Abusing the Internet of Things


When a guest inserts a card into the lock, the data on the card is decrypted using the
sitecode. Next, the expiration date is checked to see if it is still valid. Finally, the keycode value is
checked and the lock opens if it is within the look-ahead range.


THE PROGRAMMING PORT
A programming port, accessible using a DC adapter, is located at the bottom right of the lock.
A portable programmer (PP) device is used to program the lock when it is installed and when
batteries are replaced, which causes memory to reset. Upon installation, the PP is used to
configure the lock with its ident value and keycode value.
The PP can also be used to connect to the lock and issue it commands, such as a
command to open, provided the correct sitecode is supplied.
The PP can additionally be used to read blocks of memory from the lock via the
programming port.


SECURITY ISSUES
Brocious’s whitepaper describes various security issues pertaining to Onity locks. These
issues are important for us to understand because they affect millions of hotel room doors
outfitted with these locks. They also illustrate a lack of basic security controls, a mistake
that other lock makers should avoid.


Microcontroller vulnerability
If the sitecode is known, it is possible to open a lock by connecting to the programming port
using a simple microcontroller, such as the inexpensive ($50 or less) and popular Arduino.
Cody Brocious describes the Arduino code (also known as a sketch) required to open the
lock in Appendix A of his whitepaper. Basically, Brocious’s sketch takes advantage of the fact
that any part of memory can be read from the programming port using the Arduino. Brocious
uses this to read the sitecode from memory and then invokes the open command along with
the sitecode, which causes the lock to open.
This is a severe security issue, given the millions of Onity locks installed in various
locations around the world. Armed with only an Arduino microcontroller purchased at a
neighborhood electronics store, anyone can walk up to a door protected by an Onity lock and open
it. In fact, famous hotel chains such as Holiday Inn, Extended Stay, Quality Inn, La Quinta Inn,
Red Roof Inn, Motel Six, Budget Inn, Courtyard by Marriott, and Comfort Inn have reported
burglaries as a result of this particular security issue.
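
The missing control described above, modeled as an added example (not code from this book or from Brocious's whitepaper): a programming-port read handler as the text describes it, next to one way a lock maker could harden it. The memory map, sizes, return codes, and the `authenticated` flag (assumed to be set by a separate handshake with the programmer) are all hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Constructed memory map for illustration; not the Onity layout. */
#define MEM_SIZE     64
#define SECRET_START 16  /* hypothetical region holding sitecode and keycodes */
#define SECRET_END   32  /* exclusive */
#define SITE_LEN     4   /* assumed sitecode length, stored at SECRET_START */
#define MAX_FAILS    3   /* a real design might use a growing delay instead */

static uint8_t lock_mem[MEM_SIZE];
static uint8_t fails;

/* Fill memory with constructed sample data; the secret region holds 0xA5. */
void mem_init(void) {
    fails = 0;
    for (int i = 0; i < MEM_SIZE; i++)
        lock_mem[i] = (i >= SECRET_START && i < SECRET_END) ? 0xA5 : (uint8_t)i;
}

/* Behaviour described in the text: any block is returned, no caller checks. */
int port_read_weak(uint16_t addr, uint8_t len, uint8_t *out) {
    if (addr >= MEM_SIZE || len > MEM_SIZE - addr) return -1;
    memcpy(out, &lock_mem[addr], len);
    return len;
}

/* Hardened: the caller must be authenticated, and the secret region is never
   sent over the port, even to an authenticated programmer. */
int port_read_hardened(int authenticated, uint16_t addr, uint8_t len, uint8_t *out) {
    if (!authenticated) return -2;
    if (addr >= MEM_SIZE || len > MEM_SIZE - addr) return -1;
    if (addr < SECRET_END && addr + len > SECRET_START) return -3;
    memcpy(out, &lock_mem[addr], len);
    return len;
}

/* Hardened open command: constant-time sitecode comparison plus a limit on
   wrong guesses, so the sitecode cannot be brute-forced through the port. */
int port_open_hardened(const uint8_t code[SITE_LEN]) {
    if (fails >= MAX_FAILS) return -4;
    uint8_t diff = 0;
    for (int i = 0; i < SITE_LEN; i++)
        diff |= (uint8_t)(code[i] ^ lock_mem[SECRET_START + i]);
    if (diff) { fails++; return 0; }
    fails = 0;
    return 1;
}
```

With the weak handler the open command's only secret is readable through the same port that accepts it; the hardened handler keeps that secret on the device.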


Master keycode in lock memory
Master keycards can be created by reading the master keycode from the lock memory. This
value, in addition to the sitecode that can also be read from memory, can be used to construct
master keys. As stated previously, the hotel may choose to segment locks in different sections

