Dry erase marker opens all hotel room doors

If you’re carrying around an exposed circuit board and a bunch of wires people are going to notice you. But a dry erase marker won’t turn any heads. And this one holds its own little secret. It acts as a master key for hotel room door locks.

This is really more of a repackaging hack. The exploit is already quite well-known. The Onity brand of key card locks most commonly used in hotels have a power jack on the bottom that doubles as a 1-wire communications port. The first published proof of concept used an Arduino board and a simple adapter to unlock any door in under one second. Now that hardware has been reduced in size so that it fits in the hollow shell of a dry erase marker. Even better, the felt tip has been replaced with the appropriately sized barrel jack. Check out the ultra-fast and inconspicuous use of it after the break. We think using this is no more obvious than actually having the key card.

Comments

  1. [ZF] says:

    You can defend against this attack by checking in to your hotel room but just staying out at the clubs all night. If criminals break in, you are not there. Solved.

  2. Corrosion says:

    Very clever, I love the idea of how concealable this is now

  3. The only thing I could think of was “Sonic Screwdriver”. Awesome!

  4. William says:

    I wonder when someone will do this with a lilypad and have nothing extra to carry.

  5. I was waiting to see when someone would stick it on a smaller device and hack with it….

    ….but the dry erase marker is fucking BRILLIANT! The cap is absurdly perfect!!!

  6. Treehouse Projects says:

    Super cool!

  7. nes says:

    Onity released a free hardware patch for their locks: actually a ‘patch’ of metal which fits inside the casing and covers the jack.

    Bottom line is you need a screwdriver to get the lock apart before you can plug anything in. So ultra-conspicuous again unfortunately.

    • ChalkBored says:

      Just stick a screwdriver in another marker.

    • jafpcu says:

      You’re assuming that every hotel has actually installed the “patch”. I bet many wait until a door lock is scheduled for service, then install the guard plate. Wouldn’t surprise me if many fail to install it ever.

    • redrocket says:

      The likelihood that a majority of the hotels, and motels out there with Onity locks will actually install this “patch” is slim to none. Don’t get me started on servicing working units. Preventative maintenance is not a word that is in a facility managers vocabulary at these places.

      I am speaking from the perspective of a Commercial door and hardware technician. I work in the service department and our company has many hotels and motels as clients. I’ve seen locks falling apart from loose screws and can’t fix them as they are not on my service ticket. Go back to the same business 3 weeks later, lock still falling apart.

  8. n0lkk says:

    Good work. My guess is that law enforcement and national security type have tools smaller yet. Now this made widely known I wouldn’t was to be at convention where there has been a crime with no apparent means of entry can’t be found. not going to be a marker to be found if you need one.

  9. Scott says:

    I’m an electronics novice. Can someone explain to me why the 12v battery doesn’t damage the micro-controller? I thought they could only handle around 5 volts? Does it have something to do with the zener diode?

    Thanks!

    • giacomo says:

      Yes, the 3.3v zener acts as a crude regulator. Personally I’d have just used a 3v lithium cell, but I suppose this is sufficient.

    • ibespecial says:

      essentially the output voltage will equal (about) the reverse breakdown voltage of the zener which are available in a huge range. The resistor is there to limit the maximum current through the zener which happens when there is no load connected (12-3.3)/20 = 290 mA. This type of regulator is far from power efficient so you wouldn’t want to use it for most other applications, but since there is only power when the button is pressed it will work fine.

    • giacomo says:

      Yeah thanks ibespecial, I wasn’t really clear. Scott: If you add an opamp, you can actually make a decent supply using the zener as a reference. Many high-end supplies actually use a high-precision zener reference. If you want to learn about power supplies, I highly recommend this EEVBlog series: http://youtu.be/cM7t1Mpu7s4

      You’ll notice at around the 2 minute mark, he’ll put up a diagram with a [Ref] block. If you stick the zener in there, you’ll have something close to an lm317 (in reality, those don’t use zeners as references, but the concept is the same).

  10. sonicdude10 says:

    Goes and stays at motel for a week. Checks out.

    “SHIT!! I left my medication inside and I’ve already shut the door with keys in room!”

    Wips out handy door hack marker.

    “SUCK IT BITCHES!!!”

    • citizenjapp says:

      Yes, and I can only think of noble uses for this device too.

      Has the whole world gone completely amoral and someone just forgot to email me the memo?

      When someone steals something from the hotel rooms of people using this devious doohickey to feed their need for greed, I would love to see a CAT scan of their neurons flailing about trying to deal with the hypocrisy of their outrage.

