Hotel Door Lock Vulnerability

The attack only works sometimes, but it does allow access to millions of hotel rooms worldwide that are secured by Onity brand locks. Basically, you can read the unit's key out of the power port on the bottom of the lock, and then feed it back to the lock to authenticate an open command using the same power port.

Posted on August 2, 2012 at 1:08 PM • 22 Comments

Comments

Harvey MacDonaldAugust 2, 2012 1:35 PM

Or you just wait for the cleaning lady to open the room, then walk in like you own the place.

MaxAugust 2, 2012 2:36 PM

The published code only works sometimes.

My understanding is that he found an issue with his implementation of the communication protocol but hasn't bothered to publish the fix.

elizillaAugust 2, 2012 6:16 PM

So, carry some JBWeld and close up that hole when you check in. How often does the hotel have to plug something in to that power port? Once every couple of months? By the time they discover that access is blocked, how would they ever know which guest did it, or even that it was a guest and not some random vandal?

skreidleAugust 2, 2012 8:32 PM

Elizilla: You recommend surreptitiously vandalizing/destroying a lock that probably costs $100-$200 on the off chance someone might try to break in?

StasAugust 3, 2012 12:41 AM

I tend to see hotels as insecure anyway. Thereby I mean, when I am there I use such a lock that the door does not go fully open (http://www.goedkopesloten.nl/storage_articles/DX%20KIERSTANDHOUDER.jpg) and otherwise I use the safe.

Clive RobinsonAugust 3, 2012 1:40 AM

@ elizilla,

How often does the hotel have to plug something in to that power port? Once every couple of months?

More like once every couple of guests/customers.

Nearly all electronic locks used in hotels have some kind of bypass system be it electronic or mechanical. This is because a Hotel's idea of security is almost the oposite of what a guest/customers idea of security is.

Your room door is an autherization control designed to produce the minimum of hinderance to those who are autherized and a very moderate level of deterance to those who are not authorized.

To a hotel the "security threat" of thieves is many many times less than that of guests/customers as it is in most hospitality industries. This is because the biggesst threat to a hotel is a lack of revenue.

A guest/customer who is upset by being awoken by another noisy guest/customer or not being able to get into their room is someone who's business might well go to a rival down the street and discorage others from coming to the hotel with "horror stories" of how they were treated by the hotel and it's staff.

Thus getting a guest who has spent to long at the bar into their room (because they've lost or cannot use their key) before they wake other guests is a very high priority. Like wise those returning to their room to get changed or get a coat or something else from their room so they can go off and enjoy themselves.

So most hotel staff are authorized to open guest looks with the minimum of fuss and delay.

The second biggest threat to a hotels (revenue) security is not having rooms available to accomadate guests/customers so non functioning or broken door locks are not something they want. As we all know from experiance we don't realy know when a battery is going to run down and the device it powers become non functional. It's just the same for the electronic door lock so a "power up" port is provided as standard and this is generaly by using a small discrete connector that is put on the underside of the external lock facia. Usually this connector is somethin like an RJ45 connector which is also a good place to alow fast override to give hotel staff fast access to "assist guests" to keep the "guest experiance" as positive as possible.

Now you have to realise that the door lock does not know and does not need to know what the room number is nore do nearly all the autherised persons. What they need to know is that when the put in a key or plug in any other autherisation device the door will open with the absolute minimum of fuss and preferably zero damage.

When you start looking at "electronic door lock security" in what are virtually zero "traditional security" environments and understand what their actuall purpose is not "security" but to minimize nuisance, you will realise that it's not the physical or electrical design of this lock the manufacturer got wrong. It was the authorization protocol between the lock and the autherization device.

I've seen this particular SNAFU over and over again and I fully expect to see it continue for the foreseeable future because there are currently no ince55555555555555555555555555555555555555555

AC2August 3, 2012 2:14 AM

@Clive

"... for the foreseeable future because there are currently no ince55555555555555555555555555555555555555555"

Malfunctioning keyboard???

Lemme try:

"... for the foreseeable future because there are currently no incentives for hotels or lock manufacturers to focus on the security of guests rather than revenue security for hotels.

This has led to the development of guest-security focussed locks from other companies, which are add-ons to the existing locks. One example from a poster above.

Of course I had developed my own workarounds for electronic door locks back in the 80s using a custom built EMP device (built using components available from any RadioShack). This scrambled the brains of any electornic lock for a sufficient time that it would reset to its default open state on initialisation."

WaelAugust 3, 2012 2:41 AM

@ AC2

Malfunctioning keyboard???
Lemme try: ...

Brilliant :)

Were there Radio Shacks in England back in the 80's?

FirefoxAugust 3, 2012 4:18 AM

What Clive says - with AC2's help - is valid, except for the "threat to hotel's revenue" stuff implying that profit trumps security (maybe he didn't mean that exactly).

