The Epic Crime Spree Unleashed By Onity's Ambivalence To Its Easily Hacked Hotel Locks

(Mis)Uses of Technology

from the true-crime-story dept

Back in 2012, we wrote about Onity, the company that makes a huge percentage of the keycard hotel door locks on the market, and how laughably easy it was to hack its locks with roughly $50 of equipment. Surprisingly, Onity responded to the media coverage and complaints from its hotel customers with offers of fixes that ranged from insufficient (a piece of plastic that covered the port used to hack the door locks) to cumbersome (replacing the circuit boards on the locks entirely) and asked many of these customers to pay for these fixes to its broken product. Many of these customers wanted to sue Onity for obvious reasons, but a judge ruled against allowing a class action suit to proceed. That was our last story on the subject.

So… what happened? Well, Onity ended up springing for the fixes for some of their larger chain hotel customers, but not all of them. For the rest, it was on each hotel to decide to pay for the fix or not. Many, many of them absolutely did not and did nothing about the Onity locks on their doors, while those that did get the fix involving the plastic port cover quickly found out that the fix wasn’t much of a fix at all. To see the fallout from all of that, one need only look at Wired’s longform piece on the hellacious crime spree undertaken by one troubled young man, Aaron Cashatt, who managed to steal hundreds of thousands of dollars worth of stuff from hotel rooms using the afore-mentioned $50 worth of gear.

The entire post is worth your time, with its fascinating look into Cashatt’s background, the revelations of the Onity lock’s failures, and where those two stories converged. One of the key points in all of this was that even before Cashatt started his crime spree, everyone, from Onity to the hotel chains to any member of the public that cared to know, was aware of how laughably insecure Onity’s locks were, except that, for the most part, nobody bothered to do anything about it.

Instead of Brocious’ research protecting millions of hotel rooms from larceny-minded hackers, it served up a rare, wide-open opportunity to criminals. Soon other hacker hobbyists were posting YouTube videos of themselves demonstrating the vulnerability on real hotel doors, refining Brocious’ gadget to work far more reliably. One security researcher in Chicago managed to miniaturize the components of the lock-hacking device until it fit inside the body of a dry-erase marker, with its plug hidden under the marker’s cap. The attack became so notorious that it even made a brief cameo in the first season of USA Network’s show Mr. Robot.

But out of everyone who learned about the Onity keycard hack, only one person, perhaps, had the right mix of desperation, tech savvy, and moral flexibility to use it to its full criminal potential: Aaron Cashatt.

Cashatt saw a news segment about the Onity flaw and began to use his own hacking device to exploit it almost immediately. With equipment that cost less than a AAA video game, Cashatt began hacking into hotels, starting at a Marriott. While perfecting his hacking tool and managing to hide it in a sunglasses case that he kept slung around his neck, he worked a waiter job during the day and smoked meth and broke into hotel rooms at night. Using the tool, Cashatt would walk out of hotel rooms with everything the visitor owned and much of what was owned by the hotels as well, including not just towels and toiletries, but flat-screen televisions as well. After deciding to skip a court hearing, he took his show on the road, leaving his corner of Arizona and trekking to the Midwest, where the spree continued. Even when he was arrested on completely unrelated drug charges, police had no idea that the string of hotel room robberies in progress across the country was his doing. When he was carted back to Arizona and let out on bail, he went right back to work.

Now with no job to hold him back, Cashatt, his friends, and an on-and-off girlfriend spent the next four months hitting hotels at a frenzied pace, sometimes as many as four in a day…working his way methodically across central Arizona.

It was a month into that run that Onity began rolling out the plastic port-blocker fix to its locks. Onity had finally begun distributing this fix for free to at least some of its hotel customers. But this barely slowed Cashatt down. Instead, he used a screwdriver to open the panel of the door lock and was able to access the port once more, the plastic blocker circumvented. With enough practice, he was able to do this in under half a minute. He went right back to work, fencing stolen goods through a network of friends and a jewelry store whose owner he trusted. It was only after one of his friends got pinched that the police managed to get wind of just how big Cashatt’s operation had become. He once more hit the road and began breaking into hotels in Tennessee before trekking back west to California and hitting hotels there. It was there that the feds finally caught him, after he managed to steal an estimated half-a-million dollars worth of goods.

Now in prison, Cashatt doesn’t think much has changed.

“I guarantee you that if you tried this at some hotel in the Midwest, it would still work 19 out of 20 times,” he says. For that, he blames Onity’s negligence. “They just don’t get it.”

For its part, Onity remains opaque on how many fixes have been rolled out to how many hotel door locks, as well as exactly what form those fixes take, either the plastic port-blocker variety or an actual circuit board replacement. The fact that the company isn’t screaming about how many circuit board replacements its doled out should tell you all you need to know about the answer to that question. The Wired author himself tested it out and managed to get his own hacking tool to unlock a hotel door on his fourth try. This isn’t hard data of any kind, but with Onity itself ducking any kind of transparency, it’s the best that can be done.

What should stick out most to everyone about this story is how the flaws in Onity’s locks were uncovered only through the help of security researchers, oft maligned, whose work then went largely ignored. That willful ignorance allowed someone like Cashatt to go bananas on the hotel industry, all because Onity couldn’t be bothered to fix its flawed product.

Filed Under: aaron cashatt, fixes, hotel locks
Companies: onity