Arduino breaks hotel locks

[april.steel]

Nobody else has posted it . I suppose they all want to try it first
Hacker Uses Arduino to Gain Access to 4 Million Hotel Keys : arduino

Look back on Hack a day

http://www.extremetech.com/computing/133448-black-hat-hacker-gains-access-to-4-million-hotel-rooms-with-arduino-microcontroller

[nickgammon]

I'm a little uncertain whether we should let this thread stand. On the one hand, it seems to encourage breaking into hotel rooms. On the other hand, the information is already out there. And really, the doors sound stupidly insecure. Did the designers never think ahead to the day when someone might crack their system? Really easily?

There have been arguments in the past that if you discover a security weakness, that you should say nothing. But then the weakness is still there, and someone else may discover it, or indeed already be exploiting it. Maybe some good will come of this. Hotels might demand the doors be upgraded. Surely the firmware could at least be improved. Hotel guests and staff will be a little more suspicious if they see someone hanging around doors with an Arduino in their hand. And guests might think twice before leaving valuables in their room.

[april.steel]

You need to read it a bit more thoroughly Nick.
There is no firmware
The post is certainly out there and very public see his blog and follow the URLs
Ten years they have known about it

His pdf gives much more - details of the encryption used , master card making ,copy keys and the portable programmer. The Arduino demo is but a small part.

Is the censors knife out already?

[nickgammon]

I hadn't read the report at that stage. I was addressing the concern (raised by others) that your post may spur people to illegal activities.

Having read the report now, it doesn't seem to rule in or rule out that the lock hardware has firmware. Considering it uses a 1-wire communications system, stores property keys (presumably in EEPROM) and does crypto, it would be reasonable to assume it has some sort of microprocessor. Given that, presumably it could, with more or less difficulty, be reprogrammed to avoid this flaw.

I don't see that hotels that use this system are a heap worse off than ones that simply issue keys, because keys can be copied. I think a prudent hotel guest would not leave valuables lying around, and would also use the interior bolt when going to sleep.

But it is an interesting demonstration that a high-tech solution is not necessarily secure, and in addition, keeping all the details secret have simply hid how badly designed it is.

[udoklein]

IMHO almost all hotel locks are secure enough. The question is always: how easy is it to get into the room without key? (Think about fooling or bribing the maid, no high tech needed at all). The other side is: how expensive would more secure locks be? Especially with regard to maintenance? My conclusion is that the main reason for high tech locks is to make the "lost key scenario" cheaper.

Anyone who thinks that electronic locks are here to increase security is completely on the wrong track.

[Jantje]

There are many "known security issues" in this world. if they are not used "to often" the issue is not fixed.
Best regards
Jantje

[nickgammon]

... how easy is it to get into the room without key? (Think about fooling or bribing the maid, no high tech needed at all).

He's right. Many times I've returned to my room when it is being cleaned. I just walk past the maid, smile, sit down and read the newspaper. I never get challenged.

Of course if it was not my room the real guests might return any moment, that is a danger. But that also applies if you break in with some fancy key system.

[Grumpy_Mike]

A lock only ever stops an honest man. So the degree of "security" it offers is irelevant.

[april.steel]

It  was never my intention to start a thread on lock breaking and security and I agree with the posters.

My  posting is due to  amazement at the uses of Arduino controllers in everyday life and the acceptance of electronic solutions in ever increasing situations .
A knowledge of micro controllers is now a much needed asset