Black Hat hacker gains access to 4 million hotel rooms with Arduino microcontroller
Bad news: With less than $50 of off-the-shelf hardware and a little bit of programming, it’s possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms.
This hack was demonstrated by Cody Brocious, a Mozilla software developer, at the Black Hat security conference in Las Vegas. At risk are four million hotel rooms secured by Onity programmable key card locks. According to Brocious, who should be scolded for not disclosing the hack to Onity before going public, there is no easy fix: There isn’t a firmware upgrade — if hotels want to secure their guests, every single lock will have to be changed.
The hack in its entirety is detailed on Brocious’s website
but in short: At the base of every Onity lock is a small barrel-type DC power socket (just like on your old-school Nokia phone). This socket is used to charge up the lock’s battery, and to program the lock with a the hotel’s “sitecode” — a 32-bit key that identifies the hotel. By plugging an Arduino microcontroller into the DC socket, Brocious found that he could simply read this 32-bit key out of the lock’s memory. No authentication is required — and the key is stored in the same memory location on every Onity lock.
The best bit: By playing this 32-bit code back to the lock… it opens. According to Brocious, it takes just 200 milliseconds to read the sitecode and open the lock. “I plug it in, power it up, and the lock opens,” Brocious says. His current implementation doesn’t work with every lock, and he doesn’t intend to take his work any further, but his slides and research paper make it very clear that Onity locks, rather ironically, lack even the most basic security.
I wish I could say that Brocious spent months on this hack, painstakingly reverse-engineering the Onity lock protocol, but the truth is far more depressing. “With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” says Brocious, in an interview with Forbes. “An intern at the NSA could find this in five minutes.
That is how he justifies his public disclosure of the vulnerability: If security agencies and private militias already have access to millions of hotel rooms, then this is Brocious’s way of forcing Onity to clean up its act. By informing the public, it also means that we can seek out other methods of securing our rooms — such as chain- or dead-locks on the inside of the room.
As for how Onity justifies such a stupendously disgusting lack of security, who knows. Generally, as far as managerial types go, securing a system seems like a frivolous expense — until someone hacks you. In non-high-tech circles, hacks like this are par for the course — usually, a company doesn’t hire a security specialist until after its first high-profile hack. For a company that is tasked with securing millions of humans every night, though, it would’ve been nice if Onity had shown slightly more foresight.