Cody Brocious took a rather aggressive way of announcing his research on stage at BlackHat in Las Vegas. Instead of telling Onity about a potential vulnerability with its hotel door locks, Brocious decided to publish code that took him three years to figure out and demonstrated it during his talk.
With Brocious's code, anyone with an Arduino, the popular open-source single-board microcontroller, and some other accessories can unlock potentially millions of hotel locks made by Onity.
Forbes reporter Andy Greenberg got the exclusive, revealing that when he and Brocioius tried out the hack in real hotel rooms, it worked only one out of three times. However, Brocious blames the one-for-three on a time bug, which he says he will fix this week, with some tweaks to the code.
Brocious' day job is a Mozilla software developer. The 24-year-old programmer originally discovered the vulnerability in Onity's system when he worked at a startup that was trying to make a better hotel lock. However, when faced with the choice of telling the vendor or releasing the code that would turn any key into a master key--he chose the latter.
The reason, he says, is that Onity's locks can't be fixed--and too many people already know how to pick them. According to the Forbes article, the startup, Unified Platform Management Corporation, in fact sold Brocious' hack to a locksmith training company last year. In his paper, Brocious wrote "... after much consideration it was decided that the potential short-term effects of this disclosure are outweighed by the long-term damage that could be done to hotels and the general public if the information was held by a select few."
Millions of Onity locks are installed in hotels, so the implications of these findings might be significant if it means hotels have to replace the locks.
When Brocious holds the Adruino up to a lock, it blinks green and mimics a card swipe. There was a lot of reverse engineering done in the protocols. The Arduino connects to the lock, determines the unique code for that lock, and issues the open command. It opens within 200 milliseconds.
He used an Arduino Mega 128, 5.6k resistor, and DC (coaxial) barrel connector that is 5 mm outer diameter and 2.1 mm inner diameter.
"There is a bug with the implementation of this device which prevents it working on some locks. At the moment this is believed to be a timing bug, which leads to the first bit of each byte being corrupted, but this is not certain," Brocious wrote.
"It's too easy to shimmy a coat hanger and open it - ignoring the software aspect. There's too much easy access there. I think it will happen, give it a week before people start picking locks. People will use the information for good and evil and there's nothing I can do about that," Brocious said.
So, how does Brocious get a good night's sleep at a hotel? He feels pretty safe with door chains. He also shoves a towel inside the handle.