Arduino, resistor, and barrel plug lay waste to millions of hotel locks

The security flaws on this common hotel keycard lock are nothing short of face-palmingly stupid. Look closely at the picture above. This is a hotel room door swinging open. The device he holds in his hand is an Arduino connected to the OUTSIDE portion of the door lock. It takes approximately 200 milliseconds from the time an attacker plugs the device in, until the door can be opened. Yes, in less than 1/4 of one second an Arduino can open any of the millions of these locks in service.

The exploit in Onity programmable keycard locks was revealed by [Cody Brocious] at the Blackhat conference. Apparently the DC barrel jack on the outside of the lock serves as a one-wire protocol interface. Once communications are established, a 32-bit sitecode can be read from any of the locks and immediately used to open the door. There is no authentication or encryption in place to hinder this kind of attack. To make matters worse, you can even read out master key and skeleton key codes. These codes facilitate ‘magic’ keys used to open a variety of different doors through the system.

We’re no strangers to easy hotel break-ins. But how can a digital lock possibly be sold with this type of vulnerability present? Really!?

Here’s the white paper on the exploit as well as the slides from his talk (PDF).

[via Reddit]

Comments

  1. mjrippe says:

    Amazing. Scary. Stupid. Yes he should have contacted Onity first, but this is an unimaginable oversight on their part.

    • charles says:

      The reasoning behind the lack of traditional responsible disclosure is because too many people have been sued into silence over the years long before the error can be made public. If you care about the problem being solved, a little shame is in order.

      For the record this guy could only do it in one out of four tries when put on the spot. That being said, it is not refined and other card systems are even worse.

      • Anon says:

        Correction: one in three (not one in four). The reason it’s not 100% is due to how he wrote the transmit function.

        If you read his documentation, you will find the debugger is not the only bypass he found. He also posted up the crypto used on the magstripe cards. Considering almost all these locks are master keyed (some hotels have a master for every floor, while others use a master for all the floors). With the encryption algorithm all you need is a card reader/writer to gain full access to every floor.

  2. Fritoeata says:

    My HK will prove as a 99.99% secure room, however. (0.01% may be caused by current BAC levels).

  3. Dave says:

    I’d say “use the safe in the closet”, but those are easier to get into than these doors.

  4. addidis says:

    Nothing is secure. Security is an allusion. Even locks with keys can be picked in a matter of seconds. Sometimes you just jam your credit card between the door and the jam and you dont even have to touch the lock at all. Perhaps its because i know how to pick locks but it surprises me more that people are surprised by this , then that the exploit was found.

    • TheJBW says:

      What is security an allusion to? The fragility of man’s soul? The thin veneer of trustworthiness that humanity puts forward?

      • addidis says:

        If the worst I do is their/there allusion/illusion I think I’m doing well. But thanks for noticing. Now you have to wonder if I do that intentionally just to get a rise out of grammar nazis.

      • They live by a code, and it's usually SMPTE says:

        Ah, yes, “Incorrect Use of a Homonym” – to a grammar nazi, this is the equivalent of flying the stars and bars at an Obama Rally.

        As a former “But I was only following grammar!” survivor, I should point out that he made those comments not to embarrass you, but to basically salute with a hearty “HH” on behalf of other party members.

        Some of us care – the ones who fear that sloppy language implies a sloppy mind. There will be a strong overlap with the arduino-hating crowd, but we were all raised in a culture where these shibboleths mattered.

        Some of us don’t care – because we can decode what you wrote into what you meant to say, and there will never be enough time to go back and fix (often decades old) bugs in other people’s network code.

        Naturally, I am of both minds.

    • Dave says:

      No, you didn’t do it intentionally. Nice job trying to save face though.

    • Bill Mars says:

      Security is not an illusion, just because it doesn’t work every time doesn’t mean it isn’t security. For example, if I have a safe with a glass relocker you could prevent someone from drilling your safe, it won’t stop everyone (ie. if you have the drill points for the safe) but it will stop most common attackers and thus it is security. Security is the degree of resistance to, or protection from, harm (there is no guarantee). Don’t say security is an illusion, that is like saying you shouldn’t even try.

  5. KMPDigital says:

    It’s the same thinking as having a lock on a glass door.

    • M4CGYV3R says:

      Except this doesn’t break anything or leave glaringly obvious evidence of forced entry.

    • g2-8ed267748447e610153a4f183a51b3e6 says:

      They installed glass doors on the offices at my previous job. The first couple of weeks, workers kept locking themselves inside their offices, and we had to open the doors _from the outside_ to get them out.

      Go figure.

  6. bunedoggle says:

    Possible counter measures?

    Something across the barrel plug hole to detect if someone has tried to use it to gain access.

