The Epic Crime Spree Unleashed By Onity's Ambivalence To Its Easily Hacked Hotel Locks
from the true-crime-story dept
Back in 2012, we wrote about Onity, the company that makes a huge percentage of the keycard hotel door locks on the market, and how laughably easy it was to hack its locks with roughly $50 of equipment. Surprisingly, Onity responded to the media coverage and complaints from its hotel customers with offers of fixes that ranged from insufficient (a piece of plastic that covered the port used to hack the door locks) to cumbersome (replacing the circuit boards on the locks entirely) and asked many of these customers to pay for these fixes to its broken product. Many of these customers wanted to sue Onity for obvious reasons, but a judge ruled against allowing a class action suit to proceed. That was our last story on the subject.
So... what happened? Well, Onity ended up springing for the fixes for some of their larger chain hotel customers, but not all of them. For the rest, it was on each hotel to decide to pay for the fix or not. Many, many of them absolutely did not and did nothing about the Onity locks on their doors, while those that did get the fix involving the plastic port cover quickly found out that the fix wasn't much of a fix at all. To see the fallout from all of that, one need only look at Wired's longform piece on the hellacious crime spree undertaken by one troubled young man, Aaron Cashatt, who managed to steal hundreds of thousands of dollars worth of stuff from hotel rooms using the afore-mentioned $50 worth of gear.
The entire post is worth your time, with its fascinating look into Cashatt's background, the revelations of the Onity lock's failures, and where those two stories converged. One of the key points in all of this was that even before Cashatt started his crime spree, everyone, from Onity to the hotel chains to any member of the public that cared to know, was aware of how laughably insecure Onity's locks were, except that, for the most part, nobody bothered to do anything about it.
Instead of Brocious' research protecting millions of hotel rooms from larceny-minded hackers, it served up a rare, wide-open opportunity to criminals. Soon other hacker hobbyists were posting YouTube videos of themselves demonstrating the vulnerability on real hotel doors, refining Brocious' gadget to work far more reliably. One security researcher in Chicago managed to miniaturize the components of the lock-hacking device until it fit inside the body of a dry-erase marker, with its plug hidden under the marker's cap. The attack became so notorious that it even made a brief cameo in the first season of USA Network's show Mr. Robot.
But out of everyone who learned about the Onity keycard hack, only one person, perhaps, had the right mix of desperation, tech savvy, and moral flexibility to use it to its full criminal potential: Aaron Cashatt.
Cashatt saw a news segment about the Onity flaw and began to use his own hacking device to exploit it almost immediately. With equipment that cost less than a AAA video game, Cashatt began hacking into hotels, starting at a Marriott. While perfecting his hacking tool and managing to hide it in a sunglasses case that he kept slung around his neck, he worked a waiter job during the day and smoked meth and broke into hotel rooms at night. Using the tool, Cashatt would walk out of hotel rooms with everything the visitor owned and much of what was owned by the hotels as well, including not just towels and toiletries, but flat-screen televisions as well. After deciding to skip a court hearing, he took his show on the road, leaving his corner of Arizona and trekking to the Midwest, where the spree continued. Even when he was arrested on completely unrelated drug charges, police had no idea that the string of hotel room robberies in progress across the country was his doing. When he was carted back to Arizona and let out on bail, he went right back to work.
Now with no job to hold him back, Cashatt, his friends, and an on-and-off girlfriend spent the next four months hitting hotels at a frenzied pace, sometimes as many as four in a day...working his way methodically across central Arizona.
It was a month into that run that Onity began rolling out the plastic port-blocker fix to its locks. Onity had finally begun distributing this fix for free to at least some of its hotel customers. But this barely slowed Cashatt down. Instead, he used a screwdriver to open the panel of the door lock and was able to access the port once more, the plastic blocker circumvented. With enough practice, he was able to do this in under half a minute. He went right back to work, fencing stolen goods through a network of friends and a jewelry store whose owner he trusted. It was only after one of his friends got pinched that the police managed to get wind of just how big Cashatt's operation had become. He once more hit the road and began breaking into hotels in Tennessee before trekking back west to California and hitting hotels there. It was there that the feds finally caught him, after he managed to steal an estimated half-a-million dollars worth of goods.
