did you know that crooks have a new tool to break…


"All thieves have to do is plug it in, and it acts like a master key, even bypassing the deadbolt, giving criminals access while you sleep." how exactly do you bypass a deadbolt when it's not part of the electronic key system in the first place? unless they're somehow connected and i didn't know.


@carl669: Well, either the electronic lock and deadbolt are part of the same system or the tool can be used to unlock a separate deadbolt that is commonly used in hotels. Unfortunately, the article doesn't specify this, but it would be my best guess on the subject.


I would assume the deadbolt is part of the same system. The hotel must be able to access the room at all times. Even if you lock yourself in.


The original researcher who found this built the tool that cracks the security code using a $24 arduino-based prototyping system. It reads out the master key, allowing the attacker instant access to all of the rooms in the hotel.

The amazing thing is that the manufacturer's response when the weakness was exposed was to offer hotels a screw-in plug that blocks the hole where the programmer plugs in - as if attackers couldn't own screwdrivers. Absolutely hilarious.


@carl669: The deadbolt in hotel rooms is part of the electronic system. What I find most annoying about this is that it's OLD NEWS. This came up five months ago, and most hotels are still on the "Wow, really? You sure our hotel system is vulnerable?" Yes, it's a problem. Yes, it was pointed out, publicly, FIVE months ago.

I've been known to set a laptop+camera system connected to a LOUD alarm when traveling, but then, I don't travel much any more. I'd guess that very few people are going to be that sophisticated.

The major hotels are all just trying to avoid upgrading their systems (because they don't want to spend the money). For now, either keep your stuff with you when you leave the room, and when you're in the room, use that extra lock at the top of the door, or else leave your crap at home.


@rhmurphy: Well, as craigster38 noted above, hotel staff still need to have access to all rooms no matter what. The "fix" which seems meaningless is only complying with this need (and probably some law or statute) even if it only costs a criminal a minute to undo.

And since hotels will always need access to rooms even with deadbolts engaged this could be a vulnerability that will always exist. Makers of the locks can make a better, more secure design, but eventually thieves will find some way around it.

Perhaps the only way around it would be to install "master keys" that require thumbprints of the hotel staff, but if the cost is too high it could price many travelers out of the market for the hotel rooms.


@shrdlu: Businesses always look to find the most cost effective way of doing business. It keeps prices low for consumers and increases profits for improvements and expansion. Normally this is a good thing. However, in this instance it isn't.

Hotels and lock manufacturers would have to spend a great deal of capital redesigning new lock systems and installing them on hotel doors. The cost could be rather prohibitive. The hotels will then use the least costly method of dealing with this problem (paying to replace lost possessions) until it costs them more than to replace the locks. Only constant public pressure and reduced patronage of the hotels could change this stance.


The best advice is to not make yourself a target by flashing expensive electronics, cash, jewelry, etc... Someone is not going to risk arrest unless they know it's worth their time. Drunk tourists in Vegas are notorious for being oblivious to this.

I use the hotel safe for my electronics and passport and always keep my wallet with me. I bought this bag that looks like a used pair of skidmarked underwear, I use this to store stuff in my luggage if they don't have a safe.


I was at a casino hotel when the battery in the locking mechanism for my door died. They had to call out a locksmith to get into the room and replace the battery. Want to know the ultra high tech tool he used? A coat hanger. Slide it under the door, hook the handle and pull. Using the handle from the inside disengages the "deadbolt".


@ryanwb: That's kinda genius. Fortunately, the good people at Amazon offer the skidmarked underwear safe. I'm totally going to buy them, great idea. Thanks for posting that.


How 'bout we go back to using, i don't know, metal keys?


@shrdlu: @carl669 was probably talking about the non-electronic lock most hotels have that's separate from the electronic card-lock system and is usually only accessible from the inside.. usually it's either a bolt, a latch, or a chain.. something along those lines.

@dmmutti: Old-school pin-and-tumbler locks are really insecure.. somebody that knows what they're doing can pop one open in a few seconds. They have "anti-pick" locks of all sorts, but all locks have their upsides and downsides.. with a lot of the better locks it's usually cost and practicality.


I didn't.. but I do now! THANKS! This is going to save me LOADS on Christmas shopping :D

[edit: sarcasm clarification; that was a joke, I'm not a hotel thief]


@drchops: The "deadbolt" on almost all rooms with this type of electronic key is connected to the electronics, and the master key unlocks it, even when the room key doesn't. Yes, it's true. Your kids can lock you out of the room with the deadbolt, but the hotel staff can go right in.

As an interesting side note, I think that door opens are logged the same whether it's the guest key, housekeeping, or a master key, and I think that even the arduino toy still causes a log for door entry when used. Yes, it's true. Hotels log each time an electronic door opens and shuts.

Fun stuff. (The Open Organisation Of Lockpickers)

"Security is achieved through openness. Take things apart and play with them... exposing bad security is what protects us all." Deviant Ollam


@shrdlu: Well, you're mostly right :)..

What I'm talking about are the locks that are completely independent from the electronic locking mechanism.. They sit about 2-3ft above the door handle and usually consist of a couple pieces of steel and chain or something similar :D

These ones are also a pretty common sight:


This won't get you into the safe found in most hotel rooms though so at least there's that.


@thetexastwister: I'm more inclined to think hotels will deny any responsibility, since there would be no evidence of unauthorized entry into the room and no way for the guest to prove anything was stolen. It gets even worse if there are room safes available or if the hotel front desk has secure-storage available.


@magic cave: Hotels are often targets for fraudulent claims of theft so hotels would probably view every claim as a possible attempt at fraud and may deny responsibility as a defensive mechanism. And as you noted there would need to be sufficient proof that hotel guests actually had the items claimed as stolen in the hotel rooms prior to the alleged theft.


Well, that's just wonderful. Now I'm even more afraid to stay in a hotel room. sigh

I guess I won't be traveling any time soon :(


@drchops: I use those every time. It saved us some serious issues when the front desk of a hotel gave someone else our room and they attempted to walk in. Also, keeps out housekeeping.


@thumperchick: as you and @drchops pointed out, these are invaluable in preventing access ... when you are in the room. My biggest concern would be when you are NOT in your room.

If I were a thief looking to make out with stuff when no one was looking, I would be casing a floor and waiting for people to leave. You can't set that high door lock from the outside. So, when you leave, I'd be entering then.

Still great advice, but it doesn't account for when you are not in the room.


@drchops: I've been in the hotel business for 20 years. There is a tool to open those locks too. Every hotel has one, and they are available just about anywhere. The tool can also be made out of a thin piece of plastic, and takes but a second.


@brian188: Not if you gum it up with a chain and padlock.


Professional criminals will already be aware of the fake skidmarked underwear.
Next time, use a real pair to thwart them.


@shrdlu: w3rd.

This security vulnerability was publicly announced at BlackHat, which I think was back in March. The researcher had gone to the company involved before that and was, basically, blown off. Now, as time has gone on, the market has found a way to "monetize" this exploit.

The fix from Onity (the maker of these): a screw in plug that can easily be screwed out. The only fix that will work (since this is a hardware flaw) is to replace the board in the locks, which Onity is insisting that hotels pay for themselves.