The Epic Crime Spree Unleashed By Onity's Ambivalence To Its Easily Hacked Hotel Locks

from the true-crime-story dept

Back in 2012, we wrote about Onity, the company that makes a huge percentage of the keycard hotel door locks on the market, and how laughably easy it was to hack its locks with roughly $50 of equipment. Surprisingly, Onity responded to the media coverage and complaints from its hotel customers with offers of fixes that ranged from insufficient (a piece of plastic that covered the port used to hack the door locks) to cumbersome (replacing the circuit boards on the locks entirely) and asked many of these customers to pay for these fixes to its broken product. Many of these customers wanted to sue Onity for obvious reasons, but a judge ruled against allowing a class action suit to proceed. That was our last story on the subject.

So... what happened? Well, Onity ended up springing for the fixes for some of their larger chain hotel customers, but not all of them. For the rest, it was on each hotel to decide to pay for the fix or not. Many, many of them absolutely did not and did nothing about the Onity locks on their doors, while those that did get the fix involving the plastic port cover quickly found out that the fix wasn't much of a fix at all. To see the fallout from all of that, one need only look at Wired's longform piece on the hellacious crime spree undertaken by one troubled young man, Aaron Cashatt, who managed to steal hundreds of thousands of dollars' worth of stuff from hotel rooms using the aforementioned $50 worth of gear.

The entire post is worth your time, with its fascinating look into Cashatt's background, the revelations of the Onity lock's failures, and where those two stories converged. One of the key points in all of this was that even before Cashatt started his crime spree, everyone, from Onity to the hotel chains to any member of the public that cared to know, was aware of how laughably insecure Onity's locks were, except that, for the most part, nobody bothered to do anything about it.

Instead of Brocious' research protecting millions of hotel rooms from larceny-minded hackers, it served up a rare, wide-open opportunity to criminals. Soon other hacker hobbyists were posting YouTube videos of themselves demonstrating the vulnerability on real hotel doors, refining Brocious' gadget to work far more reliably. One security researcher in Chicago managed to miniaturize the components of the lock-hacking device until it fit inside the body of a dry-erase marker, with its plug hidden under the marker's cap. The attack became so notorious that it even made a brief cameo in the first season of USA Network's show Mr. Robot.

But out of everyone who learned about the Onity keycard hack, only one person, perhaps, had the right mix of desperation, tech savvy, and moral flexibility to use it to its full criminal potential: Aaron Cashatt.

Cashatt saw a news segment about the Onity flaw and began to use his own hacking device to exploit it almost immediately. With equipment that cost less than a AAA video game, Cashatt began hacking into hotels, starting at a Marriott. While perfecting his hacking tool and managing to hide it in a sunglasses case that he kept slung around his neck, he worked a waiter job during the day and smoked meth and broke into hotel rooms at night. Using the tool, Cashatt would walk out of hotel rooms with everything the visitor owned and much of what was owned by the hotels as well, including not just towels and toiletries, but flat-screen televisions as well. After deciding to skip a court hearing, he took his show on the road, leaving his corner of Arizona and trekking to the Midwest, where the spree continued. Even when he was arrested on completely unrelated drug charges, police had no idea that the string of hotel room robberies in progress across the country was his doing. When he was carted back to Arizona and let out on bail, he went right back to work.

Now with no job to hold him back, Cashatt, his friends, and an on-and-off girlfriend spent the next four months hitting hotels at a frenzied pace, sometimes as many as four in a day...working his way methodically across central Arizona.

It was a month into that run that Onity began rolling out the plastic port-blocker fix to its locks. Onity had finally begun distributing this fix for free to at least some of its hotel customers. But this barely slowed Cashatt down. Instead, he used a screwdriver to open the panel of the door lock and was able to access the port once more, the plastic blocker circumvented. With enough practice, he was able to do this in under half a minute. He went right back to work, fencing stolen goods through a network of friends and a jewelry store whose owner he trusted. It was only after one of his friends got pinched that the police managed to get wind of just how big Cashatt's operation had become. He once more hit the road and began breaking into hotels in Tennessee before trekking back west to California and hitting hotels there. It was there that the feds finally caught him, after he managed to steal an estimated half-a-million dollars worth of goods.

Now in prison, Cashatt doesn't think much has changed.

"I guarantee you that if you tried this at some hotel in the Midwest, it would still work 19 out of 20 times," he says. For that, he blames Onity's negligence. "They just don't get it."

For its part, Onity remains opaque on how many fixes have been rolled out to how many hotel door locks, as well as exactly what form those fixes take, either the plastic port-blocker variety or an actual circuit board replacement. The fact that the company isn't screaming about how many circuit board replacements it's doled out should tell you all you need to know about the answer to that question. The Wired author himself tested it out and managed to get his own hacking tool to unlock a hotel door on his fourth try. This isn't hard data of any kind, but with Onity itself ducking any kind of transparency, it's the best that can be done.

