In association with heise online

10 December 2012, 13:24

Lock maker starts to pay for hackable lock fixes

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Padlock icon

Onity, the hotel security company, is replacing or repairing its Onity locks for free after design flaws left the locks vulnerable to being compromised with a $50 device, according to a report in Forbes. At the Black Hat conference in July, a security researcher named Cody Brocious showed how it was possible to hack a popular system of hotel door locks, the Onity HT, using an Arduino-based controller. Initially, the lock attack was not reliable, but was later refined to be much more effective and easier to carry.

This in turn led to the technique apparently being used by criminals who found the method left no signs of a forced door or picked lock. Now, according to memos and texts seen by Forbes, the lock maker is offering board upgrades for free to a number of hotel chains, but only for locks installed since 2005. The upgraded boards specifically address the issues raised by Brocious's research, but the company does say the upgrade is "conditioned on the franchisee’s acknowledgement that Onity does not guarantee a lock’s invulnerability to hacking". For locks older than 2005, a replacement board is apparently available for $100.

Brocious recently discussed the issue of responsible disclosure, saying that the reports of break-ins using the vulnerability left him "both horrified and vindicated". He examines the disclosure options that were available to him and explained how he concluded that full public disclosure was the only route to ensuring the issue got fixed as soon as possible – arguing against responsible disclosure of security issues where a product is in widespread use, is difficult to fix, and exposes customers to severe risk.

Onity had originally planned to generally offer to fit a mechanical cap over the access port or to ask customers to pay for a "firmware upgrade" where the board in the lock would be replaced. This plan was apparently removed from its site in the following weeks. Now, it appears the company has moved to a more heavily subsidised approach to resolving the problem.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit