Onity's plan to mitigate hotel lock hack (daeken.com)
62 points by daeken on Aug 17, 2012 | 16 comments


"This -- as much as it is security-through-obscurity -- is actually a great temporary fix."

I don't understand how the Torx screw and cover solution is security through obscurity. They're being very open about it. It may be a weak solution, but it's not being hidden.


If it is a security torx - or some other rarer type of driver then the average guy probably won't have one in the truck. However - the guy coming down the hall to hack your lock while you're down at the pool will. I liked the security-through-obscurity reference.


Fair enough, I could've used a better phrase here. I just wanted to drill in the fact that it doesn't help the underlying issues.


"To further enhance the security of this fix, we will also supply a security TORX screw with each mechanical cap to further secure the battery cover in the lock"

I hope it's not one of those small security torx that can be unscrewed by a flat tip screwdriver...


Even if they do require a security torx driver, now potential criminals just need a $5 part from Amazon.

No seriously, you can get an entire set of all commonly used "security" bits for your screwdriver for $4.52, prime eligible.

Security my ass.


If I wanted to break into a hotel room that bad I would just get a job working there as a cleaner. Seriously, how big of a problem is this really? As someone who stays in hotel rooms quite often I don't place any faith in room security. I know multiple people in the hotel can enter my room with very little oversight. That's why good hotels offer room safes.


> That's why good hotels offer room safes.

The safes in most hotel-rooms are not safe at all. Perhaps Daeken can take a look at those next...


What if the hotel isn't hiring any cleaning staff at that time? Not to mention, I would imagine that cleaning staff and other people who have access to keys would be first on the list of suspects.


A firmware replacement clearly would require a new programming gizmo to be effective. But if they're replacing all the lock circuit boards in a hotel, throwing in a new programmer or two would be a comparatively minor cost. Is it possible they just didn't bother to mention it?


That's entirely possible, though considering the costs involved (on both sides) and the impact of the vulnerability, I'd be surprised if they weren't to mention it at least in passing if they plan to upgrade the PP.

The encoder is an even tougher one -- hotel owners in the US (it's different in some other countries) do not have the ability to update the locking information on the encoder. That means that any update on the device requires the board to be changed and then the device has to be loaded with the proper information for the hotel by Onity. That means either downtime to send in the old encoder and get it back, or that Onity has to send out a new (updated) encoder to each property and get the old one back. I can't imagine they wouldn't mention that.


A regular mechanical lock can be picked.

An Onity electronic lock can be hacked.

What's the difference that requires Onity to make this fix?

As a proof of concept and cool hack this is great. But regarding actual security it doesn't seem any worse than a mechanical lock.


When Kryptonite's locks were found to be vulnerable to opening with a Bic pen, they issued a recall on all affected units.

The vulnerabilities I disclosed in Onity's locks are as trivial and obvious as possible; it's not that the lock can be picked, but that it's instant and trivial with absolutely no special skills.


That Bic pen hack was pretty crazy! For those that don't know, the technique may have been discovered as early as 1992 [1] but the Kryptonite hack was made public in around 2004. [2]

[1] http://www.snopes.com/crime/warnings/kryptonite.asp

[2] http://www.wired.com/culture/lifestyle/news/2004/09/64987


Wow look at that - once made aware of the vulnerability Onity responded with a fix.

The last post I saw on this mentioned that the security researcher did not responsibly disclose the vulnerability because he just knew they wouldn't do anything. Looks like he was wrong.


> The last post I saw on this mentioned that the security researcher did not responsibly disclose the vulnerability because he just knew they wouldn't do anything. Looks like he was wrong.

I'm the security researcher in question (and author of this post). What a company does when pressured by their customer base and what they do when no pressures exist are two very, very different things. Had I approached them with these vulnerabilities ahead of time, it's highly likely that they would have used their considerable cash reserves to strong-arm me legally into not releasing this data, and the issue would not have been resolved.

As I said in my original paper/slides, this was the best way to get the issue in front of hotel owners so that it could be resolved; this is the intended behavior.


> I'm the security researcher in question (and author of this post). What a company does when pressured by their customer base and what they do when no pressures exist are two very, very different things

Totally agreed.

> Had I approached them with these vulnerabilities ahead of time, it's highly likely that they would have used their considerable cash reserves to strong-arm me legally into not releasing this data, and the issue would not have been resolved.

I guess we'll never know, will we?

Edit: To be fair, I don't have a stake in this either way, and I'm glad the end result is that they're taking the threat seriously.



