When was the last time you saw a hotel that still used traditional key locks? Odds are that you haven’t unless you are sleeping at a very small private hotel or a very low cost chain. Modern card-based locks are easier for the hotel to keep up with and are more convenient for the guests that use them as well, but how safe are they in reality? According to a Mozilla software developer, Cody Brocious, not nearly as safe as we would hope.
Brocious is set to deliver a presentation today at the Black Hat USA 2012 security conference that will show just how easy it is to open a hotel lock with cheap, open-source parts that take advantage of a real security flaw in card-based lock systems that are made by manufacturer Onity. The open-source device is designed to insert into the DC power port of a hotel lock by posing itself off as a portable programming device that the hotel staff uses to assign master keys to doors. The device can get the job done in a matter of seconds with almost 100% accuracy on Onity locks that were ordered online, but on-site at a hotel it was proven that it only worked on one out of three locks tested- still that is a very real security hole.
Brocious intends to publish his findings on Daeken after the presentation but is done working on the flaw exploit, fearing it could threaten the overall security of millions of hotel guests. It is said that about four or five million hotels across the globe use Onity locks, so hopefully the presentation of this flaw will encourage Onity to work on fixes that prevent this from ever becoming a real issue. In the meantime, it’s not such a bad idea for hotel guests to use the chain lock inside their rooms as well.