Security Failure Lets Anyone Crack the Lock on Your Hotel Room

August 22, 2012 By 8 Comments

How many of you trust the security in your hotel room? The door to the room is locked tight, right? Key cards have become the norm, and new radio frequency ID cards are starting to roll out. You can imagine these ought to be safer than a standard metal lock that anyone with some practice and a “bump” key would be able to crack in a few seconds. Of course, hotel employees will still have access to your room with universal keys, but there’s not much you can do about that.

Well, it turns out that just about anyone can crack the electronic lock on a hotel room in a few seconds using a $50 homebrew device and a screwdriver.

At the recent Black Hat security conference in Las Vegas, Cody Brocious, a software developer for Mozilla (the foundation/corporation behind Firefox) demonstrated how to find and use the master site code in electronic hotel locks manufactured by Onity. This code is used to reprogram the locks with a small electronic device. (Read more on Cody’s website.)

However, this code is not protected by any kind of encryption and is stored in the same place on every lock. Because it also serves as a standard-sized charging port for the lock’s battery, similar to the one on an old Nokia mobile phone, it is pretty easy to create your own simple device with off-the-shelf parts to read the code and play it back to unlock the door. Who here has ever been alone in a hotel hallway? It’s not that uncommon. All a thief or other malicious person needs are a few seconds to unscrew the cover plate at the base of the lock and 200 milliseconds for the device to do its work automatically.

(Arduino devices are the modern-day equivalent of the BASIC Stamp II microcontrollers I would play around with as a pre-teen. They are not that difficult to figure out, so this trick is within the reach of most people.)

Point Me to the Plane mentioned the original story a couple weeks ago, and the exploit has since been refined to work on nearly every lock sold. But now Onity, which provides electronic locks for over four million hotel rooms around the world, has come up with a response that is underwhelming. They propose two fixes, as reported by Forbes:

  • The free option: Hotels will get a plug to hide the access port. A cover plate normally covers this access port anyway–that’s why you need the screwdriver mentioned earlier. Onity will provide Torx screws that require a hexagonal screwdriver instead of the usual Phillips or standard types. Big deal. For $20 I once bought an assortment of 20 differently-sized Torx heads at the same mainstream electronics store that will sell the parts for your lock pick.
  • The expensive option: Hotels will have to pay for Onity to provide new circuit boards that make this master code a lot harder to find and use. Hotels will also have to pay for shipping and labor to replace the defective locks.

This seems like a major security issue if the locks are so easy to break into. I understand the reason for a master site code. Hotel management needs to be able to access and reprogram their locks without too much hassle. But it appears that their portable reprogramming devices are no more sophisticated than the little gadget this guy made on his own. I would have expected some encryption, perhaps requiring a PIN known only to hotel management before the site code can be accessed. Instead, all the electronics inside have made this device less secure than a standard physical key.

Personally, I don’t trust the locks on these doors anyway. Nothing stops the hotel staff from entering, and more than once I’ve had to shoo away housekeeping or maintenance when they tried to enter without even knocking. So in the meantime, throw the security latch above the door and hope that hotels are either willing to write off this expense or push Onity to take more responsibility for their negligence. As for what to do when you’re out of the room… I guess you’ll just have to hope the security safe inside each room has technology slightly more robust.

Did you learn something interesting? Show your support! Like this blog on Facebook or join my Twitter feed to share it with your friends and help get the word out to potential travel hackers everywhere. Subscribe by RSS to get delivery of every new post.

Note: School and work are still taking up time as I near the finish line, but my temporary absence these last few days should become less frequent. Thanks for sticking around…

Filed Under: Hotels, Security Tagged With: , ,
About Scott Mackenzie

Scott founded HMT while traveling on a budget during graduate school and stays loyal to United, Alaska, Hyatt, and Starwood.
Email // Twitter // Facebook // Google+ // Subscribe by RSS

  • http://www.frequentflyeruniversity.com/ Frequent Flyer University

    Although this is obviously a major issue. As long as you put your valuables in the safe, you should be fine. The chances of someone doing this are probably far less than a Housekeeper stealing something. Plus with the internet, someone who is savvy enough to build this device would probably rather just go to a Starbucks and steal some Credit Card numbers over the wi-fi.

    • Scottrick

      I agree with the first part. Most people aren’t going to try this. I’m more annoyed by the weak response from Onity, which doesn’t seem to think a security hole in their own devices is an issue they should pay to fix. I’m surprised this hole existed in the first place.

      As for the second issue, I disagree that this is on par with stealing CC numbers. There are lots of reasons the CC scam requires more technical expertise, plus it would violate a whole bunch of federal laws. Breaking into a hotel room probably wouldn’t leave a trace and is only a local crime.

    • http://www.thesterlingtraveler.com/ TheSterlingTraveler

      I disagree. The hotel safes are a false sense of security. If someone is savvy enough to get in your room, they have the master code to the safe. Master codes are basically readily available on the web. Heck even I know one.

  • Dad

    Maybe I watch too much TV, but one of the reality shows displayed a hotel manager unlocking a pushbutton room safe in a couple of minutes: He had a box that fit over the keypad and rapidly tried all combinations until it opened. Just like rooms, hotels need to deal with people who forget their safe combination. There’s no place to hide.

  • Troy

    In Vietnam i witnessed just how simple it is to get into a locked safe. First day i arrived and i was unpacking / putting camera etc into the safe. Got a call from the boss to come down for dinner, so left without locking and setting a password on the safe.

    When i got back from dinner, housekeeping had been in to provide the turndown service, and had to very kindly closed the safe.

    I called down to reception, and the front desk manager rocked up a couple of minutes later. A quick plug of a device into a USB port and not 30 seconds later the door unlocked and opened.

    So someone would relatively easily be able to create a device to crack these locks.

    • Scottrick

      I’m sure there are such devices. There will always be a need to re-code electronic locks. But I would hope the safe one requires some kind of management password to use. These locks on the doors (which you need to get through before getting to the safe) had no password.

  • Paul Feagan

    I found a security hole with the non-electronic key lock boxes that are used in holiday villa rentals and wrote it up here http://bugadvisor.com/2012/08/04/key-lock-box-security-not-as-secure-as-you-might-think/

  • http://twitter.com/deirdresm Deirdre

    I always pack a doorstop.