What should stick out most to everyone about this story is how the flaws in Onity's locks were uncovered only through the help of security researchers, oft maligned, whose work then went largely ignored. That willful ignorance allowed someone like Cashatt to go bananas on the hotel industry, all because Onity couldn't be bothered to fix its flawed product.


Reader Comments



  • Michael, 1 Sep 2017 @ 4:30am

    I am shocked they did not charge Brocious with conspiracy for exposing the vulnerability.

    It's crazy we live in a world where that is likely to happen...

  • Anonymous Coward, 1 Sep 2017 @ 4:39am

    What really sticks out...

    Is the fact that a judge wouldn't allow a class action suit to go forward.

    • Michael, 1 Sep 2017 @ 4:56am

      Re: What really sticks out...

      It is difficult to show harm from negligence.

      It's no less secure than a traditional key, and we do not sue regular key lock manufacturers for the fact that their product is not all that great at securing a room.

      I don't think hotels should have been able to sue them. The hotels purchased a poorly made product. Should they have returned the locks if they could? - absolutely. Should they stop buying products from the company? - Yuppers. Should we be able to sue a company that provides a bad product? - I don't think so.

      It would be difficult to draw a line as to how bad a product needs to be before we could sue.

      • Machin Shin, 1 Sep 2017 @ 5:33am

        Re: Re: What really sticks out...

        "It's no less secure than a traditional key"

        Traditional keys these days are actually fairly secure if you're getting the higher grade ones. I am pretty sure they do better than these digital keys at securing a room.

        Lock picking in a hallway makes you stick out and if it is a good lock, even if you're skilled, you're going to be there a little while. It doesn't work like in the movies where you pick a lock in 2 seconds unless 1) You're skilled with lockpicks and 2) The lock sucks.

        • Anonymous Coward, 1 Sep 2017 @ 9:20am

          Re: Re: Re: What really sticks out...

          Traditional keys these days are actually fairly secure if you're getting the higher grade ones.

          That's exactly his point. There are high grade, secure key locks, just like there are high grade, secure card locks. There are also low grade, insecure key locks, just like this company's low grade, insecure card locks. We don't sue low grade key lock manufacturers for the fact that their product is insecure, so why should we sue low grade card lock manufacturers because their product is equally insecure?

          Lock picking in a hallway makes you stick out and if it is a good lock, even if you're skilled, you're going to be there a little while.

          Which is fairly irrelevant in hotels, since 1) nobody is really wandering the hallways most of the time and 2) even if they are, most of them won't pay much attention to you struggling with a door. If you're even a halfway decent actor there's plenty of reasons for that: Swiped too fast, wrong card direction, wrong room, card got wiped by credit card (this happened to me a few months ago) etc.

          • Bruce C., 1 Sep 2017 @ 1:31pm

            Re: Re: Re: Re: What really sticks out...

            Also the big thing about the keycard locks in hotels is that they can be reprogrammed after each stay. So even if you clone your keycard, it won't work to get into the room after you check out.

            No matter how good the lock is, hotels aren't going to change the locks on the rooms after each guest checks out. So access to keys is a big problem for them.

            Which is why this backdoor is even more annoying. It takes a more secure architecture and makes it even less secure than the old model.

        • Anonymous Coward, 1 Sep 2017 @ 3:50pm

          Re: Re: Re: What really sticks out...

          There's also this: "Instead, he used a screwdriver to open the panel of the door lock and was able to access the port once more, the plastic blocker circumvented."

          It's a level of incompetence I've never seen in traditional locks. Any access panel should be on the *room side* of the lock, not the hallway side. What other lock manufacturer doesn't know this?

          • JoeCool, 3 Sep 2017 @ 10:22am

            Re: Re: Re: Re: What really sticks out...

            It needs to be on the outside so that if the card reader breaks, they can get into the room (presuming the screws for the assembly are on the inside for security). However, seeing as it needs to be on the outside, it needs to be more than just a plastic panel - it needs to be a STEEL panel with a secure lock of the keyed variety to open it. Then only the hotel manager or head of security would have that key.

            • Anonymous Coward, 3 Sep 2017 @ 1:39pm

              Re: Re: Re: Re: Re: What really sticks out...

              A mechanical key can, and should be provided to directly open an electronic lock. Without such a key, a failure of the lock, or loss of power and a dead battery can render the door difficult to open. That key can be kept in a secure safe.

      • Anonymous Coward, 1 Sep 2017 @ 6:32am

        Re: Re: What really sticks out...

        "I don't think hotels should have been able to sue them. The hotels purchased a poorly made product. Should they have returned the locks if they could? - absolutely. "

        Isn't that what the lawsuit is about? The company is only willing to fix the problem for a few of the larger customers. What are the rest supposed to do? They spent money on a product that promised security, spent people resources training on the new systems, maintaining them, etc. There's far more $$$ involved than just buying the locks, but the company isn't even willing to "fix" the situation with them for many of their customers.

        • Roger Strong, 1 Sep 2017 @ 7:40am

          Re: Re: Re: What really sticks out...

