Onity Wins: Hotels That Bought Their Easily-Hacked Door Lock Can't Sue According To Court

from the locked-in dept

A couple years back, I wrote about the curious case of Onity, a company that makes door locks for hotel rooms. Thing is, their locks fail to do the one thing they’re supposed to do, as shown when one man at a Black Hat security conference used a cheap device to access the lock’s dataport and cause it to unlock. The idea was that a lock that is defeated by equipment that costs pocket change isn’t so much a lock as it is a decoration. Onity, in the company’s infinite wisdom, claimed the long term fix, a new system board, was available to its customers…for a price.

A class action’s worth of hotels weren’t satisfied with paying twice for the same product just to make it work, so they filed a lawsuit. That filing was recently rejected by a judge using some awfully strange logic.

The court’s decision turns on three key facts. First, the plaintiffs didn’t allege any actual security breaches; the court says they are suing “only for the costs of preventing future unauthorized access.” Second, each lock still works in the sense that it “still performs the functions of locking the door upon closing it and unlocking it upon insertion of a properly-coded key card….the locks do not begin to fail on their own upon installation, nor are they all ‘doomed to fail’ eventually.” Third, the court says any future security breaches “could occur only if third parties engaged in criminal conduct to enter Plaintiffs’ hotel rooms.”

Let’s deal with these in order. Onity’s lock has a gaping security hole that’s laughably easy to exploit. For anyone with fifty dollars in their pockets, the lock might as well not be there at all. The very nature of the condition of the product is a breach and, in any case, it is at least easily understood as a product that doesn’t perform its basic functions, which is what makes the second claim by the judge so galling. Deciding the lock “works” by the most childish evaluation possible is insane. The lock either performs to industry standards or it doesn’t, and this one doesn’t. As for the argument that a cheap lockpick can also defeat a hardware lock, there is an important difference here, I think. A hardware lock is limited in terms of a fix by its very nature, whereas Onity is proclaiming that an electronic fix does exist for its electronic lock; it only wants hotels to pay for the pleasure of having their product work properly.

As for that last claim: what sort of insane world do we live in when a manufacturer that makes a product designed to prohibit illegal behavior can get out of paying to repair its product that doesn’t stop illegal behavior because the behavior its product isn’t stopping is illegal? An alarm system that fails to alarm when criminals break into a building isn’t protected by the fact that the break-in is illegal.

The whole ruling appears to be a case of an ill-informed judge, one that may have unfortunate consequences in other areas of the law.

The court instead analogized Onity’s situation to data breach cases like Reilly v. Ceridian, where consumers’ personal data is stolen but consumers can’t show directly attributable adverse consequence from this theft. I understood the analogy: just like consumers might fear future harm from identity theft, hotels might fear harm from future breaches of their locks. However, this analogy doesn’t work very well. While there aren’t many actions consumers can take to proactively protect their data after a data security breach (even credit monitoring isn’t particularly useful), everyone benefits if the hotels proactively remediate this problem.

This ruling could help defendants in future privacy violation cases. First, if lock buyers lack standing when a physical object fails to perform its basic function, plaintiffs with more abstract data-related risks shouldn’t either. Second, if the risk of future third party criminal behavior doesn’t count as an injury, data breach victims’ purported concerns about future data misuse (like identity theft) are also irrelevant.

Thankfully the ruling is being appealed, so hopefully a future court will get this corrected, but keep in mind that all this is the result of a lock company that makes locks that do not lock if someone comes along with fifty dollars worth of low-end technology. Happy traveling, readers….


Comments on “Onity Wins: Hotels That Bought Their Easily-Hacked Door Lock Can't Sue According To Court”

55 Comments
That Anonymous Coward (profile) says:

I wonder how much of this is caused by the ‘voodoo’ view of technology that seems to be prevalent in the courts.

Comparing a lock system to a data breach is akin to those people who opt to sue Google when a website makes them sad.
Google has nothing to do with it, but because Google is synonymous in many people’s minds for a catchall for the internet in general they proceed.

