Hotel Lock Company Wants Hotels To Pay For Fixing Their Hackable Product
from the and-probably-will-next-time,-too dept
Picture yourself on vacation. You leave your hotel room, listening to the fully-licensed music in the lobby on your way out. You make sure not to ask the hotel staff for anything as you leave, lest something called a PARFF come after you. And as you're out frolicking on the beach, sucking in that gut and puffing out your chest (asexual insults FTW!), Zero Cool takes a small electronic device that costs less than your average Electronic Arts videogame and hacks your hotel room's lock, giving him access to all the tourist crap you bought in the past three days.

Now, I know what you're thinking. You're thinking that this couldn't possibly happen. After all, Jonny Lee Miller is probably still too busy spinning in place from the speed with which Eli Stone was cancelled after two seasons (and again, I'm reminded that Firefly lasted one. Sigh...) to be stealing stuff from your hotel room. And besides, it can't be that freaking easy to hack into a hotel lock, can it?
Yes, it can. Forbes has the story of hotel lock-maker Onity's reaction to Cody Brocious revealing at a Black Hat security conference how to hack the company's locks (found on over 4 million hotel room doors) with $50 worth of equipment.
The company’s response to that epic security bug has two parts–a quick fix, and a more rigorous one, both of which it plans to make available by the end of August: First, it’s issuing caps that cover the data port Brocious’s hack exploited, which can only be removed by opening the lock’s case. To further stymie hackers who would try to open the locks and remove that cap, it’s also sending customers new, more obscure Torx screws to replace those on the cases of installed locks.

Not bad, right? We've certainly seen companies in the past react poorly when shown the security flaws in their products, attempting to silence those that point them out rather than just fixing the problems. So this would seem to be a step in the right direction, yes? Maybe, except for this:
The second fix is more substantial: Onity will offer its customers new circuit boards and firmware that ostensibly fix the problems Brocious demonstrated.
But Onity is asking owners of some models of its locks to pay a “nominal fee” for the fix, while offering others “special pricing programs” to cover the cost of replacing components. It’s also asking its customers to cover the shipping and labor costs of making hardware changes to the millions of locks worldwide.

That's ridiculous. Onity sold hotels a product that had one job to do: keep the wrong people out of hotel rooms. The product does the job so poorly that $50 worth of equipment and a little technical know-how defeats it entirely. And now you want customers to pay to fix your bad device?
Even Brocious himself pushed back on Onity's statement.
Brocious criticized Onity’s move to put the financial onus for the fix on its customers after selling them what he’s described as fundamentally insecure products. While the free mechanical cap solution could create hurdles for hackers, he says that’s only a partial fix until the lock’s circuit boards are replaced–something that’s not likely to happen if it requires millions of dollars in costs for Onity’s customers. “This will not be insignificant, given that the majority of hotels are small and independently owned and operated. Given that it won’t be a low cost endeavour, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger,” he writes.

It's an especially bizarre move in terms of public relations. How quickly do you think word will get around to other hotel owners, particularly small independent hotels, about how Onity designs their locks and treats their customers? This could be a win for Onity, if they go out of their way to properly fix their flawed product, but instead they appear to want to turn this into a double-dip of bad business.
Filed Under: cost, fixes, hotels, locks, security
Companies: onity
Reader Comments
Re:
*googles it*
Yeah, this one looks like a pretty generic hotel lock,
http://www.gokeyless.com/product/1452/2/saflok-mt310-electronic-hotel-lock
Re:
I am sure some will try and play dumb about the problem just because having to spend money is bad for corporate america. Revenue, aka guests, just need to spend their money and not cause a fuss.
Re: Re:
Looking at the wear patterns, it became obvious that they had installed the lock wrong so that it only partially caught, meaning that the lock had ALWAYS been susceptible to this kind of entry.
They "fixed" the lock by removing the metal plate and boring out the wood farther down the door. It did lock after that and was not susceptible to the light shoulder attack, but I think my story shows 2 things.
1. There really aren't that many people trying to hack into hotel rooms.
2. They do the absolute minimum. Always.
Re: Re: Re:
Many people on vacation don't always notice things missing right away, and a smart thief can hit a room multiple times. People misplace smartphones all the time; they might assume they just left it somewhere rather than that it was stolen.
There are lots of targets in the rooms of travelers that are not always apparent.
Re:
The lock itself doesn't use any encryption, and the cards use a very weak 32-bit encryption based on the site code. The lock itself exposes everything via the programming port on the bottom. When I say everything, I mean that includes the site code (the unique code for the hotel) and everything that's in active memory.
Unlocking it is a simple matter of finding the sitecode and issuing an unlock request.
A+ Business Sense
"Hey McDonalds. I ordered a large Pepsi but you gave me a Big Mac instead. Could I get this rectified?"
"Why certainly valued consumer. I just need you to pay the $50 order correction fee and we can take another shot at providing you the food/beverage item you initially paid for and we promised we'd give you."
"I would be outraged but I am too enamored with your unparalleled business savvy. Here, just take all my money."
The hotels wanted locks and they got locks. Did they turn out to be crappy? Sure, but that's what market research is for. Sometimes it happens. If I buy an analog watch (one that doesn't distinguish between AM and PM) and later find out that I need to know morning from afternoon (someone turns off the Sun or I move underground for an extended period of time) do I get to demand a new watch? I bought a watch and I got a watch.
I don't think they should have to provide free updates, but because they don't have to, their willingness to do so would speak volumes about their commitment to quality and their customers. So why is it a big surprise that a company is out to make money?
Re:
The locks aren't broken or defective; however, someone did show a way that they can be abused, thus making them less secure. Should the company really be responsible for something like this?
Think about it. Cars are stolen all of the time. Do you think the car companies should be entirely responsible for the costs as a result of it being possible to hotwire a car, or at least tow it away?
Let's not place an unfair burden on the lock company just because it's an electronic slim jim instead of a flat metal one. That the solution is basically to replace the guts of the lock, and that they are selling it at a very low cost (like it won't be a profit center for the company) makes it seem like a pretty logical conclusion.
Only in Techdirt world can a company doing the right thing get in trouble.
Re: Re:
The locks have a design flaw: that flaw is that someone can easily access the circuitry and cheaply bypass it.
Locks by design are meant to be secure, and while it took a little while, this design is flawed. The company decided to make their customers eat the cost of fixing their blunder, and this seems like a bad thing to do. Word of these locks being bad is out there, so I can spend x on your cheap "fix" or spend even more to fix the real problem... or spend just a bit more and get an entirely different system from your competitor that doesn't have this flaw. I bet they'll even offer me a discount to switch.
Re: Re: Re:
The locks themselves are not free to produce, so I think with charges applied it seems reasonable enough. At least they're offering a huge price cut and not requiring you to pay the original price to buy the new ones.
Re:
"The hotels wanted locks and they got locks. Did they turn out to be crappy? Sure, but that's what market research is for. Sometimes it happens. If I buy an analog watch (one that doesn't distinguish between AM and PM) and later find out that I need to know morning from afternoon (someone turns off the Sun or I move underground for an extended period of time) do I get to demand a new watch? I bought a watch and I got a watch.
I don't think they should have to provide free updates, but because they don't have to, their willingness to do so would speak volumes about their commitment to quality and their customers. So why is it a big surprise that a company is out to make money?"
You make it seem as if it is an Adobe Photoshop product where the company charges for an update.
Re: Re:
You are correct the company is within their rights to do absolutely nothing. What you continuously fail to understand is there are consequences for actions (or even inaction). This post and indeed many of the posts here discuss ways for a company or an individual or even an artist to avoid blunders like these that tend to erode your customer base or in other ways negatively impact your cash flow.
I suspect that if you ran Onity you would be calling congress to demand they do something about hackers ruining your reputation, no?
Re:
Security is not binary. It's not a choice between secure and insecure. It's a continuum. You buy a level of security.
I have a home with a deadbolt. I add an alarm system. Video monitoring. Guard dogs. A security team. At what point am I secure? Unless you're holed up like North Korea, holding a nuke and yelling - I'll push the button - I swear I will! then the answer is never.
In regards to Tim's other point that they want to make the clients pay for the update, I'm having a hard time disagreeing with that also. A few years ago, when SQL Injection came out, all sorts of sites got hacked (including mine and if memory serves, Techdirt got taken down one weekend also). I don't remember a huge wave of programmers doing free work then. Good products can have a weakness discovered just like bad products, and it's ok to charge for updates if they aren't from negligence.
I guess the bottom line is this - was the security hole blatant? Due to poor design? Or was the hacker particularly clever? Not really enough info to go on, though my suspicion is a bit of both, leaning heavily towards the latter.
Re: Re:
My understanding from reading an article on this on Gizmag a couple days ago was that you can send the lock an address, and it will read back whatever it has in memory at that address. The site security key is always stored at the same address, so you feed it that address, get back the key, feed it the key, and the lock grants access.
Blindly returning what effectively amounts to the admin key to an unsecured query sounds like a pretty faulty design to me.
source: hxxp://www.gizmag.com/onity-lock-hack/23840/
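The two comments above describe the same design defect: a diagnostic port that answers an unauthenticated memory read at the address where the site key lives. The following is a constructed toy model (not Onity firmware, not the real protocol; the memory layout, the DIAG_WINDOW region and the command names are assumptions) that puts the flawed read handler next to a hardened one and adds the design check a reviewer would run against either: can a port client recover the key and use it to open the lock?

```python
"""Toy model of the port-read flaw described in the comments above.

Constructed illustration only: the fixed key offset, the diagnostic
window and the command set are assumptions for this model, not the
real lock's layout or protocol.
"""
from dataclasses import dataclass, field
from typing import Optional

MEM_SIZE = 256
SITE_KEY_ADDR = 0x40               # assumed fixed RAM offset of the site key
SITE_KEY_LEN = 4                   # the comments mention a 32-bit site code
DIAG_WINDOW = range(0x00, 0x20)    # hardened port serves reads from here only


@dataclass
class Lock:
    site_key: bytes
    arbitrary_reads: bool          # True models the flawed firmware
    mem: bytearray = field(init=False)
    opened: bool = field(default=False, init=False)

    def __post_init__(self) -> None:
        assert len(self.site_key) == SITE_KEY_LEN
        self.mem = bytearray(MEM_SIZE)
        self.mem[SITE_KEY_ADDR:SITE_KEY_ADDR + SITE_KEY_LEN] = self.site_key

    def port_read(self, addr: int, length: int) -> Optional[bytes]:
        """READ over the diagnostic port.

        Flawed firmware returns whatever is at any address, so the key
        region is readable.  Hardened firmware serves only DIAG_WINDOW
        and answers None for anything outside it.
        """
        requested = range(addr, addr + length)
        if not self.arbitrary_reads and not all(a in DIAG_WINDOW for a in requested):
            return None
        return bytes(self.mem[addr:addr + length])

    def port_open(self, presented_key: bytes) -> bool:
        """OPEN request: accepted only when the presented key matches."""
        if presented_key == self.site_key:
            self.opened = True
        return self.opened


def key_recoverable_via_port(lock: Lock) -> bool:
    """Design check: does an unauthenticated port client get the key back
    from the read command and can it then open the lock with it?
    True means the design has the flaw the comments describe."""
    leaked = lock.port_read(SITE_KEY_ADDR, SITE_KEY_LEN)
    return leaked is not None and lock.port_open(leaked)
```

The check returns True for the flawed configuration and False for the hardened one; the hardened lock still opens for a client that already holds the correct key, which is the legitimate path.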
Re:
That's three years that they had to issue a fix.
And this vulnerability is so trivial, that anyone with even a modicum of electrical knowledge and minimal programming experience can overcome it. There is, simply, no reason this vulnerability should still be in shipping locks.
Three. Years.
They have no excuses. They should be paying for this.
Otherwise I get the feeling Onity is headed for some rough times as hotels switch over to a company that actually cares if the products they've sold actually work.
I should say though, on one hand their reaction is understandable, replacing all those parts is not going to be cheap, but on the other hand they sold a security product that is apparently easily hacked, so it's really on them to fix it.
Torx are too easy -- positive insertion and self-centering. They should make 'em flat blade screws. Those are a pain in the ass, the blade keeps slipping off. :)
Easy to see both sides
Every one of these locks has a keyed component too. What if that keyed component was easily picked? (hint: it is.)
I have mixed feelings about the vendor's reaction. It was not very nuanced. But at the end of the day, when the free solution removes eighty percent of the risk, the customer is taken care of. Yes, it sounds bad (piss poor PR), but no locks are 100 percent.
I am curious, are these locks marketed as more secure than mechanical, keyed, locks? Or are they simply marketed as more convenient for hotels and their guests?
Re:
Electronic locks allowed hotels to save on the expense of having to have someone go to the room and rekey the lock after every guest left. They can now click some keys on a keyboard and boom the lock is changed.
Easy Padlock Hack
Locks are like fences...to keep honest people honest.
So they fix it for free and someone hacks that...then what?
The hotels are responsible here.
They didn't do Due Diligence and figure this out before they bought the locks.
What did the lock company supply? To whom? Was this a turnkey job or simply component parts?
If all the lock company furnished was parts to an engineering company or the hotel all the lock company is responsible for is bad components.
If some engineering company or the hotel designed the system then it is up to the engineering firm or hotel to resolve non-working issues, not the lock company. If the engineering firm or hotel bought parts and now needs technical installation assistance from the lock company, it is going to cost much more now than if the project had been put out for bid as a turnkey project.
B) Onity amends its solution and talks/compromises with its customers to get the problem resolved quickly and at a cost acceptable to both parties - perhaps with Onity showing a little generosity on the customer's behalf to inspire goodwill and what not. Onity's reputation improves overall while also strengthening customer loyalty, profits rise, etc.
All of this, of course, is contingent upon Onity's customers actually resisting the current solution. The public may have an opinion but if hotels find the cost acceptable then there isn't really a problem. The most important thing is that the locks get fixed.
What about those Internet locks on bank accounts?
Assuming that the locks are out of warranty I don't understand why Onity should not be able to charge for their replacements parts.
Under Timothy Geigner's reasoning Ford sold me a product that had one job to do: get me to work. The product did the job so poorly that $0.20 worth of playground equipment and a little technical know-how defeated it entirely. And then they wanted a customer to pay to fix it?
Re: Re:
If the locks are under warranty then the company would be obligated to fix them. Assuming it is not, how is this much different than the millions of times other pieces of technology have become obsolete?
Remember those red bars people used to lock on to their steering wheels in order to prevent theft? Thieves figured out ways around them. Does that mean that the company that made that lock has to refund everyone?
Re: Re:
Although there are still places of travel that are worth the extra security features, such as (inconspicuously dressed) security* guarding elevators that require key access to board and get to your floor. Generally, if you're worried about losing stuff instead of a person, that extreme isn't necessary.
*The security have more in common with mercenaries than a security guard with a walkie talkie.