Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I'm planning on doing a Reddit AMA for reversing in general -- as well as this work -- in the next hour or two, but if anyone has any questions I'll do my best to answer here. All I ask is no protocol details (paper and full code will be out tomorrow immediately following my talk) and no legal questions. Go wild.

Edit: Since this thread has blown up a bit, we may as well just do it here for real. If you have any reversing questions or background questions or whatnot, feel free.



Was it necessary to wear a t-shirt that reads "It's fun to use learning for evil!" in the photo shoot for a Forbes spread? This doesn't help the negative perception of the word "hacker". :-/

All due respect to the work you're doing – I'm a former member of the security industry myself (worked on the IPS engine at TippingPoint).


Counterpoint: I love that you wore it, I think the content of the article makes it hard to come to a negative conclusion (especially the comments about stopping development), and most anything that supports dieselsweeties.com is a good thing!


You don't think this is a little nitpicky? He's at the "Black Hat Briefings".


It's fairly easy to change a T-shirt. Whether or not anyone agrees with his appearance or not being relevant, he wasn't photographed in the audience at the conference or up on stage.

He posed for a photograph in a hotel.

Even if he didn't have a spare shirt, the gift shop in a hotel generally does. That's if he had thought of that issue. No problem with telling the photographer you had to change. Even if they noted that in the story it's the picture that's worth 1000 words.

I had a story done a number of years ago and they sent a photographer to the office. I took several hours to arrange everything to get a good setup for the photo. It paid off. The photo was good and the photo editor liked and made it the centerpoint of a story where many people were quoted. It ran all over in syndication. My point is simply it's important to think ahead when the media comes knocking. (Along those lines hmm, maybe he did the right thing with that t-shirt publicity wise).

In any case people can now learn from the "nitpick" and decide for themselves if they are ever in the spotlight what they want to do.


I did plan to wear the shirt; I felt it injected a bit of fun into something that, frankly, is scary as hell.


Forgive me if I'm just naive but I don't get the 'scary' part. Locks have always been 'advisory' and people who have wanted to circumvent them for both good and evil rate them by their 'time to disable'.

Hotel locks with hard keys had their issues as well, and were pretty trivially picked with simple tools. But the key is always that you need to bring the 'simple tools' which is to say that they aren't vulnerable in a way that someone who decides on the spur of the moment to enter the room can easily duplicate. They need the plug that fits the power cord, they need the software which does the JTAG wiggler etc etc.

So if it is 'scary' that people who are not affiliated with the hotel either as guests or as staff can, with pre-meditation, open a hotel room door without damage. Then you need to re-define scary. This has always been true, and will probably always be true by the nature of hotels and motels.


Agreed. The vast majority of locks on doors are to make the people inside feel safer, not to actually prevent a determined intruder from entering.

Given the dozens or hundreds of hotel staff that can easily gain access to your room, I fail to see why this is "scary."


It should be noted that [some] hotel doors with electronic key cards also have physical key holes (as a backup) that are hidden, but are still susceptible to being picked.

This just supports your point that hotel doors are not 100% secure for anyone who really wants to get through.

Edit: Replaced all with some. The doors at the hotels I worked had backup physical keys in case the battery failed. It's cool that Onity locks can be powered externally if the battery fails. Thanks for the correction.


That's not really the case. While some of these do exist, Onity's locks themselves do not contain any physical keyhole and I've never seen them installed in such a configuration. Other vendors may be different.


And also, you don't have to be our ambassador. You can wear whatever you'd like -- you don't owe us anything.


"did plan"

The most important thing was that you gave it thought in advance! That is good. You had your reason for wearing the shirt it might not be the same decisions others would have made but the decision is yours to make based on what you were trying to achieve.

By "scary" did you mean the media attention?


I mean the vulnerabilities. While my exploit has issues (which, as far as I can tell, are issues with timing when reading data from the lock; I lose the first bit of every byte) it's only a matter of time before someone fixes that and has these rolling off the assembly line. All you need is a microcontroller, a resistor, and a connector; that scares me.


http://xkcd.com/538/ is sort of relevant, no?


I'm curious how the admin system of the hotel logs these types of entries. What do they show it as in the log file?

Were or are you able to find out?


Fair enough, and that's why I attempted to tone down the message with my statement of respect. I've followed Cody's work with interest for years.

I do stand by my general point, though. I think it's worth thinking about how we represent ourselves to the general public. The word "Hacker" has an unfortunate negative reputation, and I don't think messages like this help. It really jumped out at me when I opened the article (otherwise I would have kept this nit to myself).


I can see a reasonable point that it feeds into the stereotype of the programmer-misanthrope.


I didn't even notice the text on the shirt underneath his greasy, unwashed hair.


It's pretty obviously tongue-in-cheek. He doesn't look at all evil (sorry Daeken, you look kind of... Jolly) and any real evil people don't let Forbes take their picture.


It's ok, I get "jolly" a lot.


Ugh, a dyed-in-the-wool corporate whitehat bitching about a real hacker wearing an ironic black t-shirt while posing for a magazine interview.

It's 2012. Your argument is twenty years late to the discussion. Deal with it.


Random question: His former employer [..], sold the intellectual property behind Brocious’s hack to the locksmith training company the Locksmith Institute (LSI) for $20,000 last year.

Are these guys "buying up" security flaws in locks similar to others who sell these kinds of things for software?


Don't know what they're doing, quite honestly. Though I should mention that they didn't buy it from us, they got a non-exclusive license to use the technology. Just wanted to clarify.


It's the Locksmith Institute. Locksmiths are who you call to get into a door to something own, but to which you lost the key. So presumably there's situations where a hotel can't get their keys working, and they'd like to have locksmiths in their city who are trained in this. Don't think it's any more complicated than that...