    Super glue in the hole to plug it up. (destructive, I know).

    Or perhaps a small piece of tin foil in the hole. That would short out the communication but may not be detectable. Presumably there’s a blocking diode to keep from shorting the internal battery.

  7. bemis says:

    I’ll be honest… this doesn’t really bother me that much.

    I don’t leave valuables in a hotel room when I’m not in it, because I’ve always assumed that theft by employee is just as likely as something like this (if not more so).

    When I am in the room I lock that little swinging lock that they all have.

  8. wardy says:

    A barrel plug for charging and programming? So it’s a Dallas 1-Wire bus or something similar?

  9. Destate9 says:

    First of all, nice shirt, very appropriate. Second of all, THIS IS AWESOME! If I saw a barrel plug, I would associate it with power, and not give it a second thought. But I’m glad Cody took the time to investigate. Badass hack

  10. Giles says:

    All it takes is a few “special” locks with the interface ports wired to the mains. Once word gets out that will deter many of the potential exploiters :p

    • charles says:

      That would be illegal under booby trap laws. But it does bring up the pertinent counterpoint.

      When somebody that has time on their hands wants in somewhere and can’t find a way to break the security mechanism, the rational thing to do is to repeatedly break it in a plausibly natural way. Eventually the people in charge will either give up spending tons of money and not fix it or put in a new system. Either way is a new window to attempt an exploit.

      Happens with employees all the time wanting to take a smoke break outside the ‘Emergency Exit Only’ door.

  11. Trollics says:

    I have a lock on my screen door. A determined 5 year old could get through it. One day I locked myself out of my house, I grabbed the door handle and my 240 pound 6’3″ muscled self gave a gentle push and I was inside. I barely made a sound and the door really wouldn’t have slowed me down; I could have made it look like I was walking into an unlocked door to a casual observer (except for the splintered wood). This was a standard front door sold in frame by the millions at lowes and home despot. To me a locked door is just something to keep honest people honest. Now to me a trap door on the other side of the door open to a steel cage in the basement (with suitable padding to cushion the fall) would be better security.

  12. whizbo says:

    I guess I always figured these were powered through the door hinge or something like that. Why have I never seen them charging these? What hour of the day can they wire up all the doors in a hallway without causing a bomb scare?

    • Drake says:

      When they are cleaning

    • draeath says:

      It’s not for power. They have standard alkaline batteries (non-rechargeable) in a compartment, usually on the inside (secured side) of the door.

      The ones with electronic strikes or magnetic locks that are usually hooked up to a building security system (HID cards, etc) are usually powered though (through the hinge). AFAIK they have battery backup and cache authorized users in case of power failures though.

    • Eirinn says:

      As someone else commented they probably have replaceable batteries on the other side. The barrel jack is, imo, to emergency power the device if the batteries run flat so you can still get in.

  13. Rich says:

    The real security comes when the battery in the door set dies, and the guy needs about 30min to get into the thing. Apparently they do not have external power/opening capability.

  14. Alex says:

    When I was in the states we did a lot of staying in Motel 6’s, who use a lock similar to this extensively. One of the motels had a lock die on us; the mag stripe reader refused to work with all our stuff in the room. The owner had to come up and, after changing the 4x AA cells (which can be done from the outside), she plugged in a black box via a 6 pin mini DIN connector on the bottom and sent it some data which opened the door. I assume the same data the mag stripe would have provided, though this makes me think otherwise. Scary stuff.

  15. NewCommentor1283 says:

    either i smell a HUGE party or…

    a prank involving EVERY door becoming unlocked, then fried (while open for legal reasons)

    … or just a huge party, will need sound deadening material or a stereo volume limit to avoid arousing suspicion XD

  16. Stephen Smith says:

    What about Kaba Ilco keycard locks?

  17. Kris Schneider says:

    What I want to know is, where can I get one of those shirts?

  18. Galane says:

    I bet that when changing the batteries the person doing it is supposed to plug a power source into the jack so the lock doesn’t lose its memory.

    What I’ve experienced many times with these locks is sudden failures of cards to work, requiring them to be re-written.

    The common excuse the front desk people give is that cellphones corrupt the cards. I don’t keep my hotel key cards anywhere near my phone so that’s a BS argument.

    As demonstrated on a Mythbusters episode it requires at minimum a 700 gauss magnetic field in contact with the card, in motion relative to the card, to scramble the programming.

    I’ve never had a credit card or any other magstripe card get scrambled, only hotel key cards, which I keep in my wallet with the other cards.

    • saul_goode says:

      It’s because the hotel key cards are constantly being rewritten with new information.

      It’s the same as any other magnetic storage medium. Cassette, VHS or 3.5 inch floppy disks all wear out and become less reliable each time new data is layered on top of old data.