Onity has pretty much made sure that they aren’t going to continue to have Hotels as customers, and one would expect that future contracts will have specific terms talking about upgrades, costs, and the limitation of how long they will provide those upgrades.

Once upon a time, I swear, companies would do the right thing without requiring lawsuits to attempt to make it happen. Now one has to think of all of the possible angles that one can sue over.

nasch (profile) says:

Re: Re:

Onity has pretty much made sure that they aren’t going to continue to have Hotels as customers,

It seems to me that’s the most important outcome here, more important than how this case is determined. These hotel chains should make sure to spread the word, and not just to hotels, that nobody should ever buy Onity products because A) they suck and B) Onity doesn’t stand behind them.

Anonymous Coward says:

Re: Re:

“Onity has pretty much made sure that they aren’t going to continue to have Hotels as customers”

and I think this is a good reason why the free market capitalistic solution isn’t necessarily a bad thing to allow to happen without necessarily involving the courts. If your products and services suck you will get that sort of reputation and you will lose customers.

To address the OP

“The very nature of the condition of the product is a breach”

I think this really depends on how the product was advertised. Hard locks aren’t perfectly secure and, for a cheap price, they can reasonably easily be circumvented. They can be picked and doors can be broken into. Though at least breaking in leaves evidence of forced entry which can alert someone returning to their apartment that someone might still be in there so that they can call the cops and it can warn someone already inside that someone is trying to break in giving them time to respond and call the police/hotel security. In this case someone might be able to get in without leaving evidence or perhaps even sneak in quietly and sneak up on people.

Then again it’s also shady for a company to have a defect in their product and charge to have their product fixed. That’s kinda like a car manufacturer having a defect and then charging drivers to fix it (and the extent that the law requires the manufacturer to provide a free fix may depend on the jurisdiction and nature of the defect. If it’s a safety issue the government will require the manufacturer to recall and fix it free of charge. If it’s something minor with the radio the law may not care).

I guess in this case the defect is in the core function of the product. Technically it may even involve safety (someone being able to sneak in your room without leaving evidence). But I think it really goes back to how the product was advertised and what kinda disclaimers were included in the fine print.

“As for the argument that a cheap lockpick can also defeat a hardware lock”

Again this goes back to how the product is advertised. If the product is advertised as being more secure than a hard lock and it’s really not then I would consider that a breach of contract. If, however, it was advertised as simply being a more convenient replacement for hard locks without necessarily being more secure (but being about as secure) then maybe not (then again who will advertise it like that?). You promised a product and didn’t deliver your product. It’s possible the product comes with some sorta agreement that no one reads or if anyone working at the hotel reads it they figure if there is a problem they will deal with it when it happens (ie: by exercising their ability to not buy from this manufacturer in the future if they don’t reasonably correct problems with their product).

hydroxide (profile) says:

Re: Re: Re:

“and I think this is a good reason why the free market capitalistic solution isn’t necessarily a bad thing to allow to happen without necessarily involving the courts. If your products and services suck you will get that sort of reputation and you will lose customers”

Except, of course, that the courts are there to get you back the money you paid for products not up to the advertised task. It’s just that the judge here doesn’t grasp what the task of a lock is.

“I think this really depends on how the product was advertised. Hard locks aren’t perfectly secure and, for a cheap price, they can reasonably easily be circumvented. They can be picked and doors can be broken into.”

Both of which require a certain degree of effort and know-how.

By that notion, hotels would all have primitive old keys which a standard piece of wire could defeat. After all, the judge clearly believes that the locks in a hotel are only there to thwart people too drunk to remember their room number, not actual thieves.

Anonymous Coward says:

One can buy a cheap mechanical lock for a few dollars or an expensive one for thousands.

What the hotel’s contractor did with the hotel’s approval was go to the lowest bidder and install accordingly.
What the hotel wanted was the expensive model at the cheap price.
What the judge did was to verify that you get what you pay for.

