Onity Hotel Lock Hacker on Disclosure (and exploiting internal assumptions)

The guy behind the Onity hacker’s put pen to paper on his reasons for releasing the flaw the way he did. The point about manufacturers suing to prevent release is a valid one… especially given the hotel industry’s tendency to retaliate against people who expose security flaws. (I seem to recall a security researcher getting banned from every Marriott(?) in the world for doing something similar.)

Exploiting internal assumptions: I came up with some ideas ages ago after a discussion with a particularly dodgy character, been meaning to toss them out for comments.

Roughly, I think it might be possible to exploit words and phrases that have multiple meanings (e.g ‘wire’*) to figure out someone’s level of knowledge or state-of-mind. Some things have positive or negative connotations depending on context, so dropping them into conversation might elicit revealing microexpressions.

* how many of you thought ‘long bit of metal,’ and how many of law enforcement?

The major hurdle is probably using them without prejudicing the person’s reaction. Engineering a truly neutral context is hard. (Priming would be a huge issue.) The solution might be dropping the conversation framework entirely and using things like posted signs/notices, official/job titles, words printed on clothing, names, etc. (In Canada there was once a ski resort called Tod Mountain — the name was changed after it was pointed out that Tod is German for death, and German tourists are a major market for ski resorts.)

Along this line of thinking, pictures and graphics also have this homonymic quality… even a minor cultural shift can hugely change their import. (Memes are a huge, huge case: a slide of Nyan Cat in the middle of a presentation, and see who snickers vs who’s confused.)


“The standard ‘Responsible Disclosure’ approach would be to notify Onity and give them X months to deal with the issue before taking it public. While this is tried and true, there are several issues with this approach.

Onity, after 20 years and 4-10M locks, has a vested interest in this information not getting out, as it makes them look bad and costs them a significant amount of money. As such, it’s likely that without public pressure — which we’ve seen in the form of unrelenting press coverage — they would have attempted to cover this up. Cases of security researchers being sued by vendors are well known in the industry and not uncommon.

Due to the difficulty in mitigating the issue, it’s entirely possible that only a tiny fraction of hotels would’ve been fixed by the publication deadline, and without such a deadline applying pressure, there’s no reason for Onity to continue to make strides to fix the issue. Don’t Release

This was a genuine option for a long while. While it’s likely that it’s been discovered and exploited long before I even looked at these locks, it was not a well-known attack.

However, I decided that the long-term benefits of this being fixed outweighed the problems certain to be faced in the short term while the flaws were being mitigated. Full Public Disclosure

The last approach is to simply release all information to the public in the most visible way possible. This dramatically increases the odds that someone will use the attack for malicious purposes, which is why it was always a big concern for me.

However, by making it as visible as possible, it puts significant pressure on Onity and the hospitality industry as a whole to fix the issues and get hotel guests back to a safe position. At the end of the day, this seemed like the approach most likely to get a swift response to the problem.”


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: