A hack for opening hotel room keycard locks, developed and demonstrated in July by 24-year-old security researcher Cody Brocious, has already been perfected.
Lock manufacturer Onity originally dismissed the trick as "unreliable and complex to implement," but based on YouTube videos, photos and testimony online, it's much easier than they thought.
At this summer's Black Hat security conference, Brocious showed off a device he'd built for under $50 that plugs into the data port on the underside of widely used Onity keycard locks. Once he powered it up, the lock clicked open. Brocious said that because of a timing issue, his device didn't work every time. When Forbes reporter Andy Greenberg accompanied Brocious to various hotels, the device opened one out of every three locks he tested.
But now, according to Forbes, hackers who copied Brocious' device from the instructions that are readily available on his blog are having no trouble opening lock after lock after lock. One hacker actually asked Brocious (who obliged) to help him work out the kinks while another said his own homemade device worked flawlessly on the first five locks he tried.
For Onity, whose locks secure between 4 and 5 million hotel rooms around the world, this is really bad news. To their credit, the lock manufacturer quickly came up with a couple of solutions to fix the problem, but that fix will be slow to implement for a few reasons.
First, shoring up Onity's locks will require the installation of new hardware. The company is providing data-port caps to its customers free of charge, but it will be up to each hotel to order and install the new components. Second, the real fix, which Onity somewhat disingenuously calls a "firmware" update and which will not be available until the end of the month, requires physically installing new chips inside each lock. Furthermore, Onity's customers, the hotels, are being told they'll have to shoulder the cost. Left to their own discretion and timetable, many hotels will likely put off updating their locks, leaving their guests at risk and doing little to give Onity's brand a much-needed boost.
Onity has removed the details of the security fixes from their website and has posted a customer service phone number in its place.
The lock company took some heavy criticism for its response, even from Brocious himself, who took to his blog and said, “If such a significant issue were to exist in a car, customers would likely expect a complete recall at the expense of the manufacturer … Whether they have such a responsibility from a legal point of view or not, I can't say; but from an ethical point of view I believe they do.”