Remember the “hacking hotel locks with an Arduino” bit from a while ago? There’s been a rash of hotel thefts which the hotels attribute to this flaw.
One thing few people noted when the hole came out was how not-responsible-disclosure it was. The guy who came up with it sold the flaw to a school that teaches locksmiths and covert entry types, and then a year later premiered it at BlackHat — without ever bothering to warn the manufacturer.
(Standard practice for physical security — practiced by TOOOL and others — is to work with the manufacturer to fix the flaws, and then announce it. Not only does this keep the world more secure, but it often results in free and interesting locks… to which those of you who’ve tried to pick a certain “SKG two-star” Euro cylinder can attest.)
Still, at least he went public with the hole! In the words of a woman who (after having her laptop stolen using the flaw) started waking up imagining the thief was standing at her desk in the night — “It should be made public so that the hotels can fix it. If people are vulnerable and there’s a fix out there, they need to know.”
“When Wolf returned to the Hyatt in Houston’s Galleria district last September and found her Toshiba laptop stolen, there was no sign of a forced door or a picked lock. Suspicions about the housekeeping staff were soon ruled out, too—-Wolf says the hotel management used a device to read the memory of the keycard lock and told her that none of the maids’ keys had been used while she was away.
With the mystery unexplained, the Hyatt tried to give its guests a sense of security by posting a guard in its lobby. But Wolf couldn’t shake the notion that a thief could re-enter her room at any time. “I had dreams about it for many nights,” says Wolf, a 66-year-old Dell IT services consultant traveling in Houston for business. “I’d wake up and think I saw someone standing there at my desk.”[…]
As for Janet Wolf, an actual victim of the Houston hotel thefts, she blames the Hyatt, not Onity. “If they’re vulnerable to these hackers and they knew this was a problem, to me that’s their fault,” she says.
And would she rather that Onity’s security flaw had never been publicized in the first place?
“No,” she says. “It should be made public so that the hotels can fix it. If people are vulnerable and there’s a fix out there, they need to know.””