A Hotel Lock Vulnerability Fixed - With A Cost
On a special Day Zero Briefing at Black Hat USA, Mozilla software developer Cody Brocious demonstrated how a device that cost less than $50 can crack the encryption used by Onity, one of the larger hotel room lock vendors. Now Onity has proposed a solution, but with a cost.
According to Forbes.com, the vendor says it has two solutions. One, a cap that covers the data port used by Brocious, is the least expensive, but requires owners of the locks to physically install it. The other solution is more long-term, but requires a "nominal fee" for the fix.
In the Forbes article Brocious criticized Onity for passing the expense of the fix onto the customer. “This [cost] will not be insignificant, given that the majority of hotels are small and independently owned and operated. Given that it won’t be a low cost endeavor, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger,” he said.
It is an interesting problem. As I wrote in my book When Gadgets Betray Us, "when the Kryptonite lock flaw surfaced a few years ago, the bicycle lock company not only fixed the problem going forward, but also replaced a number of the defective locks retroactively. It had to. Kryptonite, a division of Ingersoll-Rand, is enormously popular with the biking community, and the company's reputation depended on the trust that bicycle owners worldwide had in its product. The company soon switched to the more secure disc-style cylinders. But it took public disclosure to get them to make that switch."
With Onity, they're in a different position. Millions of hotels already use the locks and will continue to use their devices. Unlike Kryptonite, Onity's in a position to ask that customers pay for the fix.
Going forward, it remains to be seen which method of fix--vendor provided or customer sponsored--wins out in the hardware universe.