As he rightly points out, customers often say they want high security, but in reality, as soon as security gets a tiny bit inconvenient they want to drop it or bypass it.  Try getting a senior vice-president in a non-technical business to memorise and use even one strong password...  It's not about revenue, it's about customers and what they'll put up with.

In most hotels, multiple staff have access to rooms, and unless I trust every one of them I'm not going to leave anything valuable lying about anyway, even before I've considered the risk of guys exploiting lock vulnerabilities.  So for me, this story doesn't change anything.

RickyAugust 3, 2012 5:54 AM

@Wael,

Yes there were Radio Shacks back in the 80s UK, they were known as "Tandy".

Dirk PraetAugust 3, 2012 7:03 AM

@ Max

My understanding is that he found an issue with his implementation of the communication protocol but hasn't bothered to publish the fix.

Which is not really a prerequisite for publishing a vulneraribility. The fact that Brocious didn't bother to inform the vendor first before going public is another thing, especially because a patch/upgrade doesn't seem to be simple. What I liked most about this technique however is that the hardware used reminded me of a young John Connor hacking an ATM in - I believe - Terminator II.

@ Clive

for the foreseeable future because there are currently no ince55555555555555555555555555555555555555555

Every time you do that, I imagine you walking in the street, concentrating on your smartphone, then falling into some construction hole in the pavement you hadn't noticed. Stop scaring me.

martinoAugust 3, 2012 7:19 AM

LOL @ your comment to clive @dirk praet, exactly what I think (or he's laying in bed and drifts of to sleep like I sometimes do while reading some of his more technical posts hehe)

Clive RobinsonAugust 3, 2012 9:29 AM

@ Firefox,

"threat to hotel's revenue" stuff implying that profit trumps security (maybe he didn't mean that exactly).

What I ment is that "they know upsetting their customers/guests" is a revenue losser, and they also know that they have different security metrics.

But the security of their revenue (not their profit if any) is what keeps the hotel in business as amongst other things an employer of people in the local(ish) community and thus in theory as a social good.

That is you could take the view "profit is for shearholders and revenue is for the social good" of employees, suppliers, and associated businesses and is part of "economic churn which is good for the rest of us all be it indirectly through taxation.

The hotel also know that the security of their guests is not just from those unauthorised persons off the street who could in theory do the guests some harm, but also from the guests themselves be it directly (smoking in bed) or indirectly from ill health both of which require quick and easy access for autherized hotel staff and first responders and occur way way more frequently than theft/attacks from unauthorised persons.

If you have ever had to sit through a meeting with large hotel managment on what they want from security products you might at first hearing think they are mad bad and callous, the reality is they are using a risk based methodology and the sort of "security" things you might expect a home owner to list mostly don't make it onto their lists.

For example on a home for home basis how many people have actually been attacked in their home compared to the number of homes that have had fires? Then consider how few home owners fit even smoke detectors as opposed to window locks etc?

As I indicated there is security and then there is security you have to know which security is more important and why...

And yes as some long time readers know I used to design electronic locks for the various parts of the hospitality industry and other organisations with significantly different security requirments.

@ AC2, Dirk, martino,

Yes it was a keyboard hang up yet again.

As for lying in bed I must put my hand up to that on this occassion, I'm back in hospital trying to charm the nurses and others who have my wealfare in their hands including the porters. A short while after the keyboard locked up a very nice young Italian lady (named Anna) came to take me down for a bit of surgery, so I put off correcting the post. Unfortunatly they have decided not to chop bits off today at the last minute due to unfavourable blood work, so I missed lunch :( and I'm here for the weekend and they will re-run Monday morning.

@ Wael,

Yes there were Tandy stores back then, but there was also Radio Spares (RS these days) but you did not need to make anything fancy to open most battery powered electronic locks, a large magnet would do it probably better.

One of the real issues with battery powered locks is taking a CMOS logic output measured in nano/micro watts and converting it to the sizable fraction of a horse power required to pull back the door strike/latch. In most cases they elect not to do this but put in a keyed drive chain between the handle and latch mechanism and activate the keyway with a very very lowpowered transducer such as a small electromagnet. If you know where in the lock facia it is and it's orientation it's fairly easy to place a large magnet such that the transducer gets activated.

This opens not just the door but a large security hole as well... Most locks have a "log" which shows when a door was opened and by whom. But the relity is somewhat different the little micro controler is compleatly oblivious to the door being opened it has no way to tell. All it shows is who was authenticated or when somebody tried to authenticate. Thus a smart thief goes unrecorded if they use a magnet.