Manabi (profile) says:

Re: Re:

That doesn’t appear to be the case, the original Forbes article about the findings has this quote (emphasis added):

In fact, Brocious isn’t the only one who knows his tricks. His former employer, a startup that sought to reverse engineer Onity’s hotel front desk system and offer a cheaper and more interoperable product, sold the intellectual property behind Brocious’s hack to the locksmith training company the Locksmith Institute (LSI) for $20,000 last year.

From what I can tell, Onity is one of the major players in hotel locks (they also get used in student dorms on college campuses), so even if they are the cheapest, it’s not like they were buying crap from someone selling knock-offs out of the back of his car.

But hey, it’s easier to blame the victim and make assumptions than to actually check this stuff out, right?

nasch (profile) says:

Re: Re:

If they had claimed that they were injured because customers knew the locks were defective and therefore refused to rent rooms, maybe they’d have had a better shot?

That would be very difficult to prove. If everything is working correctly you have to actually demonstrate your claims in court, not just state them.

Anonymous Coward says:

Re: Re: Re:

Hmm. Well, you know what they have to do?

Wait until someone actually breaks into someone’s room, and THEN sue. The court essentially found that, because nobody had actually broken into anyone’s room yet, they didn’t have standing. Under this logic, a lock manufacturer could sell you a paperclip, and you wouldn’t be able to sue them unless you actually tried to use it as a lock and someone defeated it.

Or they should appeal, because the ruling makes no sense. The court says this is different from a case where a consumer has a defective car that hasn’t actually injured them yet, because the resale value of the car drops due to the safety defect. Well, doesn’t the resale value of a hotel that has locks that need replacing go down? (It shouldn’t matter whether any particular hotel is looking to sell at the moment – class action lawsuits against auto makers don’t require that every plaintiff be looking to sell their car at the moment either.)

Anonymous Coward says:

Re: Re: Re: Re:

“The court essentially found that, because nobody had actually broken into anyone’s room yet”

Or because no one used this method to break into anyone’s room yet.

and the precedent to sue for actual, and not hypothetical, damages is a very longstanding precedent that often does make sense.

I suppose if someone does break in and takes something or causes damage the tenant harmed would have to sue the hotel and then the hotel would have to sue the lock manufacturer. I’m not so sure that’s the best legal setup, for the law to require the hotels to wait for something to happen before being able to recover damages. First of all the person suing the hotel will sue on the grounds that the hotel knew this thing had a flaw and didn’t act to correct it ahead of time. The court will rule in favor of the tenant under the grounds that the hotel should have fixed the problem ahead of time because they knew there was a problem. True, but the problem is with the manufacturer so it should have been the manufacturer that fixed it ahead of time but the law is not requiring that either. Kinda contradictory on the part of the law. Another problem with this is if someone can sneak in and take something without anyone knowing how do you prove damages? How do you prove something was stolen and that this flaw is the cause (I suppose you can use security cameras, fingerprints, etc. in some situations but security cameras may not be everywhere and there are problems with trying to use fingerprints to prove someone came in to steal something in a hotel room that probably had many guests and has everyone’s fingerprints everywhere).

Anonymous Coward says:

Re: Re: Re:2 Re:

“Kinda contradictory on the part of the law.”

and the reason this is contradictory on the part of the law is because it kinda requires that the hotels suffer the cost of repairing the flaw to avoid liability without being recouped those costs. Yes the hotel may be able to sue the manufacturer after being sued but what if the manufacturer went out of business by then? Even if they didn’t, suing the manufacturer requires an expensive lawsuit and is risky because they still run the risk of losing or being unable to collect even if they win. The only sure way to avoid liability and risk is for the hotel to pay for the flaw ahead of time.

That’s not to say I disagree with the ruling (I have mixed feelings about it). I also think there could be many potential problems with the courts ruling in favor of the hotels as well in the kinda precedent it could set for other cases.

RonKaminsky (profile) says:

Re: Re:

No, you forgot to add a loop of string and the toy lock from your 8-year-old’s diary… since either cutting the string or breaking the toy lock to get in the room is “criminal”.

