Key cards may be a convenient way for hotels to issue room keys, but a bug in one popular model made it convenient to electronically pick the locks. An override code to open doors was programmed into the locks, making them easy to open after a quick shopping trip to RadioShack. One man took advantage of this bug and used it to gain access to rooms across the country, stealing stuff from hotels and guests alike.
In an excellent feature story in Wired, you can learn the slightly horrifying story of how tens of millions of electronic locks in hotels have an easily exploitable flaw, but the manufacturer has no way to push an update out to all of them. Years after the flaw was discovered, many of them still haven’t been fixed.
“Like a ghost”
A man in Arizona had learned about the exploit from a TV news item just as he was about to be sent back to prison on charges that he thought had been dismissed. His crimes until then were minor forgeries and driving under the influence, and he decided that if he was going to prison for six years, he should do something that (to him) really merited that kind of sentence.
The first time he gained access to a room using his door-opening gadget, he just stole a pile of towels and pillows, not ready to risk stealing televisions yet. Eventually, he moved on to stealing multiple room TVs as well as guests’ stuff. Police and hotels were mystified.
He began entering empty hotel rooms during the day, at first un-bolting and removing hotel-owned TVs, but eventually making off with customers’ electronics, jewelry, and entire suitcases. Who looks twice at a person wheeling a suitcase down a hotel hallway?
“Everything’s gone. No prints. No forced entry,” a detective in Tempe, AZ, one of the cities that the hotel hacker first hit, told Wired. “It was like a ghost had slipped in and slipped out.”
He grew bolder, eventually stealing a guest’s luggage while the man napped in his bed during the day. Meanwhile, the maker of the popular door lock model, Onity, began to take the threat seriously and realized that it needed to pay for some kind of fix, and began sending plugs for the data ports on each door. The hotel hacker figured out how to remove the lock’s cover and get rid of the plastic piece blocking his access.
The hotel hacker was eventually caught, pleading guilty to three of what he claims are at least a hundred hotel burglaries. He was sentenced to nine years in state prison in Arizona.
Watch your bags
Five years after his spree began, though, there are still exploitable Onity locks around. If you see an open port that looks like it could take a DC power plug on your hotel room door, maybe take anything irreplaceable in your room with you, or lock it in a safe.
Normally, when a security researcher shares this kind of exploit with the world, as the man who discovered this issue did at a hacker conference and even a mainstream media article, the company responsible rushes to fix the problem before anyone can begin a nationwide crime spree.
Onity, the lock-maker, put that expense on the hotels that use its lock instead. Replacing the relevant part in each of its locks cost around $25 per lock, with tens of millions of locks installed.
As a result, there are still plenty of exploitable locks around. Watch your back. Or, we should say, your bags.