Holidaymakers may want to check out the key card lock on the outside of their hotel room door, as their room could be easily accessed by a hacker. According to Mozilla software developer and security researcher Cody Brocious (24), all it takes is some cheap hardware and a few hacker tricks to gain access to some hotel rooms. This is due to a DC power port found on the underside of the key card lock outside the doors.
Brocious presented the vulnerabilities he found in hotel room locks at the Black Hat security conference on Tuesday. The vulnerabilities were discovered in locks made by Onity, whose devices are installed on doors for some four or five million hotel rooms around the world. The developer/researcher used an open-source hardware gadget built for under $50, which he inserted into the DC port underneath the key card lock. He could sometimes open the lock in a matter of seconds.
The trick worked every time on the opening mechanism in a standard Onity lock he ordered online. The results were more mixed for three Onity locks installed on doors at franchise and independent hotels in New York. Still, his ability to open one out of the three locks without a key suggests flaws in the security architecture of Onity locks. He says he plans to release his research on the matter in a paper and source code on his website, potentially allowing others to perfect his methods.
Brocious discovered the flaws while working as the chief technology officer for Unified Platform Management Corporation (UPM), which tried to compete with bigger players in the industry by creating a universal front end system that used common lock technologies. He was hired to reverse engineer hotel locks, and his first target was Onity. The discoveries were completely unintentional.
He says the vulnerabilities arise from the fact that the memory of each lock is completely exposed to whatever device tries to read it via the DC port. The locks have cryptographic keys that are required to trigger the open mechanism, but that key data is also stored in the memory of the lock. This is kind of like hiding a spare key under the mat at a door. He says that, given how simple it is to hack the key card lock, it wouldn’t surprise him if thousands of others have found this same vulnerability already and sold it to other governments. An NSA intern could discover it in five minutes, he noted.
Indeed, he’s certainly not the first to know about the trick. UPM sold the intellectual property responsible for the hack to the Locksmith Institute (LSI), a training company, for $20,000. Its students may already be able to open Onity locks at will. Other than that, Brocious has kept his findings quiet until now. He never even contacted Onity or parent company United Technologies Corporation to notify them about the security flaws. He says this was because there isn’t much the company can do about it, as just installing new firmware won’t fix the problem. The company will have to install new circuit boards in each affected lock, which will be a logistical nightmare.
Brocious added that he doesn’t want to delay revealing this any longer, and he doesn’t see any way to mitigate this on Onity’s part. The best way to help hotels, he says, is to educate them about it, not to go through Onity to fix the problem or to delay getting the information out there. Hotels need to develop a plan to install more secure locks.