At the Black Hat hacker conference in Las Vegas in 2012, a hacker prodigy and budding security researcher presented evidence that up to 10 million hotel key card locks were vulnerable to attack and could be unlocked with a rigged, handheld device. The key card lock company, instead of fixing the problem, tried to ignore it, with rather costly results.
What’s worse is that, 5 years later, millions of these locks still have not been fixed, leaving a lot of unsuspecting travelers in for a shock.
Security Researcher Finds Serious Security Flaw
In 2012, Cody Brocious, a then 24-year-old security researcher, found a rather serious flaw in the design of lock firm Onity’s key card locks, a bug that would affect an estimated 10 million hotel rooms around the world. The flaw he found wasn’t very high-tech, nor did he have to break through firewalls or bypass encryption: Onity locks all come with a port on the bottom, into which hotel staff insert a device called a “portable programmer” in order to see which keys had been used to go in and out, or even which doors’ locks could be opened with master keys. A hacker can use that same port and a device that manipulates the lock into opening itself, gaining access to millions of hotel rooms without any sign of forced entry. As egregious as this sounds, and it is, in Onity’s defense, hacking was not nearly as big a concern when they were designing these locks. That said, one would hope a company takes security very seriously, especially when it makes locks that protect our valuables.
Getting back to Cody Brocious, he started trying to hack Onity locks in the first place because a small start-up and potential competitor of Onity hired him to reverse engineer their locks in order to create a competing product. The start-up ultimately failed, but the work was not fruitless.
While he was doing the reverse engineering, he stumbled upon something remarkable: the encrypted key used by Onity to trigger the unlock mechanism on all of their locks is stored on the locks themselves. This is akin to saying Onity left spare keys under the welcome mats of 10,000,000 hotel rooms and their guests’ possessions. Armed with this important information, Brocious headed to the Black Hat conference and put on a live demonstration at Caesars Palace, where he successfully opened an Onity lock using a crude device he put together from $50 worth of parts. After this successful demonstration, Cody posted the results and all the code required to duplicate it on his website, and this information slowly made the rounds among amateur hackers. Now, normally when a vulnerability is discovered in something as crucial as locks on hotel doors, companies will move to fix it immediately, but only after it is brought to light and they’re forced to do so. There are not many companies out there willing to spend the money to test and refine their own security systems.
Onity was no different in that respect, but they did act differently than the others in another respect: instead of patching this massive security flaw once it was discovered, they basically tried to ignore it. And they nearly got away with it, if it weren’t for one meddling kid. (<--- Scooby Doo reference)
Enter Aaron Cashatt, Stage Right
Aaron Cashatt is not the hero of this story, however. His meddling included building a hand-held device, created with the help of Cody Brocious’ copious notes posted on his website, and robbing an estimated 100 or more hotel rooms without any sign of forced entry. (Cashatt hints that the real number is higher, however.)
He ended up going on an epic hack-a-thon for years, running from the police, and raiding hotel rooms wherever he went. It got so bad that a multi-agency operation called ‘Operation Hotel Ca$h’ was created with the sole purpose of tracking him down.
All the publicity surrounding this finally forced Onity to fix their locks, only they didn’t do a very comprehensive job, instead relying on a cheap fix: they installed plastic plugs to cover the ports at the bottom.
Onity Locks Could Still Be Vulnerable
Although a particular type of Torx screwdriver is required, the bottom panel can still be popped off, and with a little practice this takes a whopping 20 seconds to accomplish. That once again exposes the port, and the unlocking mechanism is once again vulnerable.
Onity was asked about the possibility of a persistent lock vulnerability, and the company responded with, “mechanical solutions have been shipped to all known affected customers, enabling them to implement the security upgrade.”
But when his mother visited Cashatt in jail recently, he asked her which hotel she was staying at. Upon hearing her answer, he gravely warned her, “Don’t leave anything in that room.”