      Same thing essentially happens to flash drives and solid-state hard drives today. Heavier the use, shorter the life.

    • Michael says:

      The magnetic clasp on purses and phone cases will remove the information on a hotel key. A cell phone will not damage a key. The only information on a hotel key is a code to open the door, when the key was made and by which device. The most information about you found on the key would be your first or last name, or just identify you as “Guest”. It has a time that the key will stop working. If you extend your stay, get new keys. In a lot of cases, two keys are made for you and if they are not made as a duplicate, the second key in the door will cancel the first.

      • Charlie Barrett says:

        Yes, plus even the OPEN-TOP leather pouch included with my old Blackberry Curve also has a magnet in it – no clasp, just a magnet.

        The Blackberry senses it’s in the pouch by proximity to the magnet, which locks the keyboard to prevent “butt dialing”.

  19. daqq says:

    So I guess I’ll be staying at Kempinski after all!

  20. t&p says:

    You know you can buy a little black box with the computer that goes with these kinds of locks, and you could reprogram every lock that uses these with the door number 666 without any password. Hell, if you get a programmed black box you can reset the password.
    I work at a hotel. These locks fuck up all the time where I have to do this.

    • KG4MXV says:

      I average over 100 motel stays a year.
      I never leave anything of value in the room when I am not there.
      If they want my dirty socks and underwear, have at it.

      I always set the deadlatch and security chain or bolt when I am in the room.
      I have had the front desk make a mistake and give keys to a guest that is checking in,
      and had people walk in when I was asleep.

    • The Geekiest Guy says:

      This post is showing one of the ways the “black box” you’re talking about works; this is the “mode” the box is most likely set to to program these particular locks. And in this case it only costs us less than fifty bucks to do, not the $300-$10,000 bucks these big companies are charging for an FPGA, or Arduino with a basic 1-Wire protocol running as a serial programmer…
      If you have access to one of these programmers you should do some sniffing and see if you can make a low cost Arduino clone like this, but for more locks of course.
      Good luck man.

  21. Fallingwater says:

    Hotel locks are really only meant as discouragement; anyone truly intentioned to get into your room will, if nothing else by social-engineering (or just pickpocketing) the universal key from the cleaning staff.

    As for safes, they have a universal unlock code that the staff knows. A long time ago, during a cruise, my mom locked her stuff in our room’s safe and promptly forgot the code. The guy who came up to unlock it proceeded to enter a really long string of numbers in an attempt to make us believe the secret code was made of thirty numbers or so. It was a particularly pathetic attempt, as the safe beeped its “HA HA NO” error code every few keys, but the dude kept going. In the end, after a small but conspicuous pause (I assume he was trying to remember the actual code), he entered six keys. The safe opened. I, having watched the entire procedure, now knew the magic numbers to open every safe in the ship. And this was in the Costa Classica, back then the most luxurious ship of Costa Cruises. I can only think the least luxurious has a rickety wooden cabinet with “SAEF” scribbled on it with a permanent marker.

  22. cplamb says:

    One time I discovered, much to my surprise, that my hotel key card readily unlocked another room’s door. I exited the elevator on the wrong floor and was surprised when I opened the door of the room in the same location on the floor as mine and someone else’s stuff was in the room. It took me about 15 seconds to realize what had happened.

  23. Ryan Vasquez says:

    I knew the details would be on hack a day :)

  24. Ragnar says:

    The three letter agencies needed easy access, so they got it, there is really nothing more to it.

  25. ct0 says:

    Two-factor authentication would and could prevent this in the future.

    a key swipe at the front desk approves use of key on specific floor.

  26. earlz says:

    Once, a long time ago when I was 13, I discovered my mom somehow had a skeleton key to our local post office. I had forgotten our box number, and tried the wrong one and had mail from someone else. I ended up opening 4 or 5 different boxes until finding my mother’s name on the mail. Also, she definitely was not supposed to have a skeleton key. She didn’t work there or anything. I kind of think that probably everyone had a skeleton key in the post office’s ignorance.

  27. PJ Allen says:

    Now it’s in the news.
    It couldn’t happen here they said.

    http://www.bbc.co.uk/news/technology-20507908

  28. Charlie Barrett says:

    Wow, what a dumb security flaw. I suppose when the lock was designed, the manufacturers thought they could keep the protocol a secret. The dummies shoulda known better.

    I bought a little pistol safe that has a random “master” keycode, which lets you into the safe, and add more combinations. The master keycode is stamped in the instructions, which I locked away.

    Then about 2 years later, I noticed that the “serial number” sticker on the bottom of the safe was actually the same as the master keycode! $%^@@^%^#)(!!!
