1. Welcome! Please take a few seconds to create your free account to post threads, make some friends, remove a few ads while surfing and much more. ClutchFans has been bringing fans together to talk Houston Sports since 1996. Join us!

  2. Watching NBA Action
    Come join Clutch as we're watching live James Harden and the Clippers take on Luka Doncic and the Mavericks...

    LIVE: NBA Playoffs!
    Dismiss Notice

Hotel keycard lock picking in less time than it takes to blink...

Discussion in 'BBS Hangout' started by Xerobull, Jul 25, 2012.

  1. Xerobull

    Xerobull You son of a b!tch! I'm in!

    Jun 18, 2003
    Likes Received:

    Las Vegas -- If you are currently in Las Vegas for the Black Hat or Def Con security conferences, or any hotel for that matter, when you closed and locked your hotel door, heard it click, then you probably believed that you secured your hotel room. Eeenk! It, and four to five million other Onity keycard-protected hotel rooms, can be hacked with open-source hardware costing about $20. What’s more, any hacker, thief, stalker . . . or someone from the government, only needs 200 milliseconds for such untraceable access.

    Tuesday night at the Black Hat security conference, Cody Brocious, a Mozilla software developer, presented My Arduino can beat up your hotel room lock. “I plug it in, power it up, and the lock opens,” Brocious said. Onity locks have a DC power port under the keycard lock, so Brocious plugged his Arduino microcontroller into that port and was able to read the 32-bit key stored in the lock’s memory location. There’s no easy fix either, short of Onity physically changing every single lock as the lock is insecure by design.

    Need another reason to care about this hack? How about privacy and security? “With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” Brocious told Forbes. “An intern at the NSA could find this in five minutes.”

    Brocious explained in his Black Hat research paper:

    While there are a number of special cards, the most important ones for this discussion are the programming card and spare card. When a programming card is introduced into a door followed by a spare card, the spare card becomes the guest card for the door.

    Programming cards and spare cards are generally created in case of encoder failure, so that guests can continue to check into the hotel when normal keycards cannot be made. However, they introduce a new risk in that if programming cards can be created, any door in the hotel can be entered.

    It should be noted that while programming cards are encrypted with the sitecode of the property, much like any other card, the spare cards are not encrypted whatsoever and simply contain an incrementing value.

    You don’t need the big bucks to exploit this vulnerability; it’s low budget lock picking as the hardware only costs about “$20 or less from Radioshack.” There’s no firmware upgrade, so until Onity takes action by changing these insecure-by-design locks, anyone can pull off this high-tech hack in about 200 milliseconds which is less time than it takes to blink. It does not work on all keycard locks, but Onity better get on it and fix it. While Brocious doesn't intend to take it further and figure out how to make it work on all hotel keycard locks, that doesn't mean someone else won't or doesn't already know how.

    Brocious suggested possible fixes so the next round of Onity locks will hopefully not be so easy to exploit for voila instant hotel room access. You can read more about this hack since Brocious has posted his research paper and slides [PDF]. “Happy hacking,” he said.
  2. 713

    713 Member

    May 6, 2011
    Likes Received:
    1 person likes this.
  3. Yonkers

    Yonkers Contributing Member

    Jun 19, 2002
    Likes Received:
    Sweet. More videos of Erin Andrews to come.
  4. conquistador#11

    Jun 30, 2006
    Likes Received:
    it seems to complicated. I will just go nfl player and pull the fire alarm and break through the window.
  5. ScubaSteve

    ScubaSteve Member

    Jun 2, 2012
    Likes Received:
    Yup exactly what i was thinking :)

Share This Page

  • About ClutchFans

    Since 1996, ClutchFans has been loud and proud covering the Houston Rockets, helping set an industry standard for team fan sites. The forums have been a home for Houston sports fans as well as basketball fanatics around the globe.

  • Support ClutchFans!

    If you find that ClutchFans is a valuable resource for you, please consider becoming a Supporting Member. Supporting Members can upload photos and attachments directly to their posts, customize their user title and more. Gold Supporters see zero ads!

    Upgrade Now