Now let us assume you are an insider to the hotel and you want somebody else to "take the wrap" you simply wait for them to come out of the room go out of sight then slip into the room steal something and leave quickly but cautiously and go use your card on another floor way out of the way as an alibi... After a few episodes of doing this you have the person kind of falsely accused by the lock logs without any way to defend themselves whilst you have an alibi provided by the logs...

martinoAugust 3, 2012 12:43 PM

@clive:
I'd not be inclined to try the old switchroo trick as surely the security cameras (where applicable!) Would catch you darting around, eh? ;o)
I've lurked here for a while and only recently started commenting but I knew you were in care so I figured that was a likely scenario (well, not falling asleep but being bed-ridden and drugged or distracted by the staff ;oO)

Hopefully you're well and on your way soon!

WaelAugust 3, 2012 10:35 PM

@ Dirk Praet

for the foreseeable future because there are currently no ince55555555555555555555555555555555555555555
Every time... Stop scaring me.

Every time Clive Robinson does that, I imagine a cute nurse snatching the phone out of his hand. Some time later I hear her voice saying "Oh! Cliiiiiive!"... Just like in a James Bond movie :)

RogerAugust 5, 2012 8:41 AM

@Stas:
"...and otherwise I use the safe."
If you mean the room safe then unfortunately, quite a lot of hotel room safes are just as bad, if not worse. (The concierge safe is usually pretty good at decent hotels, but inconvenient for casual usage.)

Generally the only advantage is that nearly every member of staff can get into your room, but (depending on the hotel's policies) only managers have access to the code or device that overrides the room safe lock. So, it's a lot better than just leaving stuff lying around.

However in terms of resistance to attack, they are mostly poor quality. This will be emphasised in fine print somewhere, that tells you not to keep valuables in the safe, and the hotel accepts no liability if you do.

First, forget any room safe that doesn't have an electronic lock. If it uses a conventional key or a specially shaped card, then any number of previous guests or staff could have copied it. But even the electronic ones usually have only very modest security.

Common problems include:


  • Just as with room doors, many hotels have weak protocols to verify a guest's identity before overriding the safe door, because they don't want to annoy tired, possibly intoxicated guests. The one time I had to ask for an override, the night manager simply assumed that anyone in the room was authorised to access the safe;
  • Just as with electronic hotel doors, safe overrides are secret protocols, not verified by any competent authority, and marketed to organisations that value guest convenience and reliability far above security;

  • In some regions it is apparently common for dishonest managers to ransack safes of rooms occupied by several people such as backpackers. When there are alternative suspects and all are foreigners, the police don't investigate at all;

  • Some have electromechanical overrides that can be tripped by inserting a thin wire through a "secret" hole;
  • Lightweight safe attached to chipboard furniture by woodscrews, so it is easily removed and carried away;

  • Factory default override codes not changed on installation;

  • Lightweight boltwork that can be pried open with a heavy screwdriver or small jemmy;

  • In some shoddy brands, gently wiggling the handle whilst slapping or shaking the safe will cause it to unlock, because the pin that interrupts the boltwork is only pushed forward by a very weak spring;

  • Some Spanish crooks apparently filmed their own safes with a hidden camera when they asked the manager to override it, and thereby obtained the override code;

  • Supposedly some dishonest staff smear a light film of oil or talc on the keypad, so they can later see which numbers are in the combination. However I have never heard a verified account of this rumour.

Personally I rarely travel with anything seriously valuable, and I am happy to use the room safe for most things (maybe not in Spain, which seems to be a hot-bed for room safe theft.) But when I have had to carry confidential documents on company business, I secure a lock box to an immovable object using an alarm cable -- that is, a locking steel cable that sounds an alarm if it is cut or the lock opened without the combination being entered first. (Unfortunately, in nearly every modern hotel room the only reasonably immovable object you can get a cable around, is the loo.)

StasAugust 6, 2012 11:56 PM

@Roger:
Thanks for your comment. I always assumed that most hotels do take responsibility for the safe, but it seems I was wrong in that assumption. Some how, I feel like trying to break the first hotel safe I will encounter on my next journey...

If I may ask this: what makes you more sure about your personal lock box and who will hear the alarm when it goes off?

RogerAugust 8, 2012 7:03 AM

@Stas:
"If I may ask this: what makes you more sure about your personal lock box..."

That's a very good question. To be fair, I don't have any objective assessment of its security, other than my own examination (which I admit is a very poor substitute for formal testing.)

However unlike the room safe, I am fairly confident that it has no (intentional!) overrides, and very confident that no-one in the hotel has privileged access to it. I also expect it to be a surprise to any intruder who has not been specifically following me around and serially breaking in to my hotel rooms. (The housekeeping staff won't know it's there unless they enter at night; during the day papers and box accompany me to the meeting.)

"and who will hear the alarm when it goes off?"

Oh, it's pretty darn loud. Even if you put a couple of pillows over it (which I did when testing it) it's uncomfortable to be nearby. No doubt there are some hotel rooms so sound-proof it wouldn't wake the neighbours, but I can't afford to stay in them. And no, I've never had a false positive.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..