      • 112358 says:

        There is a different approach to this question of morality and sharing device flaws. If they weren’t shared quickly then it may take even longer for the flaw to be noticed before any real damage was done. Letting the public know of security flaws contributes a lot.

      • citizenjapp says:

        To anonymous, who said “If they weren’t shared quickly then it may take even longer for the flaw to be noticed before any real damage was done.”..

        This post is all about how to make an already existing thief’s tool easier to use in public by rendering the device undetectable. I am not quite sure why you would think that this is an efficient way of fighting crime.

        Marco

        • eazy e says:

          It doesn’t fight crime, however, it makes people aware of what criminals are capable of doing. It’s good to know what criminals have at their disposal and reminds people of the flaws of the world and technology

  11. TechByTom says:

    I saw @Jaku with this at the last BurbSec. Really cool to check out.

  12. “You cannot just dry erase marker hack your way into Hotel-door.” -> Nah. It’s just not the same.

  13. roccobass says:

    I’m reading this from a hotel in Pittsburgh. I just went and checked the lock on my room door and there is no metal patch. In fact there are two ports at the bottom of the lock.

  14. pinkertron says:

    FIXED IT! Just went and epoxied the one on my door.

  15. bill says:

    A close look at the circuit diagram and the build photos posted on the linked site suggests there are two errors on the schematic. The first is the 30 ohm resistor from the battery to the zener which is clearly too small. The photo suggests it is 3k3 which is, arguably, too small. The correct value should be around 470 or 560 ohms IMHO. Using 30 ohms would probably seriously stress that zener and the (small) batteries suggested.

    The second error is the connection between the connector barrel and the 3.3V rail which does not match the original designer’s description. It should instead go directly to pin 5. A close look at the build photo suggests that was actually the arrangement used.

    Of course, perhaps these were just intentional errors intended to confuse beginners in the black art of microprocessors.

    • Dan says:

      Bill,

      You seem to be correct on the second error. The 5.6K should be used to pull the barrel high, with the barrel inner connected directly to PD3. The circuit diagram is wrong. I don’t seem to be able to comment on his page.

  16. tim says:

    Maybe shrink it down to use a SMD ATiny85 and you could have an even less suspicious biro…

  17. curious_minds_007 says:

    Is there an updated schematic anywhere? one that is ‘truly’ correct? correct values and correct connections? I know this is old….and yes I read Onity has released hardware/software patches.. I have a Atmega328 DIP sitting here.. and I want to make one…. but dont want to use bogus/fake/erroneous schematic plans?

    so errors/fixes:

    1.) 30Ohm resistor is KAKA.. needs to be.?? what (not 3.3k…too small?) but a 470 Ohm is ok/correct? (bigger? than the 3.3k which is arguable too small?)…huh?

    2.) 3.3v to pin 3? or pin 5? (which is it?) :)

    3.) the 5.6k resistor? ‘should be used to pull the barrel high’.. which means what? That the 5.6k resistor should NOT be between the barrel and pin3.. but between barrel and +3.3v source/trace? and the trace/connection from barrel should go BETWEEN the 5.6k resistor and barrel. to >>>> pIn 5?

    Would this be a more ‘accurate’ schematic then?

    Also.. Im curious as to how they are getting a 16MHz Arduino to work @ only +3v?

    thanks!

  18. xl97 says:

    I also do not see/understand several things:

    1.) a 16MHz crystal? running at 3.3v? huh? thought it had to run @ +5v to be @ 16MHz clock?

    2.) If you are running a 16MHz clock/crystal… wheres the caps? Arent those needed for precise timing?

    3.) Is D3 or D5 used? if you read comments all over.. it differs..??

    Schematic shows D3… but comments says ‘error’…should be D5?

  19. Baso says:

    PD3 is correct, which is pin number 5
    30 Ohm will work, not ideal
    16Mhz will work.
    It’s basically a shrunk down complete arduino on a 3V regulator. Use a full arduino if u want.

  20. Rick says:

    I have built two of these just using ardunio’s both work great — I have bought black hobby boxes from radio shack to house them.. I really wanted to make one of these marker builds but no one can come up with/make the correct schematics

  21. nobody says:

    Im trying to learn to make use and understand the technology that makes this device work, but it is not to steal stuff from random people its because iam prone to becoming homeless and it gets cold outside

  22. alex says:

    how does one plug in the arduino and save the data so you can later go home retrieve the sitecode which was saved and write the site code to a bunch of key blanks?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 94,499 other followers