This seems to be an interesting example of people overrating their own importance: the judge, in effect, is claiming that mere fear of the justice system (“Watch out, I’ll throw the book at anyone who hacks those locks!”) should be sufficient to secure a hotel room door.

WalkingInAWestyWonderland (profile) says:

Implied Warranty Anybody?

Wow. Whatever happened to implied warranty????

https://en.wikipedia.org/wiki/Implied_warranty

Saith wiki:
In common law jurisdictions, an implied warranty is a contract law term for certain assurances that are presumed to be made in the sale of products or real property, due to the circumstances of the sale. These assurances are characterized as warranties irrespective of whether the seller has expressly promised them orally or in writing. They include an implied warranty of fitness for a particular purpose, an implied warranty of merchantability for products, implied warranty of workmanlike quality for services, and an implied warranty of habitability for a home.

Anonymous Coward says:

Scumbags and greedsters REJOICE!

So if I hire someone to make a database for my company and I find out that they haven’t used the most basic security measures, allowing anyone to pull out data by just using a line of easy to find code; they can just charge me again for getting their shit up to standard?
Wow this is the next big thing if patent trolling fails. Do crappy work and get rewarded, totally legal.

Matthew A. Sawtell (profile) says:

This surprises anyone that has worked in the Computer Industry how?

This ‘business method’ has been the bread and butter of more than a few software makers for decades, as evidenced by the fine folks in Seattle and Silicon Valley. Hell, would have been interesting to see if there was ever a lawsuit like this against Microsoft or Oracle ‘back in the day’.

Anonymous Coward says:

Re: This surprises anyone that has worked in the Computer Industry how?

Microsoft or Oracle at least have the excuse that their software must run on hardware they don’t control and alongside software they don’t control. They can’t foresee every combination of software and hardware, so they can’t be responsible for every crash.

This lock company doesn’t have that excuse. It’s totally their lock, and it’s not just a problem with an incompatible door or something.

Microsoft also expressly disclaims, in its licensing agreement, all warranties including fitness for a particular purpose. (Not sure how it’s legal to tell the customer about a disclaimer AFTER they’ve paid money, but that’s a topic for another day.)

AND, Microsoft provides free security updates when it finds a security problem in its OS, rather than charging a fee like this company.

Lurker Keith says:

Re: Re: This surprises anyone that has worked in the Computer Industry how?

Microsoft may disclaim certain implied warranties, but that doesn’t mean those disclaimers are enforceable.

Every Microsoft license I’ve bothered to read (I don’t read them all, but I do read the odd one every once in a while; they also recently released a new set) also has language, probably required by Law, pointing out that some States don’t allow some disclaimers, so they may have rights other than those outlined.

Pegr (profile) says:

Re: Re: This surprises anyone that has worked in the Computer Industry how?

AND, Microsoft provides free security updates when it finds a security problem in its OS, rather than charging a fee like this company.

So Windows 8 was free? How about Windows 7? What about all the feature packs released over the course of a product’s life? Isn’t the decision to charge for new stuff kinda arbitrary?

Pegr (profile) says:

Don't agree

A lock is a control. Some are better than others. Better ones tend to be more expensive. None are perfect.

The lock in question was picked. But instead of revealing a physical technique to defeat the lock, a logical technique was revealed. Thing is, physical techniques are difficult to master, while logical techniques can be represented in source code that is trivial to copy, distribute, and alter. This is a type of freedom. It also increases the risks associated with locks subject to logical exploits.

Is it the fault of the manufacturer that a risk was presented that was ultimately exploited? Absolutely. To the point of liability? I’m not certain. How likely was the risk, to whom, and to what degree? Can you hold someone liable for failing to predict the future? And if so, to what degree?

Hotels that relied on the manufacturer to understand the risk are at fault for failing their due diligence.

Anonymous Coward says:

Re: Don't agree

Hotels that relied on the manufacturer to understand the risk are at fault for failing their due diligence.

