A graduate seminar: current topics in computer security
 

Full disclosure in the real world

If full disclosure of lock picking aroused the ire of locksmiths in the past, it still does. Here are two reports by Andy Greenberg (a Forbes reporter on security-related issues): (1) one dated 23rd July 2012, on a Black Hat presentation by Cody Brocious on exploiting a certain brand of hotel locks, and (2) one dated 26th November 2012, on a recent robbery from a famous hotel in, yes, Houston! What is the connection, you might ask. Investigators suspect the alleged thief of having used techniques from (1) to break into multiple rooms in the hotel.

The Black Hat presentation discloses the technical details of hacking the locks by plugging an active probe into a small hole under the digital lock (meant for a DC power supply and for inserting the portable programmer used to program the lock) and reading the key. Bear in mind that the PP (Portable Programming) slot is openly accessible, not hidden under the lock panel. An attacker would simply need to walk up to the victim’s door, plug an Arduino board (imitating the portable programmer that hotel staff use) into the PP slot and initiate communication with the lock, specifically causing the lock to give out the key that opens it! It turns out that this brand of locks stores keys in memory and requires no authentication for the read memory command. So an attacker who knows where the keys are stored can easily read the key and simply replay it to open the lock.

It is suspected that the robbery took place using this type of intrusion; apparently opening the door using the PP slot leaves a trace (thanks to good old auditing mechanisms), which led investigators to link the theft to material in the Black Hat talk. This incident raises the question of who is right and who is wrong. It is evident that full (not responsible) disclosure led to a robbery in which a lady lost her laptop. Why didn’t Cody Brocious, the Black Hat researcher, disclose the flaw to the lock-making firm? Let’s suppose that he did. Do you think the firm would go about upgrading millions of installed locks in hotels around the world, or would they simply feel, ‘No harm is going to happen if nobody knows it’, the basis for security by obscurity? Now that the firm has a fix, they are charging customers for their own hardware upgrades? Isn’t it their obligation to fix it for free? It’s not a feature upgrade we are talking about; it is simply about doing what locks are supposed to do.

What can the affected hotels do, you ask? Either pay up for the “upgrade” or go low tech: plug the PP slot with a cap or some gooey concoction they use to fill holes in walls.
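
The audit trail mentioned above can also be put to work by the hotel itself. The following Python script is an added example, not code from the original post or from the lock vendor: it scans a lock audit export for PP-slot openings that no maintenance work order covers and groups them into multi-room bursts. The log format, the `PP`/`CARD` method codes, the work-order list and every sample row are assumptions constructed for illustration.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export, hypothetical format: timestamp,room,method
# "PP" = opened through the portable programmer slot, "CARD" = normal keycard.
SAMPLE_LOG = """\
2024-01-15T10:02:00,1412,CARD
2024-01-15T11:15:00,1412,PP
2024-01-15T14:31:00,1507,PP
2024-01-15T14:38:00,1511,PP
2024-01-15T14:52:00,1603,PP
2024-01-15T15:10:00,1603,CARD
2024-01-15T20:05:00,0903,PP
"""

# Constructed work orders: (room, start, end) when staff may use the programmer.
WORK_ORDERS = [("1412", datetime(2024, 1, 15, 11, 0), datetime(2024, 1, 15, 12, 0))]

def parse_log(text):
    """Parse 'timestamp,room,method' rows into (datetime, room, method) tuples."""
    rows = (row for row in csv.reader(StringIO(text)) if row)  # skip blank lines
    return [(datetime.fromisoformat(ts), room, method) for ts, room, method in rows]

def unauthorized_pp_opens(events, work_orders):
    """Return (time, room) for PP-slot openings no work order for that room covers."""
    flagged = []
    for ts, room, method in events:
        if method != "PP":
            continue
        if not any(r == room and start <= ts <= end for r, start, end in work_orders):
            flagged.append((ts, room))
    return sorted(flagged)

def multi_room_bursts(flagged, window=timedelta(minutes=30), min_rooms=2):
    """Chain openings that follow each other within `window`; keep chains that
    touch at least `min_rooms` distinct rooms (one person walking a corridor)."""
    runs, current = [], []
    for ts, room in flagged:
        if current and ts - current[-1][0] > window:
            runs.append(current)
            current = []
        current.append((ts, room))
    if current:
        runs.append(current)
    return [run for run in runs if len({room for _, room in run}) >= min_rooms]

if __name__ == "__main__":
    flagged = unauthorized_pp_opens(parse_log(SAMPLE_LOG), WORK_ORDERS)
    for run in multi_room_bursts(flagged):
        print("ALERT:", [(ts.isoformat(), room) for ts, room in run])
```

A lone uncovered PP opening (room 0903 in the sample) is still returned by `unauthorized_pp_opens` for follow-up; only the burst grouping filters it out.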
