It used to be that you only had to worry about maids rummaging through your belongings in your locked hotel room. But now anyone with 50 bucks of hardware and some programming skills can hack their way in—as long as it's locked by keycard.
At the Black Hat security conference yesterday, a hacker named Cody Brocious, a Mozilla software developer, demonstrated how someone could gain instant, untraceable access to millions of hotel rooms protected by key card locks made by Onity.
Every single Onity key card lock has a DC power socket on the base. This socket is used to charge up the battery inside the device, as well as program the lock with the hotel's own sitecode, a 32-bit key that identifies the specific hotel.
For the hack, Brocious simply plugged in his programmed Arduino microcontroller into the socket, which let him read the key from the lock's stored memory. Pretty simple.
All the Arduino needs to do is play back the 32-bit key and voilà—your hotel room door is now open. The whole process takes just 200 milliseconds from plugging the device in to opening the door.
"I plug it in, power it up, and the lock opens," Brocious says.
Right now, as he showed in a demonstration, this only works in about 1 in every 4 doors, but being able to open up 25% of the rooms in a hotel room is still a huge security concern. However, it's possible that it could work on every one with a little more programming effort. And the only fix said to work for Onity is replacing the locks with updated new ones that prevent this from happening.
You can get the whole scoop on the hack over at Brocious's blog. To see the slides for his presentation, click here. If you want to pursue this hack yourself before Onity has a chance to switch out all of their locks, here's the code for the Arduino (at the end, under the "Sketch" heading).
The next time you leave your valuables locked in your hotel room with nothing more than a key card lock, I'm sure you'll think twice, though breaking into a hotel room the old-fashioned way isn't that hard, either.
UPDATE: SpiderLabs took the idea even further, shrinking down the electronics so you can fit them inside of a dry erase marker.