Black Hat: Hotel Keycard Lock Picking In Under 200ms

H

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
Imagine what something like this could be used for in a town like Las Vegas. :eek:

Tuesday night at the Black Hat security conference, Cody Brocious, a Mozilla software developer, presented My Arduino can beat up your hotel room lock. “I plug it in, power it up, and the lock opens,” Brocious said. Onity locks have a DC power port under the keycard lock, so Brocious plugged his Arduino microcontroller into that port and was able to read the 32-bit key stored in the lock’s memory location. There’s no easy fix either, short of Onity physically changing every single lock as the lock is insecure by design.
Click to expand...
 
Wow, hotels pay thousands of dollars for each one of these, and wammo, easy hack.

I really hope the DC power port wasn't also an I/O port, either way, I'm sure a 9v battery could assist you even if there isn't a power source
 
One time at a hotel with the cards I went to the wrong door by mistake and swiped the car. The door opened and some guy was in there watching TV. :eek:

Lucky for me his back was to the door and he didn't see me. My door was only two doors away.
 
My work just went out and tested it out on our locks, it didn't work,
BUT we have the commercial model, which the hack wasn't tested on.
We are still looking into the issue.

In the presentation they hadn't tried commercial model yet, (but said it should work) has anyone else got it to work on a commercial model?

FYI each individual lock we get costs around $270, the database upgrade would cost us around $7000.
.
 
to making $$$$$ by shorting Onity's stock--if there were such a thing. I checked--its a privately held company.... Good article nonetheless. Just goes to show another of the assumptions we all make in our lives that aren't particularly good ones.
 
Wouldn't a quick work-around be to physically block said port? is the port on the non gam side/top/bottom of the unit;

get a machined 1"x3"x~1/2"-1"(depending on how far out the door unit goes) bar, 2 ~2 1/2" screws. tap & thread holes halfway into the bar. position bar next to where port is drill 2 holes thru door at the hole positions on bar, screw in screws from the inside of the door into the bar blocking the port. it would take ~3 minutes per door to make it so noone can access "easily"
 
lenardo said:
Wouldn't a quick work-around be to physically block said port? is the port on the non gam side/top/bottom of the unit;

get a machined 1"x3"x~1/2"-1"(depending on how far out the door unit goes) bar, 2 ~2 1/2" screws. tap & thread holes halfway into the bar. position bar next to where port is drill 2 holes thru door at the hole positions on bar, screw in screws from the inside of the door into the bar blocking the port. it would take ~3 minutes per door to make it so noone can access "easily"
Click to expand...

Putting aside the looks, and the cost of the matter.
Door our updated more often then you would think, most due to humans reasons thought. To remove the quick fix each time i need to change a locking plan, from 8am -7am would be a pain. Sometimes they are hard wired in so this wouldn't be an issue. But if you didn't have your place wired like we do, then you need that port.

At my company alone we have 1800 locks, if you start on your fix now we would get done at around 3.75 days :). In any case, that would work, but sadly is impractical.
 
You must log in or register to reply here.
Back
Top