Abusing the Internet of Things

(Rick Simeone) #1

of the venue with different master keys, so the master keycard can be limited to a particular
section of the hotel real estate.
However, this remains a severe issue, because a one-time creation of the master keycard
can allow a potential intruder access to an entire section of the hotel.


Unencrypted spare cards
As stated earlier, each subsequent spare card is created with an incremental identifying value
and is not encrypted. These spare cards are used when the encoding machine is not working.
So, if an intruder were to get hold of a spare card with the value 500, that person could create
another card with the value 499 or 501 and attempt to open other locks.
Of course, it is not possible to easily ascertain exactly what doors the newly created spare
card might open, which makes this attack a little difficult to execute.
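An added example, not taken from the book or from Onity: it contrasts a bare incrementing spare-card value with one bound to a keyed MAC, so that holding card 500 gives no way to produce a valid 499 or 501. The card layout, the `door_id` field, the site key, and the tag length are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # assumed tag size for this sketch

def naive_card(value: int) -> bytes:
    # Weak form described in the text: the bare incrementing value, nothing else.
    return struct.pack(">I", value)

def naive_lock_accepts(card: bytes, programmed_value: int) -> bool:
    return struct.unpack(">I", card)[0] == programmed_value

def issue_card(site_key: bytes, door_id: int, value: int) -> bytes:
    # Hardened form: (door, value) followed by an HMAC-SHA256 tag under a site secret.
    body = struct.pack(">II", door_id, value)
    return body + hmac.new(site_key, body, hashlib.sha256).digest()[:TAG_LEN]

def lock_accepts(site_key: bytes, door_id: int, card: bytes) -> bool:
    if len(card) != 8 + TAG_LEN:
        return False
    body, tag = card[:8], card[8:]
    expected = hmac.new(site_key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False
    return struct.unpack(">II", body)[0] == door_id

def with_value(card: bytes, new_value: int) -> bytes:
    # Test helper: change only the value field and keep the old tag.
    door_id, _ = struct.unpack(">II", card[:8])
    return struct.pack(">II", door_id, new_value) + card[8:]

def demo() -> dict:
    key = b"constructed-demo-site-key-000001"  # constructed sample key
    genuine = issue_card(key, door_id=12, value=500)
    return {
        "naive_neighbour_accepted": naive_lock_accepts(naive_card(501), 501),
        "genuine_accepted": lock_accepts(key, 12, genuine),
        "edited_value_accepted": lock_accepts(key, 12, with_value(genuine, 501)),
        "wrong_door_accepted": lock_accepts(key, 13, genuine),
    }

if __name__ == "__main__":
    print(demo())
```

The tag stops a card holder from deriving neighbouring values; it does not stop a byte-for-byte copy of a genuine card, which needs expiry or revocation on top.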


VENDOR RESPONSE
On July 24, 2012, Brocious revealed his research and his paper to the world, providing anyone
armed with a cheap Arduino board with all the information needed to break into millions of
hotel rooms. This also alerted the public to the risk they were taking when staying in hotel
rooms protected by the Onity lock. Onity was put under scrutiny by the public and hotel
owners, who looked to it to provide a solution to the problem.
On July 25, 2012 and August 13, 2012, Onity issued responses, stating that it would
release a firmware upgrade to alleviate the issue. It also promised to insert a mechanical cap
into the programming port to prevent access to the port, along with an additional Torx screw
to secure the mechanical cap.
There were several problems with Onity’s statements. First, a mechanical cap makes it
only slightly harder for the average criminal to break in—only a few additional physical tools
(Torx-based screwdrivers are available for a few dollars in electronics and grocery stores) are
needed to break it open and eventually gain access to the programming port. Also, as pointed
out in Brocious’s rebuttal, the design of the Onity lock does not allow for a true firmware
update without updating the circuit board. Therefore, in reality, hotel owners would have to
replace the actual circuit boards (costly on millions of installed locks) rather than apply a
simple firmware update.
A few weeks after posting its response, Onity removed every trace of it from its website.
Further investigation revealed that Onity had been working with certain hotel chains to
replace circuit boards, depending upon the year the locks were manufactured.
This particular set of security concerns targeting a specific manufacturer reveals critical
issues we must all be cognizant of when it comes to the design of mass-produced devices, the
cost of fixes, and, ultimately, the negative effect on brand reputation for both the
manufacturer (Onity) and the client (hotel chains upon whom patrons depend for their security). First,
it is vital that mass-produced devices contain the ability to issue software-related fixes
whenever possible, because this is less costly and therefore more scalable than hardware fixes. Sec-


CHAPTER 2: ELECTRONIC LOCK PICKING—ABUSING DOOR LOCKS TO COMPROMISE PHYSICAL SECURITY
