Hotel Lock Company Wants Hotels To Pay For Fixing Their Hackable Product
from the and-probably-will-next-time,-too dept
Picture yourself on vacation. You leave your hotel room, listening to the fully-licensed music in the lobby on your way out. You make sure not to ask the hotel staff for anything as you leave, lest something called a PARFF come after you. And as you're out frolicking on the beach, sucking in that gut and puffing out your chest (asexual insults FTW!), Zero Cool takes a small electronic device that costs less than your average Electronic Arts videogame and hacks your hotel room's lock, giving him access to all the tourist crap you bought in the past three days.
Now, I know what you're thinking. You're thinking that this couldn't possibly happen. After all, Johnny Lee Miller is probably still too busy spinning in place from the speed with which Eli Stone was cancelled after two seasons (and again, I'm reminded that Firefly lasted one. Sigh…) to be stealing stuff from your hotel room. And besides, it can't be that freaking easy to hack into a hotel lock, can it?
Yes, it can. Forbes has the story of hotel lock-maker Onity's reaction to Cody Brocious revealing at a Black Hat security conference how to hack the company's locks (found on over 4 million hotel room doors) with $50 worth of equipment.
The company’s response to that epic security bug has two parts–a quick fix, and a more rigorous one, both of which it plans to make available by the end of August: First, it’s issuing caps that cover the data port Brocious’s hack exploited, which can only be removed by opening the lock’s case. To further stymie hackers who would try to open the locks and remove that cap, it’s also sending customers new, more obscure Torx screws to replace those on the cases of installed locks.
The second fix is more substantial: Onity will offer its customers new circuit boards and firmware that ostensibly fix the problems Brocious demonstrated.
Not bad, right? We've certainly seen companies in the past react poorly when shown the security flaws in their products, attempting to silence those that point them out rather than just fixing the problems. So this would seem to be a step in the right direction, yes? Maybe, except for this:
But Onity is asking owners of some models of its locks of some to pay a “nominal fee” for the fix, while offering others “special pricing programs” to cover the cost of replacing components. It’s also asking its customers to cover the shipping and labor costs of making hardware changes to the millions of locks worldwide.
That's ridiculous. Onity sold hotels a product that had one job to do: keep the wrong people out of hotel rooms. The product does the job so poorly that $50 worth of equipment and a little technical know-how defeats it entirely. And now you want customers to pay to fix your bad device?
Even Brocious himself pushed back on Onity's statement.
Brocious criticized Onity’s move to put the financial onus for the fix on its customers after selling them what he’s described as fundamentally insecure products. While the free mechanical cap solution could create hurdles for hackers, he says that’s only a partial fix replacement until the lock’s circuit boards are replaced–something that’s not likely to happen if it requires millions of dollars in costs for Onity’s customers. “This will not be insignificant, given that the majority of hotels are small and independently owned and operated. Given that it won’t be a low cost endeavour, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger,” he writes.
It's an especially bizarre move in terms of public relations. How quickly do you think word will get around to other hotel owners, particularly small independent hotels, about how Onity designs their locks and treats their customers? This could be a win for Onity, if they go out of their way to properly fix their flawed product, but instead they appear to want to turn this into a double-dip of bad business.