If you’re carrying around an exposed circuit board and a bunch of wires, people are going to notice you. A dry erase marker won’t turn any heads, and this one holds its own little secret: it acts as a master key for hotel room door locks.
This is really more of a repackaging hack; the exploit itself is already well known. The Onity brand of key card locks most commonly used in hotels has a DC power jack on the bottom that doubles as a one-wire communications port. The first published proof of concept used an Arduino board and a simple adapter to unlock any door in under a second. That hardware has now been shrunk to fit inside the hollow shell of a dry erase marker, and the felt tip has been replaced with the appropriately sized barrel jack. Check out the ultra-fast and inconspicuous use of it in the video after the break. We think using this is no more obvious than using the actual key card.
You can defend against this attack by checking in to your hotel room but just staying out at the clubs all night. If criminals break in, you are not there. Solved.
Brilliant!
I like the way you think
Very clever, I love the idea of how concealable this is now
The only thing I could think of was “Sonic Screwdriver”. Awesome!
I wonder when someone will do this with a lilypad and have nothing extra to carry.
Sew it into a glove, with a plug on the fingertip.
E.T. Hack dooooooor.
Super cool!
Onity released a free hardware patch for their locks: actually a ‘patch’ of metal which fits inside the casing and covers the jack.
Bottom line is you need a screwdriver to get the lock apart before you can plug anything in. So ultra-conspicuous again unfortunately.
You’re assuming that every hotel has actually installed the “patch”. I bet many wait until a door lock is scheduled for service, then install the guard plate. Wouldn’t surprise me if many fail to install it ever.
The likelihood that a majority of the hotels and motels out there with Onity locks will actually install this “patch” is slim to none. Don’t get me started on servicing working units. Preventative maintenance is not a word that is in a facility manager’s vocabulary at these places.
I am speaking from the perspective of a Commercial door and hardware technician. I work in the service department and our company has many hotels and motels as clients. I’ve seen locks falling apart from loose screws and can’t fix them as they are not on my service ticket. Go back to the same business 3 weeks later, lock still falling apart.
That, or incorporate a screwdriver into this build. Sometime in the future there may be a “multitool for criminals” tag.
I’m an electronics novice. Can someone explain to me why the 12v battery doesn’t damage the micro-controller? I thought they could only handle around 5 volts? Does it have something to do with the zener diode?
Thanks!
Yes, the 3.3v zener acts as a crude regulator. Personally I’d have just used a 3v lithium cell, but I suppose this is sufficient.
Essentially the output voltage will equal (about) the reverse breakdown voltage of the zener, which are available in a huge range. The resistor is there to limit the maximum current through the zener, which happens when there is no load connected: (12-3.3)/20 = 290 mA. This type of regulator is far from power efficient, so you wouldn’t want to use it for most other applications, but since there is only power when the button is pressed it will work fine.
Yeah thanks ibespecial, I wasn’t really clear. Scott: If you add an opamp, you can actually make a decent supply using the zener as a reference. Many high-end supplies actually use a high-precision zener reference. If you want to learn about power supplies, I highly recommend this EEVBlog series: http://youtu.be/cM7t1Mpu7s4
You’ll notice at around the 2 minute mark, he’ll put up a diagram with a [Ref] block. If you stick the zener in there, you’ll have something close to an lm317 (in reality, those don’t use zeners as references, but the concept is the same).
Goes and stays at motel for a week. Checks out.
“SHIT!! I left my medication inside and I’ve already shut the door with keys in room!”
Whips out handy door hack marker.
“SUCK IT BITCHES!!!”
Yes, and I can only think of noble uses for this device too.
Has the whole world gone completely amoral and someone just forgot to email me the memo?
When someone steals something from the hotel rooms of people using this devious doohickey to feed their need for greed, I would love to see a CAT scan of their neurons flailing about trying to deal with the hypocrisy of their outrage.
There is a different approach to this question of morality and sharing device flaws. If they weren’t shared quickly then it may take even longer for the flaw to be noticed before any real damage was done. Letting the public know of security flaws contributes a lot.
To anonymous, who said “If they weren’t shared quickly then it may take even longer for the flaw to be noticed before any real damage was done.”:
This post is all about how to make an already existing thief’s tool easier to use in public by rendering the device undetectable. I am not quite sure why you would think that this is an efficient way of fighting crime.
Marco
It doesn’t fight crime; however, it makes people aware of what criminals are capable of doing. It’s good to know what criminals have at their disposal, and it reminds people of the flaws of the world and technology.
I saw @Jaku with this at the last BurbSec. Really cool to check out.
“You cannot just dry erase marker hack your way into Hotel-door.” -> Nah. It’s just not the same.
This lock was made by the dead, and the dead….whoa! Well, look at that! He opened it.
Their device is about the same size. It’s a key card they get from the hotel lobby. They also have a slightly larger version that will open most hotel doors, it’s called a size 12 combat boot.
+1
I’m reading this from a hotel in Pittsburgh. I just went and checked the lock on my room door and there is no metal patch. In fact there are two ports at the bottom of the lock.
FIXED IT! Just went and epoxied the one on my door.
A close look at the circuit diagram and the build photos posted on the linked site suggests there are two errors on the schematic. The first is the 30 ohm resistor from the battery to the zener which is clearly too small. The photo suggests it is 3k3 which is, arguably, too small. The correct value should be around 470 or 560 ohms IMHO. Using 30 ohms would probably seriously stress that zener and the (small) batteries suggested.
The second error is the connection between the connector barrel and the 3.3V rail which does not match the original designer’s description. It should instead go directly to pin 5. A close look at the build photo suggests that was actually the arrangement used.
Of course, perhaps these were just intentional errors intended to confuse beginners in the black art of microprocessors.
Bill,
You seem to be correct on the second error. The 5.6K should be used to pull the barrel high, with the barrel inner connected directly to PD3. The circuit diagram is wrong. I don’t seem to be able to comment on his page.
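The thread above argues over the series resistor (30 ohm vs 470/560 vs 3k3) by the rule ibespecial gave earlier: the rail sits at the zener voltage, the resistor sets the current, and the zener is stressed hardest with no load because all of the resistor current then flows through the diode. The following added example (not code from the post, the build, or the linked sites) turns that rule into a sizing check. It assumes a 12 V battery and 3.3 V zener as in the build, plus a 0.5 W zener rating, a 10 mA worst-case load and a 2 mA minimum zener current; those last three are assumptions, not values from the page.

```python
"""Sizing the series resistor of a zener shunt regulator.

Added example, not from the marker build. Assumed values: 12 V battery,
3.3 V zener (both as in the build), 0.5 W zener rating, 10 mA worst-case
load, 2 mA minimum zener current (the last three are assumptions).
"""

VIN = 12.0         # battery voltage (V), as in the build
VZ = 3.3           # zener voltage (V), as in the build
PZ_MAX = 0.5       # assumed zener power rating (W)
ILOAD_MAX = 0.010  # assumed worst-case load current (A)
IZ_MIN = 0.002     # assumed minimum zener current that still regulates (A)


def series_current(r_ohm, vin=VIN, vz=VZ):
    """Current through the series resistor once the zener conducts (A)."""
    return (vin - vz) / r_ohm


def no_load_zener_power(r_ohm, vin=VIN, vz=VZ):
    """Zener dissipation with nothing connected: the worst case (W)."""
    return vz * series_current(r_ohm, vin, vz)


def resistor_power(r_ohm, vin=VIN, vz=VZ):
    """Dissipation in the series resistor; does not depend on the load (W)."""
    return (vin - vz) ** 2 / r_ohm


def zener_current_under_load(r_ohm, iload, vin=VIN, vz=VZ):
    """Current left for the zener after the load takes its share (A).

    A negative result means the zener has dropped out and the rail sags
    below VZ because the resistor cannot supply the load at all.
    """
    return series_current(r_ohm, vin, vz) - iload


def resistor_window(vin=VIN, vz=VZ, pz_max=PZ_MAX,
                    iload_max=ILOAD_MAX, iz_min=IZ_MIN):
    """Return (r_min, r_max) in ohms for a usable series resistor.

    r_min: below this, the no-load current exceeds the zener power rating.
    r_max: above this, the zener starves at full load and regulation is lost.
    """
    r_min = (vin - vz) * vz / pz_max
    r_max = (vin - vz) / (iload_max + iz_min)
    return r_min, r_max


def evaluate(r_ohm, **kw):
    """Classify a candidate resistor: 'ok', 'zener_overpower' or 'drops_out'."""
    r_min, r_max = resistor_window(**kw)
    if r_ohm < r_min:
        return "zener_overpower"
    if r_ohm > r_max:
        return "drops_out"
    return "ok"


if __name__ == "__main__":
    lo, hi = resistor_window()
    print(f"usable window: {lo:.0f} .. {hi:.0f} ohm")
    for r in (30, 470, 560, 3300):
        print(f"{r:5d} ohm: I={series_current(r) * 1e3:6.1f} mA  "
              f"Pz(no load)={no_load_zener_power(r):.2f} W  "
              f"Pr={resistor_power(r):.2f} W  -> {evaluate(r)}")
```

With the assumed load the window comes out at roughly 57 to 725 ohm, so 30 ohm pushes nearly 1 W through the zener and 2.5 W through the resistor when the button is pressed with nothing on the bus, while 3k3 cannot deliver 10 mA at 3.3 V at all. Change ILOAD_MAX and PZ_MAX to the parts you actually have before trusting the verdict.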
Maybe shrink it down to use an SMD ATtiny85 and you could have an even less suspicious biro…
For US USAers, “biro” is the standard non-click Bic pen; it even has “Biro” printed on it.
Even stranger, it’s called “Biro” after Baron Biro, the inventor of the ball point pen – according to the French, at least.
Thank you Ren ^=^
Is there an updated schematic anywhere? One that is ‘truly’ correct, with correct values and correct connections? I know this is old… and yes, I read that Onity has released hardware/software patches. I have an ATmega328 DIP sitting here and I want to make one, but I don’t want to use bogus/fake/erroneous schematic plans.
So, errors/fixes:
1.) The 30 ohm resistor is KAKA… it needs to be… what? (not 3.3k… too small?) but a 470 ohm is OK/correct? (bigger than the 3.3k which is arguably too small?)… huh?
2.) 3.3 V to pin 3? or pin 5? (which is it?) :)
3.) The 5.6k resistor ‘should be used to pull the barrel high’… which means what? That the 5.6k resistor should NOT be between the barrel and pin 3, but between the barrel and the +3.3 V source/trace? And the trace/connection from the barrel should go from BETWEEN the 5.6k resistor and the barrel to >>>> pin 5?
Would this be a more ‘accurate’ schematic then?
http://dmstudios.net/misc/onity_door_lock_schematic.jpg
Also, I’m curious as to how they are getting a 16 MHz Arduino to work at only +3 V?
thanks!
The schematic on the main site has been fixed and is correct now. It works on 3 V because the zener acts like a voltage regulator. The chip will work on 3 V.
Thanks…
What main site schematic are you referring to, then?
This one: http://blog.spiderlabs.com/2012/10/pentesting-hotels-with-pens.html
I don’t see the barrel being pulled up/high.
I still see a 30 ohm resistor being used.
I still see pin 3 being used.
None of this reflects ANY of the comments made about the accuracy. Please elaborate/provide some links/facts?
Thanks
I also do not see/understand several things:
1.) A 16 MHz crystal running at 3.3 V? Huh? I thought it had to run at +5 V to be at a 16 MHz clock?
2.) If you are running a 16 MHz clock/crystal, where are the caps? Aren’t those needed for precise timing?
3.) Is D3 or D5 used? If you read the comments all over, it differs.
The schematic shows D3, but comments say ‘error’, should be D5?
PD3 is correct, which is pin number 5.
30 ohm will work, not ideal.
16 MHz will work.
It’s basically a shrunk-down complete Arduino on a 3 V regulator. Use a full Arduino if you want.
I have built two of these just using Arduinos; both work great. I have bought black hobby boxes from RadioShack to house them. I really wanted to make one of these marker builds but no one can come up with/make the correct schematics.
I know it has been a while, but if you built two that are working, then I presume you HAVE the correct schematics.
I’m trying to learn to make, use and understand the technology that makes this device work, but it is not to steal stuff from random people; it’s because I am prone to becoming homeless and it gets cold outside.
How does one plug in the Arduino and save the data so you can later go home, retrieve the sitecode which was saved, and write the site code to a bunch of key blanks?
1) The circuit shown is correct and has been fixed. You could stick with the 30R resistor, and it would work.
2) The actual source info is here: http://demoseen.com/bhpaper.html
3) The initial guy used PCB connector #3 in the code, but on a bare 328 that is chip pin 5.
https://www.arduino.cc/en/uploads/Main/Arduino_Uno_Rev3-schematic.pdf
It would be safer to use an 8 MHz xtal, but make sure you set 8 MHz in the settings during programming.
4) The best way I found is to use an Arduino Pro Mini 3.3 V version: https://www.arduino.cc/en/Main/ArduinoBoardProMini
https://www.arduino.cc/en/uploads/Main/Arduino-Pro-Mini-schematic.pdf
You can see output 3 (D3) is PD3, or chip pin 1. This has an on-board regulator, and the reset button starts the process.
5) In relation to the site code extraction, it should be possible by modifying the code. I looked at it briefly before, but after it is saved, it immediately overwrites it to create the open string. You would need to not do that, or save a copy. Writing blank mag stripes is an expensive business.
In terms of testing it, many hotel systems seem to be upgraded and no longer vulnerable. You may be able to get old locks for sale online, but be sure to get the seller to pre-program them and supply a working card. The Onity programmer costs thousands, and with no program they will not open. They forget the program with battery removal, so don’t remove the battery! I had a spare for a few years for testing. You could also borrow one from a hotel door!
1) The circuit shown on his site has been changed for a third time and again is wrong.
The code is written for Arduino connector D3, which is 328 chip pin 5 (curious minds is right).
https://www.arduino.cc/en/uploads/Main/Arduino_Uno_Rev3-schematic.pdf
The barrel wiring is now correct. Basically the 560R goes between the centre pin and the 3.3 V supply.
You could stick with the 30R resistor, and it would work; higher might be safer.
It would be safer to use an 8 MHz xtal, but make sure you set 8 MHz in the settings during programming.
2) The actual source info is here: http://demoseen.com/bhpaper.html http://demoseen.com/bhtalk2.pdf
3) The best way I found is to use an Arduino Pro Mini 3.3 V version: https://www.arduino.cc/en/Main/ArduinoBoardProMini
https://www.arduino.cc/en/uploads/Main/Arduino-Pro-Mini-schematic.pdf
You can see output 3 (D3) is PD3, or chip pin 1. This has an on-board regulator, and the reset button starts the process.
4) In relation to the site code extraction, it should be possible by modifying the code. I looked at it briefly before, but after it is saved, it immediately overwrites it to create the open string. You would need to not do that, or save a copy. Writing blank mag stripes is an expensive business.
Even fixed, there are probably encryption flaws where site keys may be extracted from room keys. See the talk details.
Usually, an erase marker is used to open all hotel room doors. I have heard people several times talking about the erase marker: if the hotel room door does not open, you should use it. Thanks for sharing.
Does anyone have an idea where I can buy one? I have one but it doesn’t work properly; I don’t know why. Or is there a possibility to connect the device to a PC to update it?
Does anyone have the code?