

Fast opener: with an Arduino board, an Onity hotel room lock can be opened within 200 milliseconds Using an inexpensive Arduino microcontroller board, security researcher Cody Brocious was able to open the Onity HT lock system used to secure rooms by a number of hotels around the globe. Brocious presented his findings yesterday (Tuesday) at the Black Hat information security conference in Las Vegas.

The researcher discovered that the DC power socket on the lock also plays host to the programming interface, normally used by hotel staff to configure the lock. This socket provides enough access to the device that it can be used to retrieve the "sitecode" from the lock's memory without authentication; the sitecode is the private 32-bit unique crypto key that protects the entire locking infrastructure. Brocious programmed an Arduino to retrieve the data, and then used the sitecode and board to unlock the door in question. Opening a door is said to take approximately 200 milliseconds. According to the researcher, the 32-bit code can also be used to program custom master key cards.

Brocious also took a look at the encryption of the data on the magnetic card and discovered that the sitecode can be established within about half an hour using a known-plaintext attack with a single-core CPU. However, two cards for the same room are required for this to be successful. His findings aren't too surprising – after all, the system has been on the market for almost 20 years. Brocious notes that more than four million of these crackable locks are currently in use in hotels worldwide. According to an article in Forbes, when tested with actual hotel locks the device was not as reliable as hoped, but did unlock some doors.

(crve)