Hotel Lock Company Wants Hotels To Pay For Fixing Their Hackable Product

from the and-probably-will-next-time,-too dept

Picture yourself on vacation. You leave your hotel room, listening to the fully-licensed music in the lobby on your way out. You make sure not to ask the hotel staff for anything as you leave, lest something called a PARFF come after you. And as you're out frolicking on the beach, sucking in that gut and puffing out your chest (asexual insults FTW!), Zero Cool takes a small electronic device that costs less than your average Electronic Arts videogame and hacks your hotel room's lock, giving him access to all the tourist crap you bought in the past three days.

Now, I know what you're thinking. You're thinking that this couldn't possibly happen. After all, Johnny Lee Miller is probably still too busy spinning in place from the speed with which Eli Stone was cancelled after two seasons (and again, I'm reminded that Firefly lasted one. Sigh…) to be stealing stuff from your hotel room. And besides, it can't be that freaking easy to hack into a hotel lock, can it?

Yes, it can. Forbes has the story of hotel lock-maker Onity's reaction to Cody Brocious revealing at a Black Hat security conference how to hack the company's locks (found on over 4 million hotel room doors) with $50 worth of equipment.

The company’s response to that epic security bug has two parts–a quick fix, and a more rigorous one, both of which it plans to make available by the end of August: First, it’s issuing caps that cover the data port Brocious’s hack exploited, which can only be removed by opening the lock’s case. To further stymie hackers who would try to open the locks and remove that cap, it’s also sending customers new, more obscure Torx screws to replace those on the cases of installed locks.

The second fix is more substantial: Onity will offer its customers new circuit boards and firmware that ostensibly fix the problems Brocious demonstrated.

Not bad, right? We've certainly seen companies in the past react poorly when shown the security flaws in their products, attempting to silence those who point them out rather than just fixing the problems. So this would seem to be a step in the right direction, yes? Maybe, except for this:

But Onity is asking owners of some models of its locks to pay a “nominal fee” for the fix, while offering others “special pricing programs” to cover the cost of replacing components. It’s also asking its customers to cover the shipping and labor costs of making hardware changes to the millions of locks worldwide.

That's ridiculous. Onity sold hotels a product that had one job to do: keep the wrong people out of hotel rooms. The product does the job so poorly that $50 worth of equipment and a little technical know-how defeats it entirely. And now you want customers to pay to fix your bad device?

Even Brocious himself pushed back on Onity's statement.

Brocious criticized Onity’s move to put the financial onus for the fix on its customers after selling them what he’s described as fundamentally insecure products. While the free mechanical cap solution could create hurdles for hackers, he says that’s only a partial fix until the lock’s circuit boards are replaced–something that’s not likely to happen if it requires millions of dollars in costs for Onity’s customers. “This will not be insignificant, given that the majority of hotels are small and independently owned and operated. Given that it won’t be a low cost endeavour, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger,” he writes.

It's an especially bizarre move in terms of public relations. How quickly do you think word will get around to other hotel owners, particularly small independent hotels, about how Onity designs their locks and treats their customers? This could be a win for Onity, if they go out of their way to properly fix their flawed product, but instead they appear to want to turn this into a double-dip of bad business.

Companies: onity


Comments on “Hotel Lock Company Wants Hotels To Pay For Fixing Their Hackable Product”

43 Comments
That Anonymous Coward (profile) says:

Re: Re:

They weren’t worried for the years when they had reprogrammable locks… but never used the reprogramming feature until someone showed up with the proof that keys from months ago still worked on room doors.

I am sure some will try and play dumb about the problem just because having to spend money is bad for corporate America. Revenue, aka guests, just need to spend their money and not cause a fuss.

PRMan (profile) says:

Re: Re: Re:

I just got back from vacation and the hotel we were at couldn’t even be bothered to fix the lock we had, where I could open it simply by putting the handle down and giving it a light hit with my shoulder.

Looking at the wear patterns, it became obvious that they had installed the lock wrong so that it only partially caught, meaning that the lock had ALWAYS been susceptible to this kind of entry.

They “fixed” the lock by removing the metal plate and boring out the wood farther down the door. It did lock after that and was not susceptible to the light shoulder attack, but I think my story shows 2 things.

1. There really aren’t that many people trying to hack into hotel rooms.

2. They do the absolute minimum. Always.

That Anonymous Coward (profile) says:

Re: Re: Re: Re:

I totally agree on number 2; however, for number 1, without knowing where the hotel was and seeing if there was a history of thefts from that room, it’s hard to tell.

Many people on vacation don’t always notice things missing right away, and a smart thief can hit a room multiple times. People misplace smartphones all the time, they might assume they just left it somewhere rather than it was stolen.

There are lots of targets in the rooms of travelers that are not always apparent.

Anonymoose Custard (profile) says:

Re: Re:

It sounds simple, because it is.

The lock itself doesn’t use any encryption, and the cards use a very weak 32-bit encryption based on the site code. The lock itself exposes everything via the programming port on the bottom. When I say everything, I mean that includes the site code (the unique code for the hotel) and everything that’s in active memory.

Unlocking it is a simple matter of finding the sitecode and issuing an unlock request.

Beech says:

A+ Business Sense

Seriously, these guys are geniuses. Not only do they make money selling busted wares, they make money AGAIN fixing them! Imagine the potential!

“Hey McDonalds. I ordered a large Pepsi but you gave me a Big Mac instead. Could I get this rectified?”

“Why certainly valued consumer. I just need you to pay the $50 order correction fee and we can take another shot at providing you the food/beverage item you initially paid for and we promised we’d give you.”

“I would be outraged but I am too enamored with your unparalleled business savvy. Here, just take all my money.”

Anonymous Coward says:

I have to side with the company on this one. No lock will be 100% secure forever and if the company was required to R&D updates and provide them for free every time their product was hacked then they wouldn’t survive beyond the first release. What if they had just abandoned the product and released another product under the name “Crappy Hotel Lock 2.0”?

The hotels wanted locks and they got locks. Did they turn out to be crappy? Sure, but that’s what market research is for. Sometimes it happens. If I buy an analog watch (one that doesn’t distinguish between AM and PM) and later find out that I need to know morning from afternoon (someone turns off the Sun or I move underground for an extended period of time) do I get to demand a new watch? I bought a watch and I got a watch.

I don’t think they should have to provide free updates, but because they don’t have to, their willingness to do so would speak volumes about their commitment to quality and their customers. So why is it a big surprise that a company is out to make money?

Anonymous Coward says:

Re: Re:

I think further, the locks aren’t all that crappy. You have to remember that the locks in question have been sold for years, and even to this day, they continue to work as delivered and promised.

The locks aren’t broken or defective; however, someone did show a way that they can be abused, thus making them less secure. Should the company really be responsible for something like this?

Think about it. Cars are stolen all of the time. Do you think the car companies should be entirely responsible for the costs as a result of it being possible to hotwire a car, or at least tow it away?

Let’s not place an unfair burden on the lock company just because it’s an electronic slim jim instead of a flat metal one. That the solution is basically to replace the guts of the lock, and that they are selling it at a very low cost (like it won’t be a profit center for the company), makes it seem like a pretty logical conclusion.

Only in Techdirt world can a company doing the right thing get in trouble.

That Anonymous Coward (profile) says:

Re: Re: Re:

When a car has a massive design defect we make them recall them and repair them. *watches that go down in flames* We even let them write some of those costs off, but the end user isn’t charged.

The locks have a design flaw, that flaw is someone can make easy access to the circuitry and cheaply bypass it.

Locks by design are meant to be secure, and while it took a little while this design is flawed. The company decided to make their customers eat the cost of fixing their blunder, this seems like a bad thing to do. Word of these locks being bad is out there, so I can spend x on your cheap “fix” or spend even more to fix the real problem… or spend just a bit more and get an entirely different system from your competitor that doesn’t have this flaw. I bet they’ll even offer me a discount to switch.

Anonymous Coward says:

Re: Re: Re: Re:

Think about it. When news came out that most domestic locks can be opened by the “bump key” technique, we weren’t offered any discount for replacing insecure locks.

The locks themselves are not free to produce, so I think with charges applied it seems reasonable enough. At least they’re offering a huge price cut and not requiring you to pay the original price to buy the new ones.

Anonymous Coward says:

Re: Re:

“I have to side with the company on this one. No lock will be 100% secure forever and if the company was required to R&D updates and provide them for free every time their product was hacked then they wouldn’t survive beyond the first release. What if they had just abandoned the product and released another product under the name “Crappy Hotel Lock 2.0”?

The hotels wanted locks and they got locks. Did they turn out to be crappy? Sure, but that’s what market research is for. Sometimes it happens. If I buy an analog watch (one that doesn’t distinguish between AM and PM) and later find out that I need to know morning from afternoon (someone turns off the Sun or I move underground for an extended period of time) do I get to demand a new watch? I bought a watch and I got a watch.

I don’t think they should have to provide free updates, but because they don’t have to, their willingness to do so would speak volumes about their commitment to quality and their customers. So why is it a big surprise that a company is out to make money?”

You make it seem as if it is an Adobe Photoshop product where the company charges for an update.

Atkray (profile) says:

Re: Re: Re:

Read the PR post below.

You are correct the company is within their rights to do absolutely nothing. What you continuously fail to understand is there are consequences for actions (or even inaction). This post and indeed many of the posts here discuss ways for a company or an individual or even an artist to avoid blunders like these that tend to erode your customer base or in other ways negatively impact your cash flow.

I suspect that if you ran Onity you would be calling congress to demand they do something about hackers ruining your reputation, no?

Anonymous Coward says:

Re: Re:

Former locksmith here. Agreed. I can buy a bolt cutter for a lot less than $50 and cut my way through all sorts of deadbolts. That doesn’t make them crappy, though it doesn’t preclude it.

Security is not binary. It’s not a choice between secure and insecure. It’s a continuum. You buy a level of security.

I have a home with a deadbolt. I add an alarm system. Video monitoring. Guard dogs. A security team. At what point am I secure? Unless you’re holed up like North Korea, holding a nuke and yelling “I’ll push the button – I swear I will!”, then the answer is never.

In regards to Tim’s other point that they want to make the clients pay for the update, I’m having a hard time disagreeing with that also. A few years ago, when SQL Injection came out, all sorts of sites got hacked (including mine and if memory serves, Techdirt got taken down one weekend also). I don’t remember a huge wave of programmers doing free work then. Good products can have a weakness discovered just like bad products, and it’s ok to charge for updates if they aren’t from negligence.

I guess the bottom line is this – was the security hole blatant? Due to poor design? Or was the hacker particularly clever? Not really enough info to go on, though my suspicion is a bit of both, leaning heavily towards the latter.

Anonymoose Custard (profile) says:

Re: Re:

According to Brocious himself, the company has known about this vulnerability for at least 3 years.

That’s three years that they had to issue a fix.

And this vulnerability is so trivial, that anyone with even a modicum of electrical knowledge and minimal programming experience can overcome it. There is, simply, no reason this vulnerability should still be in shipping locks.

Three. Years.

They have no excuses. They should be paying for this.

That One Guy (profile) says:

I’m really hoping this is just a case of having the wrong person doing the PR here, and that they get someone who actually knows proper PR, and knows how it can make or break a company to come in and say that it was a mistake, and that they’ll be happy to replace their faulty products at no cost.

Otherwise I get the feeling Onity is headed for some rough times as hotels switch over to a company that actually cares if the products they’ve sold actually work.

I should say though, on one hand their reaction is understandable, replacing all those parts is not going to be cheap, but on the other hand they sold a security product that is apparently easily hacked, so it’s really on them to fix it.

Jeffrey Nonken (profile) says:

“More” obscure doesn’t mean much. I already own several sets of Torx drivers myself, and for legitimate reasons. (I’ve owned several Apple computers over the years, to start with.) Why not at least security screws? Though security screw tools are almost as easy to get, if a bit more expensive, last time I looked.

Torx are too easy — positive insertion and self-centering. They should make ’em flat blade screws. Those are a pain in the ass, the blade keeps slipping off. 🙂

Pegr (profile) says:

Easy to see both sides

The locks worked for years without concern. Now, it’s a problem. Thing is, that’s true for many locks. Ever hear of bump keys?

Every one of these locks has a keyed component too. What if that keyed component was easily picked? (hint: it is.)

I have mixed feelings about the vendor’s reaction. It was not very nuanced. But at the end of the day, when the free solution removes eighty percent of the risk, the customer is taken care of. Yes, it sounds bad (piss poor PR), but no locks are 100 percent.

JP says:

On one hand, I totally understand the sentiment of wanting, or expecting software manufacturers to fix flaws in their products. On the other hand, I’m not aware of any mechanical locks that can’t be picked by properly skilled hands. We don’t typically blame keyed lock manufacturers for their locks being vulnerable…

I am curious, are these locks marketed as more secure than mechanical, keyed, locks? Or are they simply marketed as more convenient for hotels and their guests?

That Anonymous Coward (profile) says:

Re: Re:

We blame them when they claim them to be super duper secure and they are crap. Like those super high tech locks that meet national security standards that they were opening in seconds.

Electronic locks allowed hotels to save on the expense of having to have someone go to the room and rekey the lock after every guest left. They can now click some keys on a keyboard and boom the lock is changed.

Anonymous Coward says:

Having been an electrical contractor, I have several questions.

What did the lock company supply? To whom? Was this a turnkey job or simply component parts?

If all the lock company furnished was parts to an engineering company or the hotel all the lock company is responsible for is bad components.

If some engineering company or the hotel designed the system then it is up to the engineering firm or hotel to resolve non-working issues, not the lock company. If the engineering firm or hotel bought parts and now needs technical installation assistance from the lock company, it is going to cost much more now than if the project had been put out for bid as a turnkey project.

Brent (profile) says:

A) Onity charges a fee to its customers to fix a defective product: customers pay the fee or go to a new manufacturer for all new locks. Onity will have trouble getting new/repeat customers, its value will decline and it will struggle to survive.
B) Onity amends its solution and talks/compromises with its customers to get the problem resolved quickly and at a cost acceptable to both parties – perhaps with Onity showing a little generosity on the customer’s behalf to inspire goodwill and what not. Onity’s reputation improves overall while also strengthening customer loyalty, profits rise, etc.

All of this, of course, is contingent upon Onity’s customers actually resisting the current solution. The public may have an opinion but if hotels find the cost acceptable then there isn’t really a problem. The most important thing is that the locks get fixed.

streetlight (profile) says:

What about those Internet lock on bank accounts?

Financial accounts and other important personal records accessible via the Internet have “locks” usually consisting of user IDs, passwords and “security questions.” Millions, if not hundreds of millions of these digital locks have been broken in the last few years. Most responsible companies assist users in fixing the problem and change their security mechanisms. And there is no added fee for the service. Hotels should also be exempt from such a fee to fix their locks.

Secret Admirer (profile) says:

A few years ago some jerk poured sand into the gas tank of my 1987 Ford F150. This wrecked the engine. Seeing as the truck was not under warranty it cost me $3500 to have it fixed.

Assuming that the locks are out of warranty I don’t understand why Onity should not be able to charge for their replacements parts.

Under Timothy Geigner’s reasoning Ford sold me a product that had one job to do: get me to work. The product did the job so poorly that $0.20 worth of playground equipment and a little technical know-how defeated it entirely. And then they wanted a customer to pay to fix it?

Secret Admirer (profile) says:

Re: Re: Re:

I was pissed about the sand.

If the locks are under warranty then the company would be obligated to fix them. Assuming it is not, how is this much different than the millions of times other pieces of technology have become obsolete?

Remember those red bars people used to lock on to their steering wheels in order to prevent theft? Thieves figured out ways around them. Does that mean that the company that made that lock has to refund everyone?

Lord Binky says:

Well that sounds like a disadvantage to a computer locking system. Funny that. Let’s see, the upsides are that the keys are a fraction of the cost of tumbler lock keys, the lock system per room is quickly/easily/remotely changeable, and I’m sure there are some more, like tracking frequency of entry/exit. The door lock is only one part of having a secure hotel though. There should be on-site security watching the hallways; that way you see someone taking the cover off the lock. Their product was crap, but if it takes a hardware fix to solve, then there is nothing wrong with charging for the upgrade. Hotels, I’m sure, can buy into another company’s product if they don’t like the crap one they already bought.

Anonymous Coward says:

Re:

I guess the bottom line is this – was the security hole blatant? Due to poor design? Or was the hacker particularly clever? Not really enough info to go on, though my suspicion is a bit of both, leaning heavily towards the latter.

My understanding from reading an article on this on Gizmag a couple days ago was that you can send the lock an address, and it will read back whatever it has in memory at that address. The site security key is always stored at the same address, so you feed it that address, get back the key, feed it the key, and the lock grants access.

Blindly returning what effectively amounts to the admin key to an unsecured query sounds like a pretty faulty design to me.

source: hxxp://www.gizmag.com/onity-lock-hack/23840/
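The design flaw described in this comment and in Anonymoose Custard’s earlier one (a programming port that reads back any memory address, with the site key parked at a fixed, known offset) is easy to model. The following is an added illustration, not Onity’s firmware or protocol: a toy lock whose vulnerable read handler exposes the key region, a hardened handler that refuses it, and the regression check a firmware test suite would run to prove the port no longer leaks the key. Memory size, the key offset and the key value are all constructed assumptions.

```c
/* Toy model of an electronic lock's programming-port command handler.
 * Constructed for illustration only; not any vendor's real firmware. */
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

#define MEM_SIZE       64
#define SITE_KEY_ADDR  16      /* assumption: key at a fixed, known offset */
#define SITE_KEY_LEN   4       /* the comments mention 32-bit site-code crypto */

typedef struct {
    uint8_t mem[MEM_SIZE];     /* "active memory", site key included */
    bool    unlocked;
} lock_t;

/* Provision a lock with a constructed sample site key. */
void lock_init(lock_t *l) {
    memset(l, 0, sizeof *l);
    const uint8_t key[SITE_KEY_LEN] = {0xDE, 0xAD, 0xBE, 0xEF};
    memcpy(&l->mem[SITE_KEY_ADDR], key, SITE_KEY_LEN);
}

/* Vulnerable handler: hands back whatever sits at the requested address,
 * so the key region is readable by anyone with physical access to the port. */
int vuln_read_mem(const lock_t *l, uint8_t addr, uint8_t *out) {
    if (addr >= MEM_SIZE) return -1;
    *out = l->mem[addr];
    return 0;
}

/* Hardened handler: the key region is never readable over the port.
 * (A real fix would also authenticate the programming session; this is the
 * minimal data-exposure control.) */
int safe_read_mem(const lock_t *l, uint8_t addr, uint8_t *out) {
    if (addr >= MEM_SIZE) return -1;
    if (addr >= SITE_KEY_ADDR && addr < SITE_KEY_ADDR + SITE_KEY_LEN) return -2;
    *out = l->mem[addr];
    return 0;
}

/* Unlock request: compare the presented key with the stored one in constant
 * time so timing does not reveal which byte mismatched. */
bool lock_request_open(lock_t *l, const uint8_t *key) {
    uint8_t diff = 0;
    for (int i = 0; i < SITE_KEY_LEN; i++)
        diff |= (uint8_t)(key[i] ^ l->mem[SITE_KEY_ADDR + i]);
    l->unlocked = (diff == 0);
    return l->unlocked;
}

/* Regression check: does reading the key region over the port, then
 * presenting the bytes obtained, open the lock?  Must be false after the fix. */
bool port_leaks_site_key(int (*read_mem)(const lock_t *, uint8_t, uint8_t *)) {
    lock_t l;
    lock_init(&l);
    uint8_t recovered[SITE_KEY_LEN];
    for (int i = 0; i < SITE_KEY_LEN; i++)
        if (read_mem(&l, (uint8_t)(SITE_KEY_ADDR + i), &recovered[i]) != 0)
            return false;          /* read refused: nothing to present */
    return lock_request_open(&l, recovered);
}
```

Running `port_leaks_site_key` against both handlers shows the vulnerable one opens the lock from a memory dump alone, while the hardened one does not.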

Lord Binky says:

Re:

I thought kleptomaniac hacker biker gangs hung out at Motels and not Hotels.

Although there are still places of travel that are worth the extra security features, such as (inconspicuously dressed) security* guarding elevators that require key access to board and get to your floor. Generally if you’re worried about losing stuff instead of a person, that extreme isn’t necessary.

*The security have more in common with mercenaries than a security guard with a walkie talkie.
