A security bug in the locks fitted to hotel room doors is suspected of being the point of entry for thieves pilfering hotel rooms.
According to Forbes, several visitors to various Texas hotels have fallen victim to theft, but the thief leaves behind no evidence of entry. There is definitely no forced entry.
Management at one of the affected hotels confirmed that the door locks were not picked, and records indicated they were not opened with a key carried by any hotel staff. Suspicion has turned to a security flaw that was exposed by a software developer at a conference that took place last summer.
Prior to these thefts, the flaw was a "theoretical intrusion". Although this has not been confirmed by authorities, who have arrested a suspect in at least one of the hotel thefts, hotel management believes it was the method of entry to the rooms.
The theoretical intrusion referred to by Forbes is a presentation given by Cody Brocious, 24, the software developer who had demonstrated the exploit. Brocious had reverse engineered the hotel door locks, made by a company named Onity, and outlined the procedure at the Black Hat hacker conference in July 2012.
Forbes reports, "Brocious showed it was possible to insert the plug of a small device he built with less than $50 in parts into the port at the bottom of any Onity keycard lock, read the digital key that provides access to the opening mechanism of the lock, and open it instantaneously."
The problem now is that millions of hotel rooms across the globe have Onity locks installed, and a fix is going to be expensive for the hotels. It seems there are two options for each hotel door: a new circuit board that addresses the flaw, or a plug installed in each port.
Onity also reportedly wants its customers (hotels) to pay for the fix.
Some hotels have configured and implemented a temporary fix that plugs up the port in each hotel room door with a glue-type substance.
[Note: Onity's original response does not appear to be on its website any longer; the full statement can be found here.]
Brocious warned in August when he posted Onity's response:
Given that it won’t be a low cost endeavour, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger. If such a significant issue were to exist in a car, customers would likely expect a complete recall at the expense of the manufacturer. I can’t help but feel that Onity has the same responsibility to their customers, and to customers staying in hotels protected by Onity locks.
Brocious received some criticism for not going directly to the company, which is often a matter of debate when security flaws of any nature are exposed. The software developer said that the exploit is so simple that thousands of criminals could possibly have already been using it for years.
"An intern at the NSA could find this in five minutes," Brocious had said.
What do you think? Will these flaws in hotel room locks make you think twice when traveling?