Arduino, resistor, and barrel plug lay waste to millions of hotel locks

The security flaws on this common hotel keycard lock are nothing short of face-palmingly stupid. Look closely at the picture above. This is a hotel room door swinging open. The device he holds in his hand is an Arduino connected to the OUTSIDE portion of the door lock. It takes approximately 200 milliseconds from the time an attacker plugs the device in until the door can be opened. Yes, in less than 1/4 of one second an Arduino can open any of the millions of these locks in service.

The exploit in Onity programmable keycard locks was revealed by [Cody Brocious] at the Blackhat conference. Apparently the DC barrel jack on the outside of the lock serves as a one-wire protocol interface. Once communications are established, a 32-bit sitecode can be read from any of the locks and immediately used to open the door. There is no authentication or encryption in place to prevent this kind of attack. To make matters worse, you can even read out master key and skeleton key codes. These codes facilitate ‘magic’ keys used to open a variety of different doors throughout the system.
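As an added illustration (not code from the article, and not Onity's actual protocol), here is a Python model of the design flaw described above: a programming port that answers a read request with the very sitecode that opens the door, beside a challenge-response port where the secret never leaves the lock. The class names, the HMAC scheme and the sample sitecode are assumptions made for the model.

```python
import hashlib
import hmac
import os

class LegacyLock:
    """Flawed model: the programming port returns the 32-bit sitecode that
    also opens the door, with no authentication or encryption."""
    def __init__(self, sitecode: int):
        self._sitecode = sitecode & 0xFFFFFFFF
    def port_read_sitecode(self) -> int:
        return self._sitecode  # anyone on the port gets the secret
    def open(self, presented: int) -> bool:
        return presented == self._sitecode

class ChallengeResponseLock:
    """Hardened model: the key never leaves the lock; the port issues a fresh
    nonce and only accepts an HMAC over it computed with the key."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None  # outstanding nonce, single use
    def port_read_secret(self):
        raise PermissionError("secret is not readable over the port")
    def challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending
    def open(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        nonce, self._pending = self._pending, None  # consume the nonce
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def legacy_read_then_replay(sitecode: int = 0x1234ABCD) -> bool:
    """Read the sitecode over the port and present it straight back (constructed value)."""
    lock = LegacyLock(sitecode)
    return lock.open(lock.port_read_sitecode())

def hardened_outcomes(key: bytes = b"constructed-demo-key") -> dict:
    """Port read is refused, a keyed response opens, a replay does not."""
    lock = ChallengeResponseLock(key)
    try:
        lock.port_read_secret()
        readable = True
    except PermissionError:
        readable = False
    nonce = lock.challenge()
    good = hmac.new(key, nonce, hashlib.sha256).digest()
    return {"secret_readable": readable, "authorised": lock.open(good),
            "replayed": lock.open(good)}
```

The second model still needs per-lock keys and rate limiting on the port to be a real design; the point is only that reading the lock must never yield what opens it.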

We’re no strangers to easy hotel break-ins. But how can a digital lock possibly be sold with this type of vulnerability present? Really!?

Here’s the white paper on the exploit as well as the slides from his talk (PDF).

[via Reddit]

62 thoughts on “Arduino, resistor, and barrel plug lay waste to millions of hotel locks”

  1. Amazing. Scary. Stupid. Yes he should have contacted Onity first, but this is an unimaginable oversight on their part.

    1. The reason for the lack of traditional responsible disclosure is that too many people have been sued into silence over the years long before the error can be made public. If you care about the problem being solved, a little shame is in order.

      For the record this guy could only do it in one out of four tries when put on the spot. That being said, it is not refined and other card systems are even worse.

      1. Correction: one in three (not one in four). The reason it’s not 100% is due to how he wrote the transmit function.

        If you read his documentation, you will find the debugger is not the only bypass he found. He also posted the crypto used on the magstripe cards. Consider that almost all these locks are master keyed (some hotels have a master for every floor, while others use a master for all the floors). With the encryption algorithm, all you need is a card reader/writer to gain full access to every floor.

  2. Nothing is secure. Security is an allusion. Even locks with keys can be picked in a matter of seconds. Sometimes you just jam your credit card between the door and the jamb and you don’t even have to touch the lock at all. Perhaps it’s because I know how to pick locks, but it surprises me more that people are surprised by this than that the exploit was found.

    1. What is security an allusion to? The fragility of man’s soul? The thin veneer of trustworthiness that humanity puts forward?

      1. If the worst I do is their/there allusion/illusion I think I’m doing well. But thanks for noticing. Now you have to wonder if I do that intentionally just to get a rise out of grammar nazis.

      2. Ah, yes, “Incorrect Use of a Homonym” – to a grammar nazi, this is the equivalent of flying the stars and bars at an Obama Rally.

        As a former “But I was only following grammar!” survivor, I should point out that he made those comments not to embarrass you, but to basically salute with a hearty “HH” on behalf of other party members.

        Some of us care – the ones who fear that sloppy language implies a sloppy mind. There will be a strong overlap with the arduino-hating crowd, but we were all raised in a culture where these shibboleths mattered.

        Some of us don’t care – because we can decode what you wrote into what you meant to say, and there will never be enough time to go back and fix (often decades old) bugs in other people’s network code.

        Naturally, I am of both minds.

    2. Security is not an illusion; just because it doesn’t work every time doesn’t mean it isn’t security. For example, if I have a safe with a glass relocker you could prevent someone from drilling your safe; it won’t stop everyone (i.e. if you have the drill points for the safe) but it will stop most common attackers and thus it is security. Security is the degree of resistance to, or protection from, harm (there is no guarantee). Don’t say security is an illusion; that is like saying you shouldn’t even try.

    1. They installed glass doors on the offices at my previous job. The first couple of weeks, workers kept locking themselves inside their offices, and we had to open the doors _from the outside_ to get them out.

      Go figure.

  3. Possible counter measures?

    Something across the barrel plug hole to detect if someone has tried to use it to gain access.

    Super glue in the hole to plug it up. (destructive, I know).

    Or perhaps a small piece of tin foil in the hole. That would short out the communication but may not be detectable. Presumably there’s a blocking diode to keep from shorting the internal battery.

      1. You could just connect a capacitor between the DC input contacts, inside the lock, to short circuit just the data but not the DC. This is still impractical, though; you are not exactly going to do this on each and every single lock. But come on, those doors usually come with a kind of locking mechanism one could open with a piece of plastic bottle or a credit-card-sized card, by pushing it between the door and the frame.

        1. Yea, until your card gets wiped or something and they can’t program the lock.

          Meanwhile your shit’s on the other side of the door and you have to wait for the locksmith (or crowbar).

          Totally worth it!

  4. I’ll be honest… this doesn’t really bother me that much.

    I don’t leave valuables in a hotel room when I’m not in it, because I’ve always assumed that theft by employee is just as likely as something like this (if not more so).

    When I am in the room I lock that little swinging lock that they all have.

    1. Much more likely, actually. What this guy did is a proof of concept, he isn’t going to actually steal anything.

    1. So, the barrel plug isn’t for charging at all (the batteries are standard, non-rechargeable AAs), but the programming part is correct. It’s not Dallas 1-Wire, but it’s damn close (and predates it) in terms of concept; the full protocol details are in the paper at http://demoseen.com/bhpaper.html

  5. First of all, nice shirt, very appropriate. Second of all, THIS IS AWESOME! If I saw a barrel plug, I would associate it with power, and not give it a second thought. But I’m glad Cody took the time to investigate. Badass hack

  6. All it takes is a few “special” locks with the interface ports wired to the mains. Once word gets out that will deter many of the potential exploiters :p

    1. That would be illegal under booby trap laws. But it does bring up the pertinent counterpoint.

      When somebody who has time on their hands wants in somewhere and can’t find a way to break the security mechanism, the rational thing to do is to repeatedly break it in a plausibly natural way. Eventually the people in charge will either give up spending tons of money and not fix it, or put in a new system. Either way is a new window to attempt an exploit.

      Happens with employees all the time wanting to take a smoke break outside the ‘Emergency Exit Only’ door.

  7. I have a lock on my screen door. A determined 5 year old could get through it. One day I locked myself out of my house; I grabbed the door handle and my 240 pound, 6’3″ muscled self gave a gentle push and I was inside. I barely made a sound and the door really wouldn’t have slowed me down; I could have made it look like I was walking into an unlocked door to a casual observer (except for the splintered wood). This was a standard front door sold in frame by the millions at Lowes and Home Despot. To me a locked door is just something to keep honest people honest. Now to me a trap door on the other side of the door opening to a steel cage in the basement (with suitable padding to cushion the fall) would be better security.

    1. Of course a screen door lock isn’t so much intended to keep honest people honest, as it is to keep your dog and maybe your 3-year-old inside… (probably not your 5-year-old.)

  8. I guess I always figured these were powered through the door hinge or something like that. Why have I never seen them charging these? What hour of the day can they wire up all the doors in a hallway without causing a bomb scare?

    1. It’s not for power. They have standard alkaline batteries (non-rechargeable) in a compartment, usually on the inside (secured side) of the door.

      The ones with electronic strikes or magnetic locks that are usually hooked up to a building security system (HID cards, etc) are usually powered though (through the hinge). AFAIK they have battery backup and cache authorized users in case of power failures though.

    2. As someone else commented, they probably have replaceable batteries on the other side. The barrel jack is, imo, to emergency power the device if the batteries run flat so you can still get in.

  9. The real security comes when the battery in the door set dies, and the guy needs about 30min to get into the thing. Apparently they do not have external power/opening capability.

    1. The batteries are in the lower box of the outside of the lock. The keypad lock to my house also has a spot to touch a 9v battery to two terminals and enter the code for a one shot activation.

  10. When I was in the states we did a lot of staying in Motel 6s, which use a lock similar to this extensively. One of the motels had a lock die on us; the mag stripe reader refused to work with all our stuff in the room. The owner had to come up and, after changing the 4x AA cells (which can be done from the outside), she plugged in a black box via a 6 pin mini DIN connector on the bottom and sent it some data which opened the door. I assume the same data the mag stripe would have provided, though this makes me think otherwise. Scary stuff.

  11. Either I smell a HUGE party or…

    a prank involving EVERY door becoming unlocked, then fried (while open, for legal reasons)

    … or just a huge party; will need sound deadening material or a stereo volume limit to avoid arousing suspicion XD

  12. I bet that when changing the batteries the person doing it is supposed to plug a power source into the jack so the lock doesn’t lose its memory.

    What I’ve experienced many times with these locks is sudden failures of cards to work, requiring them to be re-written.

    The common excuse the front desk people give is that cellphones corrupt the cards. I don’t keep my hotel key cards anywhere near my phone so that’s a BS argument.

    As demonstrated on a Mythbusters episode it requires at minimum a 700 gauss magnetic field in contact with the card, in motion relative to the card, to scramble the programming.

    I’ve never had a credit card or any other magstripe card get scrambled, only hotel key cards, which I keep in my wallet with the other cards.

    1. It’s because the hotel key cards are constantly being rewritten with new information.

      It’s the same as any other magnetic storage medium. Cassette, VHS or 3.5 inch floppy disks all wear out and become less reliable each time new data is layered on top of old data.

      Same thing essentially happens to flash drives and solid-state hard drives today. Heavier the use, shorter the life.

    2. The magnetic clasp on purses and phone cases will remove the information on a hotel key. A cell phone will not damage a key. The only information on a hotel key is a code to open the door, when the key was made and by which device. The most information about you found on the key would be your first or last name, or just identify you as “Guest”. It has a time that the key will stop working. If you extend your stay, get new keys. In a lot of cases, two keys are made for you and if they are not made as a duplicate, the second key in the door will cancel the first.

      1. Yes, plus even the OPEN-TOP leather pouch included with my old Blackberry Curve also has a magnet in it – no clasp, just a magnet.

        The Blackberry senses it’s in the pouch by proximity to the magnet, which locks the keyboard to prevent “butt dialing”.

  13. You know you can buy a little black box with the computer that goes with these kinds of locks, and you could reprogram every lock that uses these with the door number 666 without any password. Hell, if you get a programmed black box you can reset the password.
    I work at a hotel. These locks fuck up all the time where I have to do this.

    1. I average over 100 motel stays a year.
      I never leave anything of value in the room when I am not there.
      If they want my dirty socks and underwear, have at it.

      I always set the deadlatch and security chain or bolt when I am in the room.
      I have had the front desk make a mistake and give keys to a guest that is checking in,
      and had people walk in when I was asleep.

    2. This post is showing one of the ways the “black box” you’re talking about works; this is the “mode” the box is most likely set to in order to program these particular locks. And in this case it only costs us less than fifty bucks to do, not the $300-$10,000 bucks these big companies are charging for an FPGA, or an Arduino with a basic 1 wire protocol running as a serial programmer…
      If you have access to one of these programmers you should do some sniffing and see if you can make a low cost Arduino clone like this, but for more locks of course.
      Good luck man.

  14. Hotel locks are really only meant as discouragement; anyone truly intent on getting into your room will, if nothing else by social-engineering (or just pickpocketing) the universal key from the cleaning staff.

    As for safes, they have a universal unlock code that the staff knows. A long time ago, during a cruise, my mom locked her stuff in our room’s safe and promptly forgot the code. The guy who came up to unlock it proceeded to enter a really long string of numbers in an attempt to make us believe the secret code was made of thirty numbers or so. It was a particularly pathetic attempt, as the safe beeped its “HA HA NO” error code every few keys, but the dude kept going. In the end, after a small but conspicuous pause (I assume he was trying to remember the actual code), he entered six keys. The safe opened. I, having watched the entire procedure, now knew the magic numbers to open every safe in the ship. And this was in the Costa Classica, back then the most luxurious ship of Costa Cruises. I can only think the least luxurious has a rickety wooden cabinet with “SAEF” scribbled on it with a permanent marker.

  15. One time I discovered, much to my surprise, that my hotel key card readily unlocked another room’s door. I exited the elevator on the wrong floor and was surprised when I opened the door of the room in the same location on the floor as mine and someone else’s stuff was in the room. It took me about 15 seconds to realize what had happened.

  16. Two-factor authentication would and could prevent this in the future.

    A key swipe at the front desk approves use of the key on a specific floor.

  17. Once, a long time ago when I was 13, I discovered my mom somehow had a skeleton key to our local post office. I had forgotten our box number, and tried the wrong one and had mail from someone else. I ended up opening 4 or 5 different boxes until finding my mother’s name on the mail. Also, she definitely was not supposed to have a skeleton key. She didn’t work there or anything. I kind of think that probably everyone had a skeleton key in the post office’s ignorance.

  18. Wow, what a dumb security flaw. I suppose when the lock was designed, the manufacturers thought they could keep the protocol a secret. The dummies shoulda known better.

    I bought a little pistol safe that has a random “master” keycode, which lets you into the safe, and add more combinations. The master keycode is stamped in the instructions, which I locked away.

    Then about 2 years later, I noticed that the “serial number” sticker on the bottom of the safe was actually the same as the master keycode! $%^@@^%^#)(!!!
