I can appreciate that hotels now exclusively use key cards to open doors. They can be deactivated if lost and can’t be picked like a traditional lock. Safety is the name of the game here and hotels are the safest place you can be – or so we thought.
Cody Brocious, a software developer at Mozilla, showed off his latest hack at the Black Hat Security Conference in Las Vegas. He has found a way to hack over four million hotel rooms that are locked by Onity programmable key cards. What’s even worse is that the hack only costs a little under $50 in supplies.
So how does this particular hack work? Brocious has identified a 32-bit key that identifies the hotel’s “sitecode.” The worst part is that every Onity lock has this key. By reading the key back to the lock, the lock opens. The hack is so simple that he’s surprised more people haven’t found out about it yet.
Like most hackers, Brocious doesn’t intend people to use this information maliciously. He exposed the security flaw to make Onity change the locks. When an electronic lock can be opened so easily, it’s only a matter of time before something bad happens.
Brocious has created a hypothetical scenario that we hope never happens:
Given the ability to read the complete memory of the lock, it is possible to gain access to the master key card codes. With these — in combination with the sitecode for encryption — it is possible to create master cards which will gain access to locks at the property.
Let’s look at a hypothetical situation:
An attacker uses the beforementioned vulnerabilities to read the memory of the lock Attacker uses the sitecode and master key card codes to generate one or more master cards Attacker uses a master card to enter a room Attacker murders the victim in the room Attacker escapes
During the course of investigation, it’s quite possible that the criminal investigators may look at the audit report for the lock, to see who entered the door at what time. Upon doing so, they will see a specific member of the staff (as the key cards are uniquely identified in the ident field) using a master key card to gain access to the room near the time of death.
Such circumstantial evidence, placing a staff member in the room at the time of death, could be damning in a murder trial, and at least would make that staff member a prime suspect. While other factors (e.g. closed circuit cameras, eyewitnesses, etc) could be used to support the staff member’s case, there’s no way we can know whether or not the audit report is false.
Will this happen? Probably not. It’s all just a hypothetical scenario to get security experts to replace these locks with better ones. If it’s electronic, it can be hacked. I think I’ll stick with my old fashioned keys for now. At least I can protect against lock pickers.[h/t: ExtremeTech]