A firmware replacement clearly would require a new programming gizmo to be effective. But if they're replacing all the lock circuit boards in a hotel, throwing in a new programmer or two would be a comparatively minor cost. Is it possible they just didn't bother to mention it?
That's entirely possible, though considering the costs involved (on both sides) and the impact of the vulnerability, I'd be surprised if they weren't to mention it at least in passing if they plan to upgrade the PP.
The encoder is an even tougher one -- hotel owners in the US (it's different in some other countries) do not have the ability to update the locking information on the encoder. That means that any update on the device requires the board to be changed and then the device has to be loaded with the proper information for the hotel by Onity. That means either downtime to send in the old encoder and get it back, or that Onity has to send out a new (updated) encoder to each property and get the old one back. I can't imagine they wouldn't mention that.
