Hotel-room hacks: Picking the lock (economist.com)
That seems like rather an asshole move on his part. I understand the argument for disclosing security flaws to force a reluctant vendor to deal with them, but in this case he didn't even give them a chance.
The route I took may not have been pretty, but it will get the issue fixed in a timely fashion, I believe, and hopefully alert people to the fact that we need real security processes in place around such things; not having your equipment audited in the case of a security product is simply not acceptable. Not now, and not in 1993.
I also agree about disclosure - it might have been nice to drop them a note beforehand, but what could they honestly do about it? Nothing more than they are already doing.
When you get to your room, swipe your NFC-enabled phone over the lock, then it asks for your PIN (on the phone) to unlock the door.
The activity would need to allow you to swipe the NFC over the lock, which will auto-launch the app and prompt for pin to be a smooth user experience.
If you have to find the app and launch it and maybe make another click, to get to the PIN prompt, it would be too cumbersome to users to be a good experience.
You obviously knew about the flaw at least a few days before your interview with Forbes (or whatever it was). Shooting a one-liner email to Onity was a no-brainer. "I found a major flaw in your locks. Contact me for details." They reply - great, they don't - fine, proceed as planned. I come from a reverse engineering background and I'm sorry to say but I have lost all professional respect for you, regardless of how good of a reverser you are.
You could have informed Onity first and then simply threatened them with full disclosure if they didn't start owning up to the problem themselves. You intentionally didn't do that. And the only good reason I can see for you not doing that is so you can get more publicity. It was a selfish decision on your part.
Blaming security researchers for finding holes is a very strange anti-pattern. We should be blaming vendors for shipping insecure products!
The easiest way into a hotel room is social engineering via the housekeeping staff.
So I'm in a foreign land, and I should carry around all my worldly possessions with me?
How is that safer?
(Why can't the hotel provide a lock that works?)
Alternatively, take a mechanical approach to the problem - if you can live without the connector for servicing the lock.
1) De-solder the connector on the board and cut the traces/pads off the board - it won't stop everyone, but enough that have read of the exploit and try to follow through on it without applying any more critical thinking will be thwarted.
2) epoxy over the connector (they kind of did this with the security screw fix, but not really)
3) leave the connector, but add so much resistance between the connector and uP that you have to use a special interface cable to talk to the uP. No one will be able to tell until they pull the lock apart that it's not stock.
If you really care about hotel customers you would be on the company side that made all these locks, because they really need help. Yes they screwed up, they deserve punishment but do the customers have to be the victim?
Just read this comment on the site - perhaps a bit exaggerated, but I think a valid point nonetheless. Of course, Onity should have done something about the flaw.
If someone didn't know about and exploit this flaw in 1998 (5 years later), I'd be downright flabbergasted. It's just way, way, way too simple.
I've written at length about how this can be fixed; Onity has not yet responded with an effective solution.
(I'm the original researcher)
Edit: Link to my post is here: http://daeken.com/onitys-plan-to-mitigate-hotel-lock-hack Note that their statement about how they would fix it was pulled after Forbes quoted my post.
That is very unlikely to be possible. The ROM may be a masked ROM, in which case it is not re-programmable at all. Quite likely it is a one-time programmable (OTP) ROM. For an OTP, at best you can flip "1" bits to "0", but you cannot change "0" bits to "1". It would take a large amount of luck to be able to patch "1"s to "0"s (and not need to change any "0"s to "1"s) to vector to patched code fixing the vulnerabilities.
In addition, many programmable memories require special programming voltages and they all need the proper control signals - very often the ROM is not in-circuit programmable or is in-circuit programmable only via a test/programming circuit at the factory, not in the field.
WRT #1 and #2, the reason for the connector is to allow the hotel staff to recover from Bad Things like dead batteries and confused/mis-keyed locks. I know I've been the victim of dead batteries more than once... if the only recourse is to destroy the lock to get into the room, the hotel is going to be very unhappy and the guest isn't going to be very pleased either.
#3 is "security through obscurity", which will be effective briefly until the next security researcher figures out how to defeat the change.
I didn't look at the exploit in detail, but as daeken reminded us there are problems with more than just the program in the door lock - so even if a patch to the ROM chip could fix the problem, it probably doesn't fix all the problem so it isn't a real solution.
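The OTP constraint in the comment above is easy to check mechanically. The following is an added example, not code from the thread and not Onity firmware: the images are constructed toy bytes, and it assumes (as on typical fuse or antifuse OTP parts) that a blank bit reads 1 and programming can only clear bits to 0. On parts where blank reads 0 the rule simply inverts.

```python
"""Feasibility of patching firmware held in one-time-programmable (OTP) ROM.

Added illustration for the discussion above; not from the thread and not
Onity's firmware. Assumption: blank bits read 1 and programming can only
clear them to 0 (invert the rule for parts whose blank state reads 0).
"""


def otp_program(original: bytes, desired: bytes) -> bytes:
    """What the part actually holds after trying to burn `desired` over
    `original`: only 1 -> 0 transitions take, so the result is a bitwise AND."""
    return bytes(o & d for o, d in zip(original, desired))


def otp_patch_report(original: bytes, desired: bytes):
    """Return (feasible, violations).

    violations is a list of (offset, bitmask) giving the bits that would have
    to go 0 -> 1, which OTP cannot do; feasible is True only if it is empty."""
    if len(original) != len(desired):
        raise ValueError("images must be the same length")
    violations = []
    for off, (o, d) in enumerate(zip(original, desired)):
        need_set = (d & ~o) & 0xFF  # bits that are 0 now but 1 in the patch
        if need_set:
            violations.append((off, need_set))
    return (not violations, violations)


def placements(original: bytes, wanted: bytes) -> list:
    """Offsets at which the byte sequence `wanted` could be burned in place by
    clearing bits only, i.e. every set bit of `wanted` is already set in the
    original. This is the 'large amount of luck' the comment refers to: a
    patch or a redirecting jump can only land where the existing bytes happen
    to be a bitwise superset of the new ones."""
    hits = []
    n = len(wanted)
    for off in range(len(original) - n + 1):
        window = original[off:off + n]
        if all((o & w) == w for o, w in zip(window, wanted)):
            hits.append(off)
    return hits


if __name__ == "__main__":
    # Constructed toy image, not real lock firmware.
    image = bytes([0xFF, 0xF0, 0x0F, 0x00])
    good = bytes([0x0F, 0xF0, 0x0E, 0x00])   # only clears bits
    bad = bytes([0x0F, 0xF0, 0x0E, 0x01])    # needs bit 0 of byte 3 set
    print("good patch feasible:", otp_patch_report(image, good))
    print("bad patch feasible: ", otp_patch_report(image, bad))
    print("what the part would hold after burning 'bad':", otp_program(image, bad).hex())
    print("where 0x0E could be placed:", placements(image, bytes([0x0E])))
```

Running it shows the point of the comment: burning the "bad" patch silently yields the AND of the two images, not the intended bytes, and a given opcode can only be placed at the few offsets whose current contents already contain all of its set bits.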
You are right, everything else 1-3 are really just obscurity solutions and not real solutions - thanks for calling me out on that.
Assuming the hotel wins, Onity sends a team in to replace the locks (a relatively simple and already solved problem - that is how the original locks were installed). Then Onity sends the hotel the bill for the replacement service and the hotel says "Sorry, no." Then everybody fights in court over the retrofit bill for another 10 years.
'Internet' isn't their business - providing rooms, is.
But, really, this isn't a problem. The available maintenance staff takes care of it, or they have a local locksmith team spend a week at it.
Knowledge is power. We shouldn't censor ourselves because someone somewhere can be evil with some information. They have other ways of getting the information anyway.
Assuming the goal is to minimize harm, then when to disclose depends on an interplay of several factors. Here are some of them:
1. How many people will discover and exploit the flaw on their own if it is not publicly disclosed.
2. How many people will exploit it if they find out about it, but will not discover it on their own.
3. How fast knowledge of the flaw will spread to the people of #2 without public disclosure. E.g., through word of mouth in hacker or researcher circles.
4. How many users of the flawed system will be able to use knowledge of the flaw in order to protect themselves from the people of #1 and #2.
5. How long the flaw will remain available.
6. How lessons from this flaw will teach others to build more secure systems.
Disclosure affects #2 (disclosure increases harm), #4 (disclosure decreases harm), sometimes #5 (disclosure might push a vendor to action), and #6 (disclosure decreases harm).
This is not such a case; the vendor had no reasonable way of fixing this. Others had probably already discovered (and used) this vulnerability, and in the long term fixing this vulnerability quickly requires motivating the company to do so. Disclosing it privately wouldn't have held much benefit, and might have been detrimental (the company may have tried to use legal means to prevent or penalize the public disclosure).
[This is why the frequent suggestions you hear "oh, why can't we replace <system X> with a smartphone app!" are so stupid. Optional smartphone support for convenience features = nice plus; mandatory smartphone = idiotic.]
- Use an industry-standard (for the time) crypto algorithm for cards, and use the biggest key size possible. As it stands, they use a (horrible) proprietary algorithm and 32-bit keys.
- Make the lock know which door it's actually for and encode a list of acceptable lists along with the code key values on the card. This prevents a card from one door from opening another door. Not a huge security issue, but it happens more often than you'd think.
- Use secure, authenticated protocols for programming the lock. This is really the critical part; unauthenticated, raw memory reads/writes are just not OK.
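To make the last two points concrete, here is an added example (not Onity's protocol and not the researcher's own proposal) of what an authenticated programming frame and a door-bound card can look like. It is constructed illustration code: the frame layout, the use of a property-wide key shared by the front desk and the locks, the monotonic counter used against replay, and the truncated HMAC-SHA256 tag are all assumptions of this example. The unauthenticated `raw_write` is kept alongside as the baseline the comment objects to.

```python
"""Authenticated lock programming and cards bound to a list of doors.

Added example; not Onity's design and not code from the thread. Assumptions:
one property-wide key shared by the front desk and every lock, a per-lock
monotonic counter for replay protection, and a 128-bit HMAC-SHA256 tag.
"""
import hashlib
import hmac
import struct

TAG_LEN = 16  # 128-bit tag, versus the 32-bit keys criticised in the thread


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def make_program_frame(key: bytes, lock_id: int, counter: int, addr: int, data: bytes) -> bytes:
    """Front-desk side: lock_id(4) | counter(4) | addr(2) | data | tag(16)."""
    body = struct.pack(">IIH", lock_id, counter, addr) + data
    return body + _tag(key, body)


def make_card(key: bytes, lock_ids) -> bytes:
    """Front-desk side: n(1) | n lock ids (4 each) | tag(16).
    The card names the doors it opens, so a card for room A cannot open room B."""
    ids = list(lock_ids)
    body = bytes([len(ids)]) + b"".join(struct.pack(">I", i) for i in ids)
    return body + _tag(key, body)


class Lock:
    def __init__(self, lock_id: int, key: bytes):
        self.lock_id = lock_id
        self.key = key
        self.last_counter = 0          # highest programming counter accepted
        self.memory = bytearray(64)    # toy configuration memory

    def raw_write(self, addr: int, data: bytes) -> None:
        """The insecure baseline: anything on the connector may write memory."""
        self.memory[addr:addr + len(data)] = data

    def program(self, frame: bytes) -> bool:
        """Accept a frame only if it is authentic, for this lock, and fresh."""
        if len(frame) < 10 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Verify before interpreting anything; constant-time comparison.
        if not hmac.compare_digest(_tag(self.key, body), tag):
            return False
        lock_id, counter, addr = struct.unpack(">IIH", body[:10])
        if lock_id != self.lock_id or counter <= self.last_counter:
            return False               # wrong door, or a replayed frame
        data = body[10:]
        if addr + len(data) > len(self.memory):
            return False
        self.last_counter = counter
        self.memory[addr:addr + len(data)] = data
        return True

    def present_card(self, card: bytes) -> bool:
        """Open only for an authentic card that lists this lock's id."""
        if len(card) < 1 + TAG_LEN:
            return False
        body, tag = card[:-TAG_LEN], card[-TAG_LEN:]
        if not hmac.compare_digest(_tag(self.key, body), tag):
            return False
        n = body[0]
        if len(body) != 1 + 4 * n:
            return False
        allowed = struct.unpack(">%dI" % n, body[1:])
        return self.lock_id in allowed


if __name__ == "__main__":
    key = b"\x11" * 32                 # constructed demo key
    room_101, room_102 = Lock(101, key), Lock(102, key)
    frame = make_program_frame(key, 101, 1, 0, b"\x01\x02")
    print("fresh frame accepted:", room_101.program(frame))
    print("same frame replayed:", room_101.program(frame))
    print("frame for 101 sent to 102:", room_102.program(frame))
    card = make_card(key, [101])
    print("card opens 101:", room_101.present_card(card))
    print("card opens 102:", room_102.present_card(card))
```

Note what each rejection path buys: the tag stops anyone without the key from writing memory at all, the counter stops a captured frame from being replayed, and the lock id inside the authenticated body stops a frame or card for one door from being accepted at another. A real deployment would also want expiry on cards and a per-lock key for programming so that extracting one lock's key does not compromise the whole property; both are left out here for brevity.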
That phrase is misused and misunderstood on the net almost as much as Benjamin Franklin's statement on freedom and security.
It means that you should not rely on obscurity to keep a system safe. In the long run, you have to assume the bad guys will find out all your bugs. If someone were suggesting that the flaw not be disclosed and that it would be OK for the vendor to not fix it since it is not disclosed, that would be attempting "security through obscurity" and would be bad.
We aren't talking about the long run here. The relevant question here is if in the time it takes to deploy a fix, will more people be harmed if the flaw is widely known than if the flaw is kept quiet while the fix is being deployed.
To answer this question, you need to consider several factors, including (1) what steps customers who learn of the flaw can and will actually do to mitigate its effect on them, (2) whether customers will actually learn about it, (3) how many bad guys who would not have discovered it on their own will exploit it after it is disclosed.
The BLS says that the median wage for "Maids and Housekeeping Cleaners" is $9.32. Federal minimum wage is $7.25 per hour. Obviously then, most are not paid minimum wage.
In any case, people also want a long-term job. An aspect of keycard entry is that you have a record of what people entered the room. If only one person entered when something was stolen, then that person is a definite suspect, and may be fired. But if it's possible to circumvent that security, then it's also possible to frame others.
Yes. Seriously, is that even a question? Wouldn't you?
Higher wages mean two things: the staff have more to lose by being fired, and by implication the hotel puts more effort into its staff. Which means they're probably recruiting more carefully and putting more effort into staff loyalty once they're there.
I don't think wages affect honesty to any great extent, no. I think bad working conditions affect honesty a lot more.
If you believe this to be true, do you ask the hotel how much they pay their cleaning staff, and choose the one with higher base pay? How much more are you willing to pay to be in a hotel which pays their employees a higher wage?
Higher wages mean other things than those two. It could mean that it's harder to get staff because there is better employment elsewhere, so there's less risk to being fired for suspicion of theft because it's not hard to find a new job. It could be because the union is strong and able to negotiate better than management, while management actively wants to break the union by treating their cleaning staff poorly in the hopes that the staff will steal, so management has reason to fire them and blame the union for protecting thieves.
(Yes, the latter sound much less likely than the former.)
Since seeing this video last year, I have yet to find a hotel safe that I can open with all zeros. In the end, I figure that if someone really wants to steal my stuff, they'll eventually find a way.
If the hotel wants to fit a lock that doesn't prevent easy access to my room, and my stuff gets stolen, they can meet my lawyer.
Did that ever happen? Have you written anything on that?
It went better than I could've ever imagined; it was topping the front page for a while! Seriously awesome experience.
Thanks for doing it.
Sure, but the two are closely correlated.
>do you ask the hotel how much they pay their cleaning staff, and choose the one with higher base pay? How much more are you willing to pay to be in a hotel which pays their employees a higher wage?
I'd be surprised if they handed that information out, and it's not worth a great deal of research. But if I do happen to know then it changes how much I'm willing to pay for a given hotel, yes. I haven't calculated every facet of my internal hotel-pricing model (and it's almost certainly nonoptimal in some way - just not worth the effort to optimize), but I've certainly been known to pay more for a hotel I had a better impression of, and on the (IIRC unique) occasion when I happened to know what the cleaners at one were paid I'm pretty sure that was one of the factors.