Dry erase marker opens all hotel room doors

If you’re carrying around an exposed circuit board and a bunch of wires people are going to notice you. But a dry erase marker won’t turn any heads. And this one holds its own little secret. It acts as a master key for hotel room door locks.

This is really more of a repackaging hack. The exploit is already quite well-known. The Onity brand of key card locks most commonly used in hotels have a power jack on the bottom that doubles as a 1-wire communications port. The first published proof of concept used an Arduino board and a simple adapter to unlock any door in under one second. Now that hardware has been reduced in size so that it fits in the hollow shell of a dry erase marker. Even better, the felt tip has been replaced with the appropriately sized barrel jack. Check out the ultra-fast and inconspicuous use of it after the break. We think using this is no more obvious than actually having the key card.

[Read more...]

Janus: The Gatekeeper

janus-001

[Piet] wrote in to tell us about his hack that allows for his front gate to be opened without a key. Unlike this hack that we featured in August, you don’t need a subway pass, just a good memory. As explained in his article (and the video after the break) if the proper sequence of doorbell rings is input, the gate unlocks itself.

For hardware a [mehduino] is used to take the doorbell input and decide whether or not the “secret knock” has been achieved. The door can be unlocked remotely via a button on the processor. Reprogramming the code is achieved by simply holding the program button while the code is entered on the “remote ringer” button.

Be sure to check out the video after the break to see this lock in action. The housing application may not be exactly what you expect. Also of interest, is that in true hacker fashion, the bare processor is hanging by a hook on his wall! [Read more...]

No secret knocks required at [Steve's] house – your subway pass will do

rfid-door-lock

[Steve] is often host to all sorts of guests, and he was looking for an easy way to let his friends come and go as they please. After discovering that his front door came equipped with an electronic strike, he decided that an RFID reader would be a great means of controlling who was let in, and when.

Giving all your friends RFID cards and actually expecting that they carry them is a bit of a stretch, but lucky for [Steve] he lives near Boston, so the MBTA has him covered. Just about everyone in town has an RFID subway pass, which pretty much guarantees that [Steve’s] cohorts will be carrying one when they swing by.

He crafted a stylish set of wooden boxes to contain both the RFID reader and the Arduino that controls the system, matching them to the Victorian styling of his home. A single button can control the setup, allowing him to add and remove cards from access lists without much fuss. For more granular control however, [Steve] can always tweak settings from the Arduino serial console.

The card system is both stylish and useful – a combination that’s hard to beat.

Work station includes a Smartcard lock for USB ports

The USB ports on this work station are locked. In order to use a USB device you’ll need to insert a Smartcard into the reader seen above. The interesting thing here is that this shouldn’t affect your ability to charge a USB device. When you visit the link above make sure to check out the worklog tab as it contains nine pages worth of build information.

The device is conceived of in two parts. There is one board which does the USB switching, and another that takes care of the Smartcard reader. That reader is based on a PIC 16F1939. It readers the Smartcard, verifies the data, then controls the USB switching board via SPI. An ADG714 chip completes the circuit on eight data lines making up the four USB ports. There is also a mechanical relay on the board which can cut USB power. Since this is separate from the data switching, the power could be left on for charging or toggled separately by a card that has permission to charge but not to use the data ports. You can see a demonstration of the system embedded after the break.

[Read more...]

Arduino, resistor, and barrel plug lay waste to millions of hotel locks

The security flaws on this common hotel keycard lock are nothing short of face-palmingly stupid. Look closely at the picture above. This is a hotel room door swinging open. The device he holds in his hand is an Arduino connected to the OUTSIDE portion of the door lock. It takes approximately 200 milliseconds from the time an attacker plugs the device in, until the door can be opened. Yes, in less than 1/4 of one second an Arduino can open any of the millions of these locks in service.

The exploit in Onity programmable keycard locks was revealed by [Cody Brocious] at the Blackhat conference. Apparently the DC barrel jack on the outside of the lock serves as a one-wire protocol interface. Once communications are established a 32-bit sitecode can be read from any of the locks and immediately used to open the door. There is no authentication or encryption used to obfuscate this kind of attack. To make matters worse, you can even read out master key and skeleton key codes. These codes facilitate ‘magic’ keys used to open a variety of different doors through the system.

We’re no strangers to easy hotel beak-ins. But how can a digital lock possibly be sold with this type of vulnerability present? Really!?

Here’s the white paper on the exploit as well as the slides from his talk (PDF).

[via Reddit]

A locking chest with a musical key

music-detecting-box

[Basil Shikin] was thinking about different types of locks, and was trying to come up with a locking solution that he had yet to see. It dawned on him that he had never come across a lock triggered by music, so he set off to construct one of his own.

He ordered a wooden chest online, then proceeded to piece together the electronics required for the locking mechanism as well as the music detecting logic. Using an Atmega328P paired with an electret mic, his system listens for a particular tune (the Prelude of Light from the Ocarina of Time) to be played , which triggers a tiny servo to undo the latch. To do this, he implemented a version of the Goertzel Algorithm on the Arduino, allowing him to accurately detect the magical tune by frequency, regardless of what instrument it is played on.

Be sure to check out the video below to see his musical lock in action.

[Read more...]

Adding an electronic lock to a DIY book safe

electronic-book-safe

DIY book safes are well and good, but if you give someone enough time to peruse your book collection, the 3-inch thick “Case study on Animal Husbandry Techniques during the 14th Century” is likely to stand out among your collection of hand-bound “Twilight” fan fiction. In an attempt to teach his friend a bit about microcontrollers and circuits, [Jonathan] spent some time adding a bit more security to your run of the mill book safe.

The pair started out with the time-consuming process of gluing the book’s pages together and creating enough hollow space for both storage and the electronics. With that out of the way, they installed a latch and servo motor inside the cavity, the latter of which is controlled using an Atmega328p with the Arduino bootloader. To gain access to the goodies stashed away inside, Jonathan hooks up a small PS/2 keypad and enters a passcode. This triggers the servo motor, opening the latch.

While the latch likely only adds a nominal bit of security to the book safe, it’s a fun enough learning exercise to justify the time spent putting it together.

Continue reading to see a short video of [Jonathan’s] electronic latching book safe in action.

[Read more...]