Now in prison, Cashatt doesn't think much has changed.
"I guarantee you that if you tried this at some hotel in the Midwest, it would still work 19 out of 20 times," he says. For that, he blames Onity's negligence. "They just don't get it."
For its part, Onity remains opaque on how many fixes have been rolled out to how many hotel door locks, as well as exactly what form those fixes take, either the plastic port-blocker variety or an actual circuit board replacement. The fact that the company isn't screaming about how many circuit board replacements its doled out should tell you all you need to know about the answer to that question. The Wired author himself tested it out and managed to get his own hacking tool to unlock a hotel door on his fourth try. This isn't hard data of any kind, but with Onity itself ducking any kind of transparency, it's the best that can be done.
What should stick out most to everyone about this story is how the flaws in Onity's locks were uncovered only through the help of security researchers, oft maligned, whose work then went largely ignored. That willful ignorance allowed someone like Cashatt to go bananas on the hotel industry, all because Onity couldn't be bothered to fix its flawed product.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: aaron cashatt, fixes, hotel locks
Companies: onity
Reader Comments
Subscribe: RSS
View by: Time | Thread
It's crazy we live in a world where that is likely to happen...
[ link to this | view in chronology ]
What really sticks out...
[ link to this | view in chronology ]
Re: What really sticks out...
It's no less secure than a traditional key, and we do not sue regular key lock manufacturers for the fact that their product is not all that great at securing a room.
I don't think hotels should have been able to sue them. The hotels purchased a poorly made product. Should they have returned the locks if they could? - absolutely. Should they stop buying products from the company? - Yuppers. Should we be able to sue a company the provides a bad product? - I don't think so.
It would be difficult to draw a line as to how bad a product needs to be before we could sue.
[ link to this | view in chronology ]
Re: Re: What really sticks out...
Traditional keys these days are actually fairly secure if your getting the higher grade ones. I am pretty sure they do better than these digital keys at securing a room.
Lock picking in a hallway makes you stick out and if it is a good lock, even if your skilled, your going to be there a little while. It doesn't work like in the movies where you pick a lock in 2 seconds unless 1) Your skilled with lockpicks and 2) The lock sucks.
[ link to this | view in chronology ]
Re: Re: Re: What really sticks out...
Traditional keys these days are actually fairly secure if your getting the higher grade ones.
That's exactly his point. There are high grade, secure key locks, just like there are high grade, secure card locks. There are also low grade, insecure key locks, just like this company's low grade, insecure card locks. We don't sue low grade key lock manufacturers for the fact that their product is insecure, so why should we sue low grade card lock manufacturers because their product is equally insecure.
Lock picking in a hallway makes you stick out and if it is a good lock, even if your skilled, your going to be there a little while.
Which is fairly irrelevant in hotels, since 1) nobody is really wandering the hallways most of the time and 2) even if they are, most of them won't pay much attention to you struggling with a door. If you're even a halfway decent actor there's plenty of reasons for that: Swiped too fast, wrong card direction, wrong room, card got wiped by credit card (this happened to me a few months ago) etc.
[ link to this | view in chronology ]
Re: Re: Re: Re: What really sticks out...
No matter how good the lock is, hotels aren't going to change the locks on the rooms after each guest checks out. So access to keys is a big problem for them.
Which is why this backdoor is even more annoying. It takes a more secure architecture and makes it even less secure than the old model.
[ link to this | view in chronology ]
Re: Re: Re: What really sticks out...
It's a level of incompetence I've never seen in traditional locks. Any access panel should be on the *room side* of the lock, not the hallway side. What other lock manufacturer doesn't know this?
[ link to this | view in chronology ]
Re: Re: Re: Re: What really sticks out...
