Secret Listening to Elevator Music

While we don’t think this qualifies as a “fail”, it’s certainly not a triumph. But that’s what happens when you notice something funny and start to investigate: if you’re lucky, it ends with “Eureka!”, but most of the time it’s just “oh”. Still, it’s good to record the “ohs”.

Gökberk [gkbrk] Yaltıraklı was staying in a hotel long enough that he got bored and started snooping around the network, like you do. Breaking out Wireshark, he noticed a lot of UDP traffic on a nonstandard port, so he thought he’d have a look.

Continue reading “Secret Listening to Elevator Music”

Two Guys, a Hotel Room and a Radio Fire

Can you build a HF SSB radio transciever in one weekend, while on the road, at parts from a swap meet? I can, but apparently not without setting something on fire.

Of course the swap meet I’m referring to is Hamvention, and Hamvention 2016 is coming up fast. In a previous trip to Hamvention, Scott Pastor (KC8KBK) and I challenged ourselves to restore tube radio gear in a dodgy Dayton-area hotel room where we repaired a WW2 era BC-224 and a Halicrafters receiver, scrounging parts from the Hamfest.

Our 2014 adventures were so much fun that it drove us to create our own hacking challenge in 2015 to cobble together a <$100 HF SSB transceiver (made in the USA for extra budget pressure), an ad-hoc antenna system, put this on the air, and make an out-of-state contact before the end of Hamvention using only parts and gear found at Hamvention. There’s no time to study manuals, antennas, EM theory, or vacuum tube circuitry.  All you have are your whits, some basic tools, and all the Waffle House you can eat.  But you have one thing on your side, the world’s largest collection of surplus electronics and radio junk in one place at one time.  Can it be done?

Continue reading “Two Guys, a Hotel Room and a Radio Fire”

Burglar suspected of using Arduino-Onity hack to rob hotel rooms

Can anyone argue against this being the least-secure hotel room lock on the market? Regular readers will recognize it as an Onity key card lock. A few months back a glaring flaw in the security was exposed that allows these locks to be opened electronically in less than a second. So we are not surprised to hear that a series of hotel room robberies in Houston are suspected to have been performed using this technique.

The image above is from a demonstration video we saw back in October. That hack used an Arduino-compatible chip inside of a dry erase marker as an end-run around the lock’s electronics. It reinforced the warning sound by [Cody Brocious] when he presented the exploit at this year’s Blackhat conference. The barrel jack on the outside of the door lock doubles as a 1-wire communications port and that is how an attacker can gain access. Investigators can find no other means of entry for these thefts.

We applaud one of the victims in this story. At the end of the article she is asked if the information about the Onity flaw should have been kept secret. She said that if there’s a vulnerability that’s not being fixed people have a right to know about it. Bravo [Janet Wolf]!

[Thanks Andrew]

Dry erase marker opens all hotel room doors

If you’re carrying around an exposed circuit board and a bunch of wires people are going to notice you. But a dry erase marker won’t turn any heads. And this one holds its own little secret. It acts as a master key for hotel room door locks.

This is really more of a repackaging hack. The exploit is already quite well-known. The Onity brand of key card locks most commonly used in hotels have a power jack on the bottom that doubles as a 1-wire communications port. The first published proof of concept used an Arduino board and a simple adapter to unlock any door in under one second. Now that hardware has been reduced in size so that it fits in the hollow shell of a dry erase marker. Even better, the felt tip has been replaced with the appropriately sized barrel jack. Check out the ultra-fast and inconspicuous use of it after the break. We think using this is no more obvious than actually having the key card.

Continue reading “Dry erase marker opens all hotel room doors”

Arduino, resistor, and barrel plug lay waste to millions of hotel locks

The security flaws on this common hotel keycard lock are nothing short of face-palmingly stupid. Look closely at the picture above. This is a hotel room door swinging open. The device he holds in his hand is an Arduino connected to the OUTSIDE portion of the door lock. It takes approximately 200 milliseconds from the time an attacker plugs the device in, until the door can be opened. Yes, in less than 1/4 of one second an Arduino can open any of the millions of these locks in service.

The exploit in Onity programmable keycard locks was revealed by [Cody Brocious] at the Blackhat conference. Apparently the DC barrel jack on the outside of the lock serves as a one-wire protocol interface. Once communications are established a 32-bit sitecode can be read from any of the locks and immediately used to open the door. There is no authentication or encryption used to obfuscate this kind of attack. To make matters worse, you can even read out master key and skeleton key codes. These codes facilitate ‘magic’ keys used to open a variety of different doors through the system.

We’re no strangers to easy hotel beak-ins. But how can a digital lock possibly be sold with this type of vulnerability present? Really!?

Here’s the white paper on the exploit as well as the slides from his talk (PDF).

[via Reddit]