Do you kindly mind only leaking the information on Friday?

Thanks from all us who spend our weekdays living in hotels.


Regardless of which hotel you're in and what locks they use, always use the physical security mechanisms provides, e.g. door chains. Deadbolts are engaged by the lock mechanism and will be retracted by, say, maintenance key cards.

While this definitely opens up new bad things, the message is the same: don't trust the software, trust the physical. Then again, after doing this for a few years, I may be a bit on the paranoid side.


Little hard to lock the door with door chains while you're not in the room.

Hotel occupancy is a lot lower on the weekend. I'm sure many people living in hotel rooms with more belonging than can fit in the safe will appreciated this information being released on a weekend.


Hotel safes in rooms are notoriously insecure.


Hotel safes are there to secure insurance protection for your belongings.


How so? Does it tend to stem from poor physical design, or the locking software?


I always figure that the maintenance guy and probably half the staff know the master code.


Many have backdoor passwords. Most can simply be unbolted and removed from the room.

http://gizmodo.com/5837561/can-000000-secretly-open-your-hot...


> Little hard to lock the door with door chains while you're not in the room.

A little hard, maybe, but I've seen a vid of some guy unlocking a door chain using a rubber band, coat hanger wire and a stick.

So I guess that with a little effort locking the door from outside is possible.


"always use the physical security mechanisms provides, e.g. door chains"

Sliding chain locks which can be defeated with a rubber band... :-) http://www.youtube.com/watch?v=7INIRLe7x0Y&t=60s


That seems like an implementation problem. (warning: anecdote ahead:) All sliding chain locks I've used are up at eye level, which would make this much more complicated, if not impossible. That, or they have the hard-bar-over-ball lock, also at eye-level.

Plus, my large hands wouldn't have been able to do that trick. :/


>trust the physical

A lock-picker might say different, no?


Probably not.

Wait until you see the flaws, man. Not being robbed is sort of a matter of being slightly more tedious to pick than the next guy.

The stuff Daeken has worked makes it ludicrously easy.


Now I wonder, how big is this then? 4M hotels in the US, what slice of the pie is that compared to the whole number of hotels in the US? And how many in Europe/Australia/Asia, do they use completely different locks?

Also, just because you leaked the details today (yesterday?), how realistic is his worry that evil parties might copy the tech before the weekend? :)

And indeed, doesn't every hotel room have a small safe, I don't just keep my passport there, but also my laptop, camera and phone if I don't take them with me.

And indeed indeed, I never even considered whether the door to my hotel room would be "secure", if maintenance and cleaning have a universal key, it's mostly a privacy measure, rating somewhat above a bathroom stall lock. It might be different if they wouldn't all have a small safe, though.

Now I do wonder how secure those safes are, in general :) Any idea? (edit: whoops I should've read the thread further, this has already been discussed--great discussion though, keep it up!)


Do you think all the locks are going to be fixed by Monday?


> But on three Onity locks installed on real hotel doors he and I tested at well-known independent and franchise hotels in New York, results were much more mixed

This is a long shot, but I was in a chain hotel in midtown recently and heard someone tampering with the lock, and found the door ajar in the morning. I realize you probably can't name specific hotels, but was one by any chance a chain hotel in midtown around the 11th?


I used to travel fairly extensively for work, on at least 3 separate occasions I had Marriott check me into an already occupied room.


You don't lock the bolt or the chain mechanism when you stay in a hotel room? Or are you saying they bypassed those also?


I think the primary threat in this situation is burglary of an unoccupied hotel room.

Security chains are fairly easy to defeat; a bent clothes hanger will do. Deadbolts are probably pretty hard if there's no external key hole. Someone intending harm to the occupants of a hotel room might just break a window.


Not necessarily. Sometimes the master key card opens the deadbolt as well.


Nope, I was in Europe at the time; we did the photoshoot late last month, though I can't recall when.


My university uses Onity locks for universal access with ID cards. This means our campus (and residences) are vulnerable, too, right? Are you aware of many universities that use similar systems?


So, those locks are the CT (commercial, Integra) locks. I strongly suspect that they're vulnerable to roughly the same thing, but I haven't tested them to see for sure. There are two reasons I believe this to be the case: the only difference between the PP20 (portable programmer used in the Onity HT system for hotels) and the CT PP is a swapped out EPROM. Given the similarity of the systems from a high-level perspective and the PP differences, I'd be very surprised if they weren't similarly vulnerable.

At some point I'd love to test the CT side, but 1) the hardware is tough to get hold of, and 2) it's not a very popular system, so it's not that interesting. I think it'd be pretty straightforward, though.


Neat. I've often wondered about the port on the bottom of the lock. Thanks for clarifying.


The article mentions Onity - what about other companies?


Everything I'm releasing is specific to Onity. I can't speak to the security of any of the others, as I haven't looked at them yet, but I'm planning on doing so in the near future. Next up is most likely Ving, though Timelox is a really clever system, so that could be fun.


The room I'm in has a Ving lock. I witnessed it being reprogrammed by hotel staff when I was having problems opening my door.

Ving may have security flaws but I'm assuming it will be a bit more expensive to exploit.


I can't speak to the actual security, but I know that it requires a contact card inside the slot to actually program the lock. That's not something you can likely build for a couple bucks in parts at Radioshack, so at least the barrier to entry is higher.


At least, higher. If you were in the business of robbing hotel rooms, I'm sure a onetime fee wouldn't be much of a barrier. Keep the small-time thieves at bay though.


I wonder if you could legally squad empty hotel rooms like this?


Exactly my point. :)




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: