When you slipped the credit-card-sized plastic key into the hotel door lock, what did you expect to happen?
Normally, the door opens.
Sometimes it takes a few attempts to get everything to line up, see the green light, hear the click, and open the door. Once inside, the back of the door warns us about responsibility for our valuables and safety, complete with 1-2 additional locks and possibly a safe for valuables.
A lock made by the Onity company was “discovered” -- some number of years ago -- to possess a vulnerability where an attacker with the right hardware, programming knowledge, and physical access to the door could interrogate the lock to decipher the key and cause it to open.
While it made news at the security conference, it put the hotels using the lock (reported at somewhere around 4 million locks) on the defensive. Now that the vulnerability was public, they felt compelled to act.
Initially, Onity presented two options to the hotels using the lock:
- Physically cap access to the logic board -- for no charge
- Pay to replace the logic board, configured to resist this specific attack
Upset at the prospect of shelling out additional dollars for the locks, the hotels banded together and sued Onity. Recently, the judge ruled in Onity’s favor. That created a stir in the security community, with many decrying the vulnerability. We discussed it on the Down the Rabbithole Security Newscast, and we saw it differently (take a listen here).
When you buy a door lock, what do you expect?
The answer needs to address why you bought the lock in the first place. Beyond a seemingly obvious answer “to lock the hotel room door,” what purpose does the lock serve?
Buying a lock ranges from a quick trip to the hardware store to a careful and thorough evaluation of the purpose of the lock. In the realm of physical security, locks, safes, and other such protections offer guidance on the strength and complexity -- and the time, knowledge, and tools required for someone to bypass or defeat the mechanism.
When considering the Onity case, what is the reasonable expectation of a lock for a hotel room?
The hotel needs to be able to provide multiple authorized people access, some for a limited time. Between maintenance, housekeeping, security, and of course, guests, the door lock plays a somewhat interesting, if not unique, role in controlling access.
What does -- or should -- a guest expect?
While I’ve avoided coming back to a robbed hotel room, I’ve experienced the pain and shock of having someone break into our RV and steal all our electronics (laptops, phones, cameras, etc). Our RV was roughly the size of a hotel room, and the experience shaped how I protect my valuables (and myself) when I travel.
Perhaps my experience shades my expectation, and maybe I’ve watched too many action movies, or just been in security for nearly two decades. I don’t expect much from the lock.
I do, however, expect that there are additional mechanisms available to me so I can layer my defenses. Many hotel rooms include safes large enough to hold laptops, electronics, and other valuables. They have locking deadbolts and additional chains/bars to afford additional security once inside the room.
How much confidence do you place in a lock?
The function of a lock is not to prevent access, but to delay it. Since it can be defeated, a lock is only part of the solution.
How do you test it? How do you measure the delay to determine if it’s sufficient to meet your requirements?
When thinking about the appropriate level and approach to purchasing, testing, and installing the lock, consider the value of what it needs to protect. Or consider the liability likely to be imposed. Hopefully this is a defined value available to hoteliers.
What is interesting about this case is the lament that the door lock can be defeated with $50 of technology. That discounts the programming knowledge and the physical access required, and it assumes the attack works every time, without fail.
How does that compare to a $10 crowbar? What about the social engineers (also popular at conferences) who can talk their way into a room, or convince someone with a master key to let them in? How is this different from buying and learning to use a lockpick set?
Plenty of security conferences and events have ‘lockpicking villages’ and support efforts to help us get a better understanding of how physical locks work. Whether you have hands-on experience picking a lock or not, most people realize locks can be picked.
Realizing this is what prompts most hotels -- and organizations -- to include other methods of prevention, detection, and response. This includes cameras, security staff, ‘patrols’, and other tools designed to protect sensitive areas and ensure the safety of employees and guests.
What the judge had to say
The judge ruled in favor of Onity for three reasons (read the decision here):
- The hotels suffered no harm; the cost of upgrading the mechanism was not deemed a harm (partly because of #2)
- The lock still functions as expected; it locked and unlocked the door as advertised and expected, (see #3)
- Someone breaking the lock is breaking the law; if someone possessed the tools and knowledge to break the lock, doing so with electronics or otherwise is still breaking the law
Seems to me the judge got it right.
Maybe the hotels didn’t consider or evaluate the technology as thoroughly as they could/should have.
Lesson learned. Hopefully.
Minimally, a clear takeaway is the need to get a better understanding of the warranty. It likely means specifically asking about potential vulnerabilities in software code, time to resolution, cost of repairs, and potential for upgrades. It doesn’t mean the provider is always responsible; what matters is our understanding of the risk.
In the end, the ruling is likely to be appealed. It also seems that Onity is working with their customers to find satisfactory solutions. Good for Onity. Good for the hotels. Good for all of us.
And yet, locks are still locks. Their primary role remains the same -- provide a layer of protection and delay someone’s attempt to gain entry.
Learning and improving our practices from this experience
The major lesson to take away -- for any aspect of security -- is that we need to clearly understand and document the challenge we’re trying to solve. Then select solutions and test them, appropriately, against the range of anticipated (and even some unanticipated) challenges, attacks, and scenarios.
As the merging of physical and cyber security continues, the clearer and more thoughtful we are in our actions, the better the outcomes.
What do you think? Did the judge get it right? Do we have the right expectation of locks? Are we properly considering, testing, and implementing ‘new’ technologies in our organizations?