Burglar exploits hotel lock security flaw

Posted by Emma Woollacott

A Texas hotel says that a spate of break-ins were carried out by hackers exploiting a security vulnerability in rooms' electronic locks.

This summer, Mozilla software developer Cody Brocious demonstrated how it was possible to break into hotel rooms using cheap and widely available hardware to hack locks produced by Onity.

"I plug it in, power it up, and the lock opens," Brocious told Forbes at the time. "With how stupidly simple this is, it wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments... An intern at the NSA could find this in five minutes."

And now, it seems, someone has. The Hyatt House Galleria in Houston has told Forbes that a string of burglaries in September was carried out using just this hack. A 27-year-old, Matthew Allen Cook, has been arrested, after a laptop stolen to the hotel was found in a pawn shop and traced to him.

The Hyatt apparently became aware of the security vulnerability in Agust, but says it took Onity months to develop a fix. Worse, says Forbes, it's asking hotels to pay for the hardware changes themselves, or settle for a little plug for the affected portable programmer plug.

"The deployment of this second solution, for HT series locks, will involve replacement of the control board in the lock," wrote the company, in a statement that's since been removed from its site.

"For locks that have upgradable control boards, there may be a nominal fee."

That's not good enough, according to Brocious.

"If such a significant issue were to exist in a car, customers would likely expect a complete recall at the expense of the manufacturer," he says in a blog post. "I can't help but feel that Onity has the same responsibility to their customers, and to customers staying in hotels protected by Onity locks."