• United States



Lock picking hotel rooms like James Bond

Oct 07, 20124 mins
Data and Information SecurityMicrosoftSecurity

At the Black Hat security conference, a hacker picked Onity hotel keycard locks in less time than it takes to blink. These locks are in about 22,000 hotels worldwide, leaving about four million vulnerable to hacking. Matthew Jakubowski and some hackerspace pals took a 'boring' black pen and built a cool, very small prototype they d믭 'James Bond's dry erase marker: the hotel pentest pen.' Push the pen into the DC port on the underside of the hotel keycard lock and it instantly pops the lock open.

Have you ever envied James Bond for his ‘toys,’ his spy tools disguised as innocent objects? If so, then you’ll be happy to know that for about $30 you can now build a pen-sized device that looks like a dry erase marker…but it will open about four to five million hotel keycard locks.

Let’s back up a second to the Black Hat security conference, where Cody Brocious showed just how easily he could pick a hotel keycard lock in less time than it takes to blink. Onity boasts that its locks secure rooms in about 22,000 hotels worldwide, but Brocious said it’s “stupidly simple” to hack them. He added, “It wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments. An intern at the NSA could find this in five minutes.” To exploit the lock, Brocious plugged an Arduino microcontroller into the DC power port located underneath the keycard lock. He discovered he could read the 32-bit key stored in the lock’s memory location and was able to spoof the type of portable programming device used by hotels to set master keys.

Inspired by Brocious, and his detailed description of how the hack works, a trio of hackers set out to make a smaller version of the lock-picking device. Matthew Jakubowski, a penetration tester and security researcher with the Trustwave SpiderLabs, and two fellow hackerspace hackers, Josh Krueger and Jordan Bunker, took an otherwise ‘boring’ black pen and built a working prototype. Their creation was dubbed “James Bond’s dry erase marker: the hotel pentest pen.” Push the pen into the DC port on the underside of the hotel keycard lock and it instantly pops the lock open.

Jakubowski wrote, “I already had the door lock from a previous eBay purchase that I may or may not fully remember. The next step was getting an Arduino. This part wasn’t too hard either since every hacker and their grandmother should have about 50 of these” lying around. He provided a complete list of parts and a diagram so you can “create your own hotel door opener pen.”

“I guess we wanted to show that this sort of attack can happen with a very small, concealable device,” Jakubowski told Forbes. “Someone using this could be searched and even then it wouldn’t be obvious that this isn’t just a pen.” With about $30 worth of hardware, it only took the trio about eight hours to build the inconspicuous lock-picking pen.

Brocious wanted Onity to step up and fix the lock security vulnerability. On July 25, Onity wrote about the Black Hat lock hack and said it “places the highest priority on the safety and security provided by its products.” It was “developing a firmware upgrade for the affected lock-type. The upgrade will be made available after thorough testing to address any potential security concerns.”

On August 13, the company responded by suggesting a free patch in the form of a plug to stuff into the DC port “to prevent a device emulating a portable programmer from hacking the lock.” Yet the other half of implementing a “two-tiered approach” involved charging customers a “nominal fee” for upgradable control boards, as well as charging for “shipping, handling and labor costs for installation.” Property owners with older lock models that didn’t have an upgradable control board were offered “special pricing programs” to “help reduce the impact to upgrade.” Carrying the cost over to its customers does not encourage hotels to fix the insecure-by-design locks. After that controversial solution, the company then deleted the post and replaced the statement with contact information for its hotel customers. Here’s a screenshot of Onity’s original post about the security vulnerability.

Other hackers, also inspired by Brocious, have developed their own devices to pick Onity locks. However, the James Bond lock-picking pen seems to be the smallest and perhaps the coolest yet.

Like this? Here’s more posts:
  • Time to disable Java AGAIN: 1 billion at risk from newest critical Java bug
  • Feds Warn of Zombie Apocalypse! Buy emergency kit, but you might be a terrorist if…
  • Senate report: Fusion centers don’t find terrorists, filled with ‘crap’ that violates privacy
  • Smartphone snoop: Even when phone sleeps, digital assistant always eavesdrops
  • ACLU: Electronic Spying Skyrocketed 64% Since President Obama Took Office
  • ‘We will find you’ marketing gone wild: Candy bars that guarantee stalkers
  • Microsoft: Companies should pay Uncle Sam $10k per H-1B Visa to hire skilled foreigners
  • Windows Phone 8 has ‘baked-in cybersecurity goodness’
  • Surveillance State: From Inside Secret FBI Terrorist Screening Room to TrapWire Training

Follow me on Twitter @PrivacyFanatic

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.