Criminals in the Phoenix area are stealing hotel guests' belongings by exploiting a known flaw in electronic room-lock software, demonstrating how an unpatched vulnerability can have real-world consequences.
Police said the hotel-room hack, which works against an estimated 4 million keycard locks made by Onity, was used in a spree of crimes in several Arizona cities, including Phoenix, Mesa, Scottsdale and Tempe, KNVX-TV reported on Tuesday (May 14).
Thieves reportedly stole thousands of dollars' worth of valuables from hotel guests, including wallets, electronics, clothing and at least one suitcase.
"Since the room was completely cleared out, I thought I went into the wrong room," airline pilot Ahmiel Fried told KNVX-TV after his iPad, laptop, passport, suitcase and pilot's uniform were taken from his room at a Tempe hotel.
Fried told KNVX-TV the hotel refused to compensate him for the stolen property because hotel staff were not involved.
The Houston area experienced a spate of similar hotel-room break-ins in September 2012.
The vulnerability first came to light last July, when security researcher Cody Brocious showed off an inexpensive device he'd built to open Onity locks at the Black Hat security conference in Las Vegas.
Based on a $30 hobbyist circuit board made by Arduino, Brocious' gadget plugged into a data port on the lock's underside and opened it in about one-third of his attempts.
After Brocious' demonstration, how-to videos began to surface on YouTube.
Onity, a Duluth, Ga.-based subsidiary of United Technologies, originally responded to the revelation by calling the hack "unreliable and complex to implement."
… to reality
After a number of people were able to replicate the trick with a fairly high rate of success, Onity offered its hotel-industry customers a fix, but with a catch.
For free, the company offered its clients plastic caps to cover the data ports. Security experts pointed out that a screwdriver could remove the cap.
Onity also offered to replace parts of each lock to permanently eliminate the security flaw, but said its clients would have to foot the bill.
Last fall, the hacking device was miniaturized to fit into what looked like a dry-erase marker. Reports surfaced of the hack's use in Houston-area hotel-room break-ins, and Onity began to cover part of the cost to permanently upgrade its locks in larger hotel chains.
But not all of Onity's clients appear to have gotten the message. A "Today" show piece that aired in early December found hotel owners who said they had not been informed of the vulnerability.
"Onity places the highest priority on the safety and security provided by its products," the company said in an official statement provided to TechNewsDaily. "Onity has shipped 4.9 million solutions for locks to hotel properties. Hotels that haven't implemented these solutions should do so immediately. Customers who require assistance can call Onity’s dedicated customer assistance line at 1-800-924-1442."
A service representative told us that the plastic cap to plug the data port was free. A circuit-board replacement that would permanently fix the problem would cost $11 for each lock manufactured before 2005, but was free for locks manufactured afterward.
No matter where you're staying, or what kind of lock is on your hotel-room door, it's a good idea to put all your valuables in the in-room safe before you leave the room. If there's no safe in the room, ask to use the hotel's main safe.
At night, be sure to turn the privacy deadbolt and use the door chain.