Unique Security Products and Specialty Locksmith Services

Locks210.com - St Louis Locksmiths for Greater St Louis Missouri
'Securing America - One Door At A Time' 314 266 1533
'Keep It Yours... Lock Your Doors!'

August 24, 2012

Hacker Beats The World's Most Prolific Hotel Room Door Lock


We found out about this exploit about a month ago, but were reluctant to post about it here because the company had not been informed of the fault in their product that allowed this simple hack to occur. We have since heard that Onity have produced a fix for the locks; however, existing lock owners are required to purchase and install complete new hardware.
Cody Brocious estimates there are 4 million Onity HT locks worldwide


What's the password?
If, during your next hotel stay, you're met with a lock on your door like that pictured above, it's time for a conversation with management. This is an Onity HT series lock. Cody Brocious claims that the company has sold 10 million of its various locks to hoteliers, accounting for half of all locks worldwide, and appearing in one in three hotels. Described by Onity as its "flagship product," the HT series lock is its big seller: Brocious reckons there are 4 million HT series locks out there. Why does this matter? It matters because on July 24, Brocious took to the stage at the Black Hat conference in Las Vegas to demonstrate how to unlock one in a matter of milliseconds using gear you and I can buy off the shelf from RadioShack for under 50 bucks.
The problem is this. Each HT series lock includes a DC charger port on its underside. This is used by hotel staff not only to recharge the lock's batteries, but also to program the lock with the hotel's unique 32-bit sitecode. With a self-programmed Arduino board, a 5.6 k pull-up resistor, and a DC connector, you have the gear you need to talk to the lock. Obviously it's not as simple as sending an "Open Sesame" message to the lock—not quite, anyway. For that you'd need to know the 32-bit sitecode. How do you get the sitecode? Turns out you just ask the lock for it.
"Given an address, the lock will send back 16 bytes of memory from that point," Brocious explained on a slide from his July 24 presentation, entitled My Arduino Can Beat Up Your Hotel Room Lock. And it transpires that the sitecode is stored at the same memory address on every single lock. No authentication is required to retrieve it. Bewilderingly, unlocking the door is as simple as feeding the sitecode back to the lock. Once your home-brew device is connected, Brocious claims the whole process of reading the memory to unlocking the door takes just 200 ms. Given access to spare key cards, the technique can also be used to program duplicate keys.

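The design flaw described above, modelled as an added example (this is not Brocious's code and not the lock's real protocol). It contrasts a port that serves unauthenticated memory reads with one that keeps the secret unreadable and opens only on a challenge-response; the address, sitecode, key and the `HardenedPort` design are constructed assumptions.

```python
import hashlib
import hmac
import secrets

SITECODE_ADDR = 0x0100                 # constructed; not the real memory layout
SITECODE = bytes.fromhex("a1b2c3d4")   # constructed 32-bit sitecode
KEY = bytes(range(32))                 # constructed key for the hardened model

class FlawedPort:
    """The design the article describes: anyone on the port may read memory,
    and presenting the stored sitecode is the only check before opening."""
    def __init__(self, sitecode):
        self.mem = bytearray(512)
        self.mem[SITECODE_ADDR:SITECODE_ADDR + 4] = sitecode
    def read(self, addr):
        return bytes(self.mem[addr:addr + 16])   # 16 bytes, no authentication
    def open(self, sitecode):
        stored = bytes(self.mem[SITECODE_ADDR:SITECODE_ADDR + 4])
        return hmac.compare_digest(sitecode, stored)

class HardenedPort:
    """Assumed alternative: the secret is not readable from the port, and
    opening needs an HMAC over a fresh nonce, so the key never crosses the wire."""
    def __init__(self, key):
        self._key, self._nonce = key, None
    def read(self, addr):
        raise PermissionError("secret memory is not readable from the port")
    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce
    def open(self, response):
        nonce, self._nonce = self._nonce, None   # each nonce is single-use
        if nonce is None:
            return False
        return hmac.compare_digest(response, answer(self._key, nonce))

def answer(key, nonce):
    """Response the legitimate programming device computes from its key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def opens_without_secret(port):
    """What a device with no prior knowledge of the site can achieve."""
    try:
        leaked = port.read(SITECODE_ADDR)[:4]
    except PermissionError:
        return False
    return port.open(leaked)
```

In the flawed model the value that authorises opening is the same value the port hands out on request; in the hardened model a recorded response is useless against the next nonce.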
Practical magic

In practice, the process may not be quite as easy as it sounds. Forbes' Andy Greenberg accompanied Brocious to some New York hotels and found that, of the three locks tested, Brocious was only able to open one (on the second attempt, having jiggered with his software). But one in three is still an unacceptably high success rate, though the few hotels tested are insufficient to draw broader conclusions. The exercise does at least demonstrate that the technique isn't 100 percent reliable—at least not as the research stood at the time.
Though Brocious has stated he does not intend to refine the technique, he has released the paper presented at Black Hat, and made his source code available through his website. At the time of writing, the dedicated IRC channel set up for further research had 25 members (all idling), discounting obvious pseudonyms. Brocious told Forbes that, with refinement, he believes the technique could be used to open a significantly higher proportion of locks.

With great power...

To many, Brocious's work is loaded with ethical questions, but what is beyond dispute is that Brocious has merely exploited and publicized a security flaw that is inherent to the HT series lock. He did not create the security flaw. And Brocious has clearly wrestled with the dilemma of whether and how to release his findings.
"The decision to make this information public has not been an easy one," Brocious writes in his paper. "While it's unlikely we'll ever know for sure, we must suspect that concerns were raised inside of Onity about these issues, given the ten-plus years that these locks have been in development and on the market. However, after much consideration it was decided that the potential short-term effects of this disclosure are outweighed by the long-term damage that could be done to hotels and the general public if the information was held by a select few."
In his presentation, Brocious suggested possible fixes to the vulnerability, but asserted that a physical replacement of all lock circuitboards would be necessary, as well as replacement of the front desk equipment. "The biggest impediment to mitigation is that the locks are not upgradeable," he said.

A case of impOnity?

On July 25, Onity put out a statement that attempted to downplay the issue, apparently contradicting Brocious's assertion that a hardware intervention is necessary. "Onity understands the hacking methods to be unreliable, and complex to implement," it said. "However to alleviate any concerns, we are developing a firmware upgrade for the affected lock-type."
On August 13, Onity issued a new statement (both can be read through that link) offering to send out physical caps to hotels with HT series locks. "To further enhance the security of this fix, we will also supply a security TORX screw with each mechanical cap to further secure the battery cover in the lock," the new statement said. Effective, so long as the would-be intruder forgot to add a Torx screwdriver to their shopping list. These caps will be ready for shipping by the end of the month, Onity claims.
In addition to the physical fix, Onity is also offering to replace the control boards of locks as well as shipping a firmware update. Onity says there will be a "nominal fee" for the control boards, but that's before shipping, handling and labor: three costs which the company says hotels must pay. And the fix only works for upgradable locks. Older locks must be replaced outright, again at the hotel's expense. In essence, though, Brocious was right. Hardware upgrades are required to fix the problem.

Contrition? Not so much

Remarkably, neither of Onity's statements shows a hint of compunction. Arguably more worrying for a security firm: there's no recommendation that clients take up the offer of fixes. "If you are interested in pursuing this solution…" is about as close as it gets.
It's worth reiterating the potential scale of the problem. Assuming the figure of 4 million affected locks is accurate, that's 4 million potentially vulnerable hotel rooms. Even if we assume only half of those rooms are typically occupied, and those that are by a maximum of one resident at a time (staying on average 1.6 nights), that equates to 37.5 million travelers affected in the last 30 days alone.
The role of technology in the security sector is fundamental, but despite the rapid technological progress, one thing has remained constant: the importance of trust. Whether hoteliers wising up to the fact that they've bought what could be called a flawed security system will be willing to trust the supplier of said equipment for a fix… well, that remains to be seen.
Source: Cody Brocious, via Forbes

(source...) we found this article at Gizmag and copied it in full from there.


