Saturday, July 28, 2012

Onity HT lock provides its own key when questioned

The vulnerability found by Cody Brocious and presented at BlackHat Las Vegas 2012 deserves an entry in this blog. The Onity HT lock is installed on a huge number of hotel doors around the globe, and you might have already seen it if you have stayed in a couple of hotels.


This picture was extracted from Cody Brocious' talk at BlackHat 2012 in Las Vegas.

Even more disturbing is the vulnerability that Cody discovered. Every lock has a small barrel-type DC power socket on the bottom. This is used to charge the battery when it is empty, but also to program the lock. Every hotel has its own random sitecode installed, which is used to encrypt/decrypt cards, program locks or open locks. This 32-bit key, however, is stored in the lock's memory, and by connecting to the power socket an attacker can extract the key. Moreover, the key is always stored at the same location, and no authentication at all is needed to extract it.


More information can be found on Cody's website: http://daeken.com/blackhat-paper

Friday, July 27, 2012

Free cigarettes, anyone?

I know that is a very simple and very obvious one, but do not leave your cash / ATM card unattended in a public space!



We got that one sent in at the end of last year before Christmas shopping, but the honest finder did return it to the person to whom the card belonged. It is interesting, though, how much information somebody could get out of a card, apart from the money, of course. There is still some information stored on the magnetic stripe of the card, and magnetic stripe card readers are easy to obtain.
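
What a stripe reader returns from such a card, as an added example that is not part of the original post: a parser for the ISO/IEC 7813 Track 1 and Track 2 layouts that lists the exposed fields and masks the card number. The sample data is constructed (a standard test card number and a made-up name), and the function names and the "20" expiry century are assumptions.

```python
import re

# ISO/IEC 7813 layouts (sentinels and separators as a reader emits them):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan):
    """Luhn checksum of a card number; filters out arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the first six and last four digits, hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _record(track, pan, name, exp, svc, disc):
    # Century "20" is an assumption; the stripe stores only YYMM.
    return {"track": track, "pan": mask(pan), "name": name,
            "expires": f"20{exp[:2]}-{exp[2:]}", "service_code": svc,
            "discretionary_len": len(disc)}


def read_stripe(raw):
    """Return the fields each track exposes, with the card number masked."""
    found = []
    for m in TRACK1.finditer(raw):
        pan, name, exp, svc, disc = m.groups()
        if luhn_ok(pan):
            found.append(_record(1, pan, name.strip(), exp, svc, disc))
    for m in TRACK2.finditer(raw):
        pan, exp, svc, disc = m.groups()
        if luhn_ok(pan):
            found.append(_record(2, pan, None, exp, svc, disc))
    return found


# Constructed sample: an industry test card number and a made-up cardholder.
SAMPLE = ("%B4111111111111111^DOE/JANE^14121010000000000?"
          ";4111111111111111=14121010000000000?")
```

Track 1 carries the cardholder name in clear text alongside the card number, expiry date and service code; Track 2 repeats everything except the name.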