I’m not sure I buy that. How does the hotel know that the lock has a security flaw? Should they hire their own security expert to examine the lock before they use it? Do you really think that this sort of extraordinary diligence is “due”?

Eldakka (profile) says:

Re: Re: Don't agree

Should they hire their own security expert to examine the lock before they use it?

If they are serious about security, then yes. The best bet would be to hire a security consultancy/contractor company to advise on and install an appropriate level of security lock. Then, if the lock fails like this, you sue that security consultant/contractor, as they were the ones who should have done due diligence on the lock.

Whatever (profile) says:

Re: Don't agree

In the end, since almost all door locks can be defeated in some manner, the question of security is in degrees. As you said, some are better, some are worse.

Bump keys, skeleton keys, wax molds, and about 100 other ways have been used to defeat regular locks. When in doubt, a boot or a properly used crow bar does the trick. It is just as easy to teach someone how to use a crowbar to pry a door open, and certainly many of the other techniques could be shown in a video or handed out in instructions that could be practiced and mastered by most people.

In all cases (including the Onity lock) it requires that you take steps beyond ordinary operations to “pick” the lock. Onity’s lock does what it is supposed to do in normal day to day use. Nobody can just open the door.

The judge correctly determined that while the lock was not the most secure product, that isn’t in itself a defect. If you could just take the handle and jiggle it a bit and have the door open, that would be a defect. The difference is clear as it gets.

Whatever (profile) says:

Really?

Let’s look at this a little more realistically, shall we?

Onity’s lock has a gaping security hole that’s laughably easy to exploit. For anyone with fifty dollars in their pockets, the lock might as well not be there at all.

You missed one point, very important: they have to have intention to break in. Door lock, no door lock, whatever – they need to have the intent to break the law and break in. Blaming the door lock company for people’s bad intentions is blatant misdirection.

Deciding the lock “works” by the most childish evaluation possible is insane.

Does the lock do all the things it said it would do? Does it lock? Does it unlock? You may think it’s childish to use the basic standards of a door lock, but there you go. See your first point, the lock only fails when people have bad intentions and are willing to take specific steps to break in. Otherwise, the lock works fine. By your definition, any manual door lock in the world that isn’t a shielded dead bolt is defective because you can open most of them with a credit card or similar. Are all of those locks defective as well?

what sort of insane world do we live in when a manufacturer that makes a product designed to prohibit illegal behavior can get out of paying to repair its product that doesn’t stop illegal behavior because the behavior its product isn’t stopping is illegal?

You have a basic flaw in your logic here. Door locks don’t prohibit illegal behavior, they at best can slow down, delay, or otherwise make it harder to commit an illegal act. However, almost any normal hotel room door can be kicked down or pried open with a crowbar. Again by your logic, the makers of the doors, the hinges, and the strike plates would all be legally responsible because an illegal activity can circumvent their product.

Look, I don’t think it’s really good that these guys made a product that is fairly easy to get around. However, there is a significant difference between knowingly putting out a defective product (ie, it didn’t lock at all, or would refuse to open) with one that is perhaps easier for thieves to break into (say like early VW door locks, mid 90’s Chrysler minivan door locks, etc).

Anonymous Coward says:

Re: Re: Re: Really?

And if the door to your house had a built-in flaw where you just had to lean slightly against the door in a certain spot and it would click open?
In this case you would of course have paid for a security door and the door company would be able to fix it in 2 minutes, but told you that if you didn’t want anything to happen to your stuff, you had to pay again to make the door work as you requested from the beginning.
The door performs its basic function: it opens and closes, locks and unlocks.

Whatever (profile) says:

Re: Re: Re:2 Really?

And if the door to your house had a built-in flaw where you just had to lean slightly against the door in a certain spot and it would click open?

That would be entirely different, because as a door lock, it’s a failure – it can be opened without any effort or ill intent.

The problem here is that as a door lock, their product works. It can only be opened if you are willing to “hack” it, using a tool to open it. It’s not defective in normal use.