          Just so. Often a so-called "fix" isn't good enough.

          My company once bought four D-Link switches for our network. One quickly failed, was sent in for repair, and a replacement arrived a few weeks later.

          Then another failed. And another. And another. And another. Including the replacements. The D-Link forum for the switches showed that everyone else with the same model was having the same problem. The switches were >100% failure rate garbage.

          D-Link's response was... nothing. Just keep sending them in, waiting weeks for them to come back, and always have a couple spares on hand. There would be no replacement with a reliable model. There would be no acknowledgement from D-Link that there was an ongoing problem.

          They did temporary repairs, but they didn't fix the problem.

        • Coyne Tibbets, 1 Sep 2017 @ 9:02am

          Re: Re: Re: What really sticks out...

          What are the rest supposed to do? Ignore the problem. They're not responsible for the personal possessions of guests, so why would they worry?

      • TRX302, 3 Sep 2017 @ 11:13am

        Re: Re: What really sticks out...

        Under Common Law there's the concept of "warranty of fitness." If you sell something that's supposed to be a combination lock, it's supposed to work as an ordinary person would expect a combination lock to work - that is, to be openable only with one specific combination out of some large number.

        What Onity shipped was the equivalent of a combination lock that might be set to 36-24-36, but *also* opened with the default combination of 1-2-3. Which, even if it was secret to start with, didn't stay secret for long, which reduced the lock's effectiveness so severely it was nearly worthless. It might technically still be a "combination lock", but it is no longer suited for the purpose it was sold for.

  • Annonymouse, 1 Sep 2017 @ 4:48am

    So how much election support was the judge given?

    • ThaumaTechnician, 1 Sep 2017 @ 4:57am

      Re:

      I've always found it bizarre that judges are elected in (most of) the States, rather than using merit selection.

      Even at first blush, IMHO, electing judges is a recipe for disaster. If elections result in corrupt, un-informed, unrepresentative, self-serving politicians, why should it be any different for judges, eh?

      • Chris ODonnell, 1 Sep 2017 @ 5:22am

        Re: Re:

        ''If elections result in corrupt, un-informed, unrepresentative, self-serving politicians, why should it be any different for judges, eh?''

        The people in charge see this as a feature, not a bug.

      • Anonymous Coward, 1 Sep 2017 @ 9:44am

        Re: Re:

        Not that I disagree, but the continual problem with all "merit selections" is how you define "merit." The only methods of doing so that anyone has come up with so far are 1) basic capitalism where if you don't do it effectively somebody else will come along and undercut you (which, of course, doesn't work nearly as well as it sounds like) and 2) a process where a small group of "experts" select people who are "the best", which de facto means they also get to pick their own successors (since said successors should also be "the best") leading over time to a de facto oligarchy (see most communist parties in power, as one example). This can be mitigated to a large extent in fields like the physical sciences, where there is close to an objective standard to measure each other by, but outside of that...

        If we could define and measure merit well then we would never need any elections, since we'd already know who would be the best president.

        Not to say that it wouldn't be better than elections, just that it's not going to actually cure the problem. Merit selection sounds good, right up until you try to put it into practice.

  • Roger Strong, 1 Sep 2017 @ 5:09am

    I went to my first computer conference at the New York Hilton about [decades] ago. When somebody there predicted the market for microprocessors would eventually be in the millions, someone else said, "Where are they all going to go? It's not like you need a computer in every doorknob!"

    Years later, I went back to the same hotel. I noticed the room keys had been replaced by electronic cards you slide into slots in the doors. There was a computer in every doorknob.

    - Danny Hillis

    And now we know how this anecdote would be handled by The Twilight Zone or Black Mirror.

  • Anonymous Coward, 1 Sep 2017 @ 6:25am

    'What should stick out most to everyone about this story is how a judge ruled against allowing a class action suit to proceed'

    What I then must ask is what was he paid by Onity to stop the lawsuit? Surely there was ample evidence and reason to allow this to move forward, so it must have been in the judge's interest to stop it. Look what then happened, as stated in the story!

  • Jim, 1 Sep 2017 @ 6:47am

    Huh?

    Judges? Never have had a good experience with a judge. Become a judge through merit? Ever had a "good" experience with a lawyer? That's who become judges. I honestly think a judge should be someone trained in critical thinking rather than law. Trained to see past rhetoric that clouds judgement, and to focus on absolutes rather than politics. But, there is no such animal, they focus on the politics to get in office, and promotion.

  • Anonymous Coward, 1 Sep 2017 @ 8:41am

    Think about it

    Thank God this guy and his friends weren't rapists or serial killers. Oh crap, I just gave some scumbags an idea. Damn.

  • Call me Al, 4 Sep 2017 @ 4:35am

    I worry the wrong lesson will be learned...

    "Cashatt saw a news segment about the Onity flaw and began to use his own hacking device to exploit it almost immediately".

    What are the odds you'll have people saying "well clearly that means this flaw should never have been made public" and that those people will be in positions of power.
