Hotel security pen test

Discussion in 'Travel Security' started by viguera, Oct 22, 2012.

  1. viguera
    Original Member

    viguera Gold Member

    Messages:
    4,737
    Likes Received:
    6,913
    Status Points:
    4,745
    You might or might not have seen the recent buzz around the security problems with hotel locks. There are of course quite a few people out there that believe in "security through obscurity" and the problem is that not everybody thinks like that -- more specifically the "Black Hat" community.

    Keeping that in mind, you should really, REALLY not leave any valuables in hotel rooms (the safe isn't that safe after all, but that's another topic), but that will be reinforced if you get a chance to do some "light" reading on the topic.

    The first link is a paper on how the Onity HT locks are designed and their vulnerabilities. It's somewhat heavy on the technical aspects of the encryption, but suffice it to say that the system is extremely insecure, as you can easily read the hotel's sitecode and make yourself a master key if you simply have physical access to one of the locks.

    http://demoseen.com/bhpaper.html

    The second link is worse, as it's basically an extension of the first... someone takes the information and puts it into practice by taking all the knowledge and squeezing the components into an Arduino device concealed as a dry erase marker.

    http://blog.spiderlabs.com/2012/10/pentesting-hotels-with-pens.html

    In theory, if you happened to be evil enough, you could book yourself a room at a hotel that uses these locks and go through your floor opening doors and grabbing valuables.

    So yeah... I suppose the bottom line is don't try this at home, but also make sure you are aware of what's possible so you're not surprised that pretty much anyone with enough knowledge can break into your room on a whim.
     
  2. USAF_Pride
    Original Member

    USAF_Pride Gold Member

    Messages:
    2,108
    Likes Received:
    4,015
    Status Points:
    2,545
    Onity's Plan to Mitigate Hotel Lock Hack

    This is an interesting read on the "Fix" and the response from Cody. I honestly think most hotel owners will be too lazy/cheap to implement any sort of fix.
     
    viguera likes this.
  3. viguera
    I think it's ridiculously irresponsible though... there's a clear security vulnerability and all they're doing is providing a cap with a screw to prevent access for the time being, with the long term solution being a replacement board for the locks to update the firmware, but they're leaving it up to the property owner to pay for everything -- labor costs and even shipping.

     
    USAF_Pride likes this.
  4. Hello Community,

    A pen test is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders. The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. Security issues uncovered through the penetration test are presented to the system's owner. Effective penetration tests will couple this information with an accurate assessment of the potential impacts to the organization and outline a range of technical and procedural countermeasures to reduce risks.

    Best Regards,
    Abelard Balthasar

     
  5. viguera
    TRAVELSIG likes this.
  6. TRAVELSIG
    Original Member

    TRAVELSIG Gold Member

    Messages:
    3,942
    Likes Received:
    5,509
    Status Points:
    4,145
    Viguera- your first piece of advice was the best- never leave valuables in a hotel room.

    I also always leave the "Do Not Disturb" sign on the hotel door when I go out- while by no means a guarantee it helps a little bit.
     
    viguera likes this.
  7. viguera
    Yeah, depending on my schedule, I do that as well. Of course the biggest problem is that if you actually want housekeeping to refresh the room, then you have to time it so that the sign is not up when they show up. I often find that leaving the TV / radio on in the room and the sign on the door is a good way to "fake" the room being occupied, which might be a deterrent for someone "fishing" for an empty room.
     
    TRAVELSIG likes this.
  8. TRAVELSIG
    Particularly in Europe the rooms are usually set up to turn off the power when leaving the room and require the key to be inserted to reactivate the power- as such the TV/radio idea is a bit more difficult. What I normally do is call and ask for my room to be serviced as in "Please send someone to service my room now" when I go for breakfast- on returning from breakfast and prior to going to meetings/etc I put out the DND sign for the day- works 90% of the time.

    Shame to have to do this yet it is just too easy for someone to get into a hotel room. I was at one particular luxury hotel where the room key ceased to work- the housekeeping department came up to the room, opened a panel with a screwdriver (normal Phillips head), pushed a little button on the servo motor and the door opened....... When I asked about security he told me "shhhhhh- secret".
     
