of the lock and then play it back to open sesame. The idiots who designed this have cost their customers perhaps a billion dollars, because each of the four million hotel room locks installed today will have to be upgraded or replaced.
Bad news: With less than $50 of off-the-shelf hardware and a little bit of programming, it’s possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms.
This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who should be scolded for not disclosing the hack to Onity before going public, there is no easy fix: There isn’t a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed.
But I must say that this sort of attention whoring on Brocious' part is bad juju in the security industry. Hopefully people will remember his name, and refuse to work with him in the future. It's one thing to go public when the vendor blows you off after you report the vulnerability; it's another to not even give them the courtesy of a heads up.
In the meantime, use the slide latch when you're sleeping in a hotel, and don't leave any valuables there when you're not in the room.