Wednesday, November 28, 2012

Hotel Room locks not secure

I posted a couple months ago about how some security researchers demonstrated that they could open hotel room electronic locks.  That was a proof of concept exploit, but it looks like this is being done in the wild:
Whoever robbed Janet Wolf’s hotel room did his work discreetly.

When Wolf returned to the Hyatt in Houston’s Galleria district last September and found her Toshiba laptop stolen, there was no sign of a forced door or a picked lock. Suspicions about the housekeeping staff were soon ruled out, too—-Wolf says the hotel management used a device to read the memory of the keycard lock and told her that none of the maids’ keys had been used while she was away.

Two days after the break-in, a letter from hotel management confirmed the answer: The room’s lock hadn’t been picked, and hadn’t been opened with any key. Instead, it had been hacked with a digital tool that effortlessly triggered its opening mechanism in seconds. The burglary, one of a string of similar thefts that hit the Hyatt in September, was a real-world case of a theoretical intrusion technique researchers had warned about months earlier—one that may still be effective on hundreds of thousands or millions of locks protecting hotel rooms around the world.
You should assume that your lock is insecure.  When you are in the room you should engage the deadbolt and the door chain/bar.  When you leave, you should take valuables like computers and jewelry, leaving them in the car trunk.

The manufacturer of these locks is looking to get some stormy weather.  Not only was there no thought given to the security of the devices, but the "fix" offered their hotel customers is to replace all the locks.


Miguel said...

You really do not need a semi sophisticated electronic device. A piece of metal and fishing line will defeat any Hotel Lock out there right now.

The Czar of Muscovy said...

Most of the hotel security market relies on a product called SafLok, which is a reverse access control system. In a typical system, the reader gets the card's ID, and sends it to a centralized computer to verify the credentials. In a SafLok system, the card is programmed to tell the reader to open the door.

As a result of there being no centralized system, you have to audit the individual door lock to see if a door was accessed at a given time. And then, you don't know who did it.

Getting a SafLok system to reveal its numbers is quite easy: you just need to spoof the reader to get some valid sequences. This is a problem with SafLok systems going back as far as the 1990s. With millions installed, it's not going to go away. Follow BorePatch's advice. Your hotel room is NEVER locked.

Mr.B said...

Actually, that is not true. Many hotel locks are significantly more secure than Onity locks. Onity is the brand of lock referred to in the article. they were cheap, and many properties used them for that reason. This vulnerability has been known in the motel industry for several years.

Most hotel locks use a keycard that is keyed to the individual motel's code (typically 8-12 digits) then the room (and possibly section) number, then the keycard has an expiry date (and sometimes time). Ilco locks are, at this time, extremely secure, even their older systems. Once the lock is programmed, there is (generally) no communications back to any central database to determine if any keycard is valid, only the information contained on the keycard is communicated to the lock, and that is via the keycard.

Onity locks have a easily accessible data port that allows hackers to open the lock without a keycard. (and no record of the opening taking place)

But in any hotel, you have many people with access to your rooms. Bellboys have a master, most managers do as well, the maids have masters, as do security guards and maintenance personnel.

Sadly, most hotel management is very lax about the control of all these master keycards. They are lost or stolen with little accountability.

So yes, you should expect that your room will be opened. and unsecure. Treat your personal security accordingly. Never leave valuables in your room, even in a hotel safe.

Demosthenes Locke said...

There's a story running around about a guy who built the hack tool into a dry erase marker.