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: What really sticks out...
[ link to this | view in chronology ]
Re: Re: What really sticks out...
Isn't that what the lawsuit is about? The company is only willing to fix the problem for a few of the larger customers. What are the rest supposed to do? They spent money on a product that promised security, spent people resources training on the new systems, maintaining them, etc. There's far more $$$ involved than just buying the locks, but the company isn't even willing to "fix" the situation with them for many of their customers.
[ link to this | view in chronology ]
Re: Re: Re: What really sticks out...
My company once bought four D-Link switches for our network. One quickly failed, was sent in for repair, and a replacement arrived a few weeks later.
Then another failed. And another. And another. And another. Including the replacements. The D-Link forum for the switches showed that everyone else with the same model was having the same problem. The switches were >100% failure rate garbage.
D-Link's response was... nothing. Just keep sending them in, waiting weeks for them to come back, and always have a couple spares on hand. There would be no replacement with a reliable model. There would be no acknowledgement from D-Link that there was an ongoing problem.
They did temporary repairs, but they didn't fix the problem.
[ link to this | view in chronology ]
Re: Re: Re: What really sticks out...
[ link to this | view in chronology ]
Re: Re: What really sticks out...
What Onity shipped was the equivalent of a combination lock that might be set to 36-24-36, but *also*opened with the default combination of 1-2-3. Which, even if it was secret to start with, didn't stay secret for long, which reduced the lock's effectiveness so severely it was nearly worthless. It might technically still be a "combination lock", but it is no longer suited for the purpose it was sold for.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
I've always found it bizarre that judges are elected in (most of) the States, rather than using merit selection.
Even at first blush, IMHO, electing judges is a recipe for disaster. If elections result in corrupt, un-informed, unrepresentative, self-serving politicians, why should it be any different for judges, eh?
[ link to this | view in chronology ]
Re: Re:
The people in charge see this as a feature, not a bug.
[ link to this | view in chronology ]
Re: Re:
Not that I disagree, but the continual problem with all "merit selections" is how you define "merit." The only methods of doing so that anyone has come up with so far are 1) basic capitalism where if you don't do it effectively somebody else will come along and undercut you (which, of course, doesn't work nearly as well as it sounds like) and 2) a process where a small group of "experts" select people who are "the best", which de facto means they also get to pick their own successors (since said successors should also be "the best") leading over time to a de facto oligarchy (see most communist parties in power, as one example). This can be mitigated to a large extent in fields like the physical sciences, where there is close to an objective standard to measure each other by, but outside of that...
If we could define and measure merit well then we would never need any elections, since we'd already know who would be the best president.
Not to say that it wouldn't be better than elections, just that it's not going to actually cure the problem. Merit selection sounds good, right up until you try to put it into practice.
[ link to this | view in chronology ]
Re: Re: Re:
"Sandra Day O'Connor, the former Supreme Court justice, has condemned the practice of electing judges. "No other nation in the world does that," she said at a conference on judicial independence at Fordham Law School in April, "because they realize you're not going to get fair and impartial judges that way."" http://www.nytimes.com/2008/05/25/world/americas/25iht-judge.4.13194819.html?mcubz= 0
Well, almost no other nation. Per John Oliver, Bolivia also elects judges. https://www.youtube.com/watch?v=poL7l-Uk3I8&feature=youtu.be
[ link to this | view in chronology ]
And now we know how this anecdote would be handled by The Twilight Zone or Black Mirror.
[ link to this | view in chronology ]
what i then must ask is what was he paid by Onity to stop the law suit? surely there was ample evidence and reason to allow this to move forward, so it must have been in the judges interest to stop it. look what then happened, as stated in the story!
[ link to this | view in chronology ]
Huh?
[ link to this | view in chronology ]
Think about it
[ link to this | view in chronology ]
I worry the wrong lesson will be learned...
What are the odds you'll have people saying "well clearly that means this flaw should never have been made public" and that those people will be in positions of power.
[ link to this | view in chronology ]