Burglar suspected of using Arduino-Onity hack to rob hotel rooms

Can anyone argue against this being the least-secure hotel room lock on the market? Regular readers will recognize it as an Onity key card lock. A few months back a glaring flaw in the security was exposed that allows these locks to be opened electronically in less than a second. So we are not surprised to hear that a series of hotel room robberies in Houston is suspected to have been performed using this technique.

The image above is from a demonstration video we saw back in October. That hack used an Arduino-compatible chip inside of a dry erase marker as an end-run around the lock’s electronics. It reinforced the warning sounded by [Cody Brocious] when he presented the exploit at this year’s Blackhat conference. The barrel jack on the outside of the door lock doubles as a 1-wire communications port and that is how an attacker can gain access. Investigators can find no other means of entry for these thefts.

We applaud one of the victims in this story. At the end of the article she is asked if the information about the Onity flaw should have been kept secret. She said that if there’s a vulnerability that’s not being fixed people have a right to know about it. Bravo [Janet Wolf]!

[Thanks Andrew]

Giving an apartment keyless entry

The key for [rybitski]’s apartment is a copy of a copy of a copy, and the landlord lost the original key years ago. The lock itself still works, but opening it with [rybitski]’s key is a chore. He wanted to make it easier to get into his apartment, and with Arduinos and such he figured he could make a keyless entry device for his front door.

After figuring out how to open his deadbolt with an Arduino and a rather powerful servo, [rybitski] looked into wireless control options. He found a keyless entry remote, complete with receiver, that integrated perfectly with just about any microcontroller project.

After mounting the Arduino, receiver, and servo on a piece of plastic, he attached his contraption to the deadbolt. In the video after the break, you can see his key fob remote locking and unlocking the deadbolt, all without jamming an ill-fitting key into the lock.


Dry erase marker opens all hotel room doors

If you’re carrying around an exposed circuit board and a bunch of wires people are going to notice you. But a dry erase marker won’t turn any heads. And this one holds its own little secret. It acts as a master key for hotel room door locks.

This is really more of a repackaging hack. The exploit is already quite well-known. Onity-brand key card locks, most commonly used in hotels, have a power jack on the bottom that doubles as a 1-wire communications port. The first published proof of concept used an Arduino board and a simple adapter to unlock any door in under one second. Now that hardware has been reduced in size so that it fits in the hollow shell of a dry erase marker. Even better, the felt tip has been replaced with the appropriately sized barrel jack. Check out the ultra-fast and inconspicuous use of it after the break. We think using this is no more obvious than actually having the key card.


Janus: The Gatekeeper


[Piet] wrote in to tell us about his hack that allows for his front gate to be opened without a key. Unlike this hack that we featured in August, you don’t need a subway pass, just a good memory. As explained in his article (and the video after the break) if the proper sequence of doorbell rings is input, the gate unlocks itself.

For hardware a [mehduino] is used to take the doorbell input and decide whether or not the “secret knock” has been achieved. The door can be unlocked remotely via a button on the processor. Reprogramming the code is achieved by simply holding the program button while the code is entered on the “remote ringer” button.

Be sure to check out the video after the break to see this lock in action. The housing application may not be exactly what you expect. Also of interest is that, in true hacker fashion, the bare processor is hanging by a hook on his wall!

No secret knocks required at [Steve’s] house – your subway pass will do


[Steve] is often host to all sorts of guests, and he was looking for an easy way to let his friends come and go as they please. After discovering that his front door came equipped with an electronic strike, he decided that an RFID reader would be a great means of controlling who was let in, and when.

Giving all your friends RFID cards and actually expecting that they carry them is a bit of a stretch, but lucky for [Steve] he lives near Boston, so the MBTA has him covered. Just about everyone in town has an RFID subway pass, which pretty much guarantees that [Steve’s] cohorts will be carrying one when they swing by.

He crafted a stylish set of wooden boxes to contain both the RFID reader and the Arduino that controls the system, matching them to the Victorian styling of his home. A single button can control the setup, allowing him to add and remove cards from access lists without much fuss. For more granular control however, [Steve] can always tweak settings from the Arduino serial console.

The card system is both stylish and useful – a combination that’s hard to beat.

Work station includes a Smartcard lock for USB ports

The USB ports on this work station are locked. In order to use a USB device you’ll need to insert a Smartcard into the reader seen above. The interesting thing here is that this shouldn’t affect your ability to charge a USB device. When you visit the link above make sure to check out the worklog tab as it contains nine pages worth of build information.

The device is conceived of in two parts. There is one board which does the USB switching, and another that takes care of the Smartcard reader. That reader is based on a PIC 16F1939. It reads the Smartcard, verifies the data, then controls the USB switching board via SPI. An ADG714 chip completes the circuit on eight data lines making up the four USB ports. There is also a mechanical relay on the board which can cut USB power. Since this is separate from the data switching, the power could be left on for charging or toggled separately by a card that has permission to charge but not to use the data ports. You can see a demonstration of the system embedded after the break.


Arduino, resistor, and barrel plug lay waste to millions of hotel locks

The security flaws on this common hotel keycard lock are nothing short of face-palmingly stupid. Look closely at the picture above. This is a hotel room door swinging open. The device he holds in his hand is an Arduino connected to the OUTSIDE portion of the door lock. It takes approximately 200 milliseconds from the time an attacker plugs the device in, until the door can be opened. Yes, in less than 1/4 of one second an Arduino can open any of the millions of these locks in service.

The exploit in Onity programmable keycard locks was revealed by [Cody Brocious] at the Blackhat conference. Apparently the DC barrel jack on the outside of the lock serves as a one-wire protocol interface. Once communications are established a 32-bit sitecode can be read from any of the locks and immediately used to open the door. There is no authentication or encryption used to obfuscate this kind of attack. To make matters worse, you can even read out master key and skeleton key codes. These codes facilitate ‘magic’ keys used to open a variety of different doors through the system.
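An added example, not from the original post or from [Cody Brocious]’s paper: a simplified Python model contrasting the unauthenticated port described above with a port that demands a fresh HMAC challenge-response before it answers. It does not model Onity’s real protocol; the class names, the key, the sitecode value and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not taken from any real lock.
SITECODE = bytes.fromhex("a1b2c3d4")  # stands in for the 32-bit sitecode
PORT_KEY = b"constructed-per-lock-key"  # assumption: provisioned per lock


class OpenPort:
    """Behaviour the post describes: any device on the port can read."""
    def read_sitecode(self, proof=None):
        return SITECODE


class AuthenticatedPort:
    """Hypothetical hardened port: a read needs a fresh HMAC proof."""
    def __init__(self, key):
        self._key = key
        self._nonce = None

    def challenge(self):
        # New random nonce per attempt, so a recorded proof cannot be replayed.
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def read_sitecode(self, proof=None):
        nonce, self._nonce = self._nonce, None  # each nonce is single-use
        if nonce is None or proof is None:
            return None  # fail closed: no challenge issued or no proof sent
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return SITECODE if hmac.compare_digest(expected, proof) else None


def make_proof(key, nonce):
    # What a device holding the key computes in reply to the challenge.
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    port = AuthenticatedPort(PORT_KEY)
    anonymous = port.read_sitecode()  # no challenge, no proof
    proof = make_proof(PORT_KEY, port.challenge())
    authorised = port.read_sitecode(proof)
    port.challenge()  # lock issues a new nonce
    replayed = port.read_sitecode(proof)  # old proof against new nonce
    return OpenPort().read_sitecode(), anonymous, authorised, replayed
```

Only the authorised read returns the sitecode from the hardened port; the anonymous and replayed attempts both get nothing, while the open port answers anyone.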

We’re no strangers to easy hotel break-ins. But how can a digital lock possibly be sold with this type of vulnerability present? Really!?

Here’s the white paper on the exploit as well as the slides from his talk (PDF).

[via Reddit]