It’s not just a question of the “basic function”, it’s the question of function in normal use. There is nothing in this that shows that this lock system doesn’t work properly.

Your example as a result is sort of meaningless, because this lock doesn’t just open if you lean on it or just touch it. You have to willfully take steps to bypass it, similar to slipping a credit card between the door and the jamb to force a lock. If you are willing to take physical steps to get around a lock, you can defeat almost all of them without spending very much money.

By what was alleged in this lawsuit, almost every door lock in existence is “defective” in some manner.

Just Another Anonymous Troll says:

Re: Really?

“You missed one point, very important: they have to have intention to break in. Door lock, no door lock, whatever – they need to have the intent to break the law and break in. Blaming the door lock company for people’s bad intentions is blatant misdirection.”
Why do you buy a door lock? Is it because it’s a nice decoration? No, you buy it to stop people from breaking in. You do state that door locks may not be successful at stopping every criminal, but their main function is a deterrent. If I’m a burglar, standing on your porch for twenty minutes fiddling with your lock, or beating down your door with a crowbar, is a dead giveaway that I’m a burglar and I will be caught. This door lock can be thwarted in seconds by a $50 gadget (and any burglar knows he can get at least $50 worth of loot from one room) and is therefore ineffective as a deterrent. The product is defective and hotels should not have to pay twice for a door lock that works.

nasch (profile) says:

Re: Re: Really?

If I’m a burglar, standing on your porch for twenty minutes fiddling with your lock, or beating down your door with a crowbar, is a dead giveaway that I’m a burglar and I will be caught. This door lock can be thwarted in seconds by a $50 gadget (and any burglar knows he can get at least $50 worth of loot from one room) and is therefore ineffective as a deterrent.

Most conventional locks can be opened in seconds with a bump key. What is the difference?

nasch (profile) says:

Re: Traditional locks and bump keys?

Should the purchasers of traditional locks be able to sue lock manufacturers because they can easily be opened by bump keys?

Good question. Is there a difference? Does it matter that it’s fairly well known that bump keys can open most locks? If that’s the important difference then would a lawsuit have been appropriate soon after bump keys were made available (I don’t know much about them or how long they’ve been around)?

Coyne Tibbets (profile) says:

Is this a surprise?

For 50 years, companies have been fighting consumer law in every avenue; fighting to establish their “right” to sell whatever crap they want, to consumers.

Now, it returns to bite them. Now the companies are getting the crap, and finding out that the laws they so determinedly gutted are now useless to protect their own interests.

This isn’t the first time this happened and it won’t be the last: Remember the China companies selling adulterated wheat gluten to the pet food companies? Same thing.

Coyne Tibbets (profile) says:

Re: Re:

No, actually the judge has it just right…just right in line with current consumer law. If your room gets burgled, guess what? You’re on your own buddy; it’s your loss. The hotel won’t have to pay and the judge won’t either.

The hotels wanted it that way, so they didn’t have to pay for people’s stuff burgled because they used poor quality locks and skipped such “superfluities” as security.

Now the hotels have been “burgled” by Onity and (Surprise!) Onity doesn’t have to pay for the hotels’ loss. What goes around comes around.

Anonymous Coward says:

I agree with most posts here on TechDirt, but I agree with the decision made in this case. Yes, the lock had an easily exploitable security hole, however it did in fact perform its function unless someone with malicious intent and some degree of technical skill took measures to break in.

Chances are the lock on the door on the front of your house has an easily exploitable security hole: a set of lock picks can be had very inexpensively and can be leveraged to open most common locks in short order. This doesn’t mean the lock is flawed or unusable – it just means that it’s not as secure as it could potentially be.

If someone found that the hotel door locks could be opened by inserting any blank key card or something like that, sure, they should be replaced at the manufacturer’s expense, because they don’t perform the intended function. That wasn’t the case here – breaching the lock required specialized equipment, even if inexpensive, that most people do not have immediate access to or know how to use.

My dad was a locksmith and passed on an adage that has stayed with me throughout my life and is applicable here: Locks only keep honest people out.
