In July, Cody Brocious, a systems engineer for Mozilla, revealed a security flaw in the Onity HT locking system at the Black Hat security conference in Las Vegas. Brocious demonstrated a “hardware hack” in which a homemade device, built from readily available store-bought parts, is plugged into the port on the underside of an Onity lock, reads the lock’s memory, and issues an open command, electronically unlocking any hotel room fitted with these locks.
Brocious published his research on his web site and made it available to the public. He did so without consulting or warning Onity in advance. According to Forbes, Brocious also sold a locksmith training firm a license to use his hack for $20,000 prior to publishing his findings. Since the initial release, other hackers have refined Brocious’ research and made the device more efficient and more concealable. In September, Nick Percoco of Trustwave, a security consulting firm, posted a YouTube video that showed the device fitting into a felt-tip marker and opening Onity locks.
While many industry professionals have questioned Brocious’ handling of the situation, he told Lodging that his purpose for releasing the information to the public was to force Onity to come up with a solution and put pressure on hotels to get these locks fixed.
“It has such a severe risk for hotels,” says Brocious. “I had a suspicion that Onity knew about this flaw all along because it is such a simple thing—it’s not an obscure vulnerability. Rather than trying to work with them and get this figured out 10 years from now, I decided to release this and get it out there so hotel owners could make decisions about their locks.”
Petra Risk Solutions, a hospitality insurance firm, recently released information linking guestroom thefts at hotels in Texas to this type of hack. Now that the device can be easily concealed and leaves little for hotel security to trace, hotels with the affected Onity locks should take steps to mitigate the threat.
“Hotels generally are not the insurers of their guest safety. However, hotels have a duty to provide reasonable care,” says Stephen Barth, professor of hospitality law at the University of Houston and founder of HospitalityLawyer.com. “What that means then is that they have an obligation to take reasonable steps to prevent foreseeable acts from occurring that could injure their guests. In this particular case, it is clearly foreseeable that harm can come because of this.”
In August, Onity issued two solutions for the locks in question. The first is a mechanical cap that fits inside the battery cover on the underside of the lock and blocks access to the port; an attacker would have to unscrew and remove the cover before reaching the port. The caps are being distributed to hotels free of charge.
While the cap does not fix the underlying security flaw, it does make breaking into a room harder to do quickly without being noticed. Brocious considers the cap a reasonable temporary fix for hotel owners.
“It’s not perfect, and it doesn’t fix the underlying issue, but it does stop someone from just walking up to a door and immediately opening it,” says Brocious. “And it makes it more traceable as well because you can see physical evidence that there’s been access.”
Onity also issued a firmware upgrade for the affected locks, but applying it means installing new circuit boards in the existing locks, and the shipping and labor costs of doing so fall on the properties. Hotels may also be charged a “nominal fee” for the upgrade. Brocious says that the added cost will dissuade many hotels from installing the firmware. “That nominal fee is going to impede people upgrading their security,” says Brocious. “Most of the hotels using Onity are small, independently owned hotels. By charging for this fix, Onity is making it so that the issue isn’t likely to be fixed.”
In response, Onity told Lodging that both the cap and the firmware upgrade have been tested and validated by two independent security firms, and that all customer requests for these solutions have already been filled or are in the process of being filled. In a statement, the company said, “Onity places the highest priority on the safety and security provided by its products.”
Barth believes that hotels where Onity locks are installed need to take this security threat very seriously and take action in order to avoid legal dilemmas down the road. “The fact is that if an injured party can show that the access to the room was done via this process, and it’s shown that the hotel hasn’t taken any mitigating steps to solve it, then I think that the hotel has a real problem in terms of being negligent, or possibly even grossly negligent,” he says. “Insurance policies typically cover damages arising from ordinary negligence claims, but insurance policies rarely, if ever, cover damages arising from punitive awards from juries.”
Barth suggests that hotel owners make their associates aware of the situation, step up in-hall security checks, and monitor hotel security cameras more closely. He also advises hotels to inform guests about the potential threat and instruct them to always use the security bar on their room doors while inside and to lock valuables in the safe when away from their rooms. Other steps hotels can take against this type of attack include setting up a designated system or call-in line for reporting suspicious activity on the property and placing more emphasis on guest-facing safety videos and instruction.
According to Brocious, this specific hack will only work on Onity locks, but he believes that electronic security in hotels is an issue that the industry has to pay more attention to going forward to keep their guests safe.
“This specific issue isn’t going to exist in other locks,” he says. “However, the locking industry in general doesn’t have a focus on security from an electronic perspective. The likelihood of other vulnerabilities of this magnitude existing in other locking systems is high.”
Hotel owners and Onity customers can call Onity’s dedicated hot line at 800-924-1442 to obtain the company’s proposed solutions.
Thursday, January 17, 2013 by Lisa Goodwin
Cody Brocious could have made the manufacturer aware of this threat the proper, safer way, but chose to be showy and greedy. That is unfortunate for all.