Submission: Hacker Exposes Security Vulnerabilities In 4 Million Hotel Keycard Locks (forbes.com)
Sparrowvsrevolution writes: At the Black Hat security conference Tuesday, a Mozilla software developer and 24-year-old security researcher named Cody Brocious plans to present a pair of vulnerabilities he’s discovered in hotel room locks from the manufacturer Onity, whose devices are installed on the doors of between four and five million hotel rooms around the world, according to the company’s figures. Using an Arduino gadget Brocious built for less than $50, he can insert a plug into that DC port and sometimes, albeit unreliably, open the lock in a matter of seconds.
Brocious found that he can read the raw memory of the lock, including its cryptographic keys, by spoofing the portable programming device used to set master keys around a facility. Though the trick doesn't work in every case and still requires some tweaking, Brocious demonstrated it on at least one hotel room for a reporter, opening its door without a key.
Brocious's hacker ethics may come under some scrutiny: He didn't tell Onity about the vulnerability before publicizing it, and also sold the information for $20,000 to a law enforcement training firm.