I'm planning on doing a Reddit AMA for reversing in general -- as well as this work -- in the next hour or two, but if anyone has any questions I'll do my best to answer here. All I ask is no protocol details (paper and full code will be out tomorrow immediately following my talk) and no legal questions. Go wild.
Edit: Since this thread has blown up a bit, we may as well just do it here for real. If you have any reversing questions or background questions or whatnot, feel free.
Was it necessary to wear a t-shirt that reads "It's fun to use learning for evil!" in the photo shoot for a Forbes spread? This doesn't help the negative perception of the word "hacker". :-/
All due respect to the work you're doing – I'm a former member of the security industry myself (worked on the IPS engine at TippingPoint).
Counterpoint: I love that you wore it, I think the content of the article makes it hard to come to a negative conclusion (especially the comments about stopping development), and most anything that supports dieselsweeties.com is a good thing!
It's fairly easy to change a T-shirt. Whether or not anyone agrees with his appearance or not being relevant, he wasn't photographed in the audience at the conference or up on stage.
He posed for a photograph in a hotel.
Even if he didn't have a spare shirt, the gift shop in a hotel generally does. That's if he had thought of that issue. No problem with telling the photographer you had to change. Even if they noted that in the story it's the picture that's worth 1000 words.
I had a story done a number of years ago and they sent a photographer to the office. I took several hours to arrange everything to get a good setup for the photo. It paid off. The photo was good and the photo editor liked and made it the centerpoint of a story where many people were quoted. It ran all over in syndication. My point is simply it's important to think ahead when the media comes knocking. (Along those lines hmm, maybe he did the right thing with that t-shirt publicity wise).
In any case people can now learn from the "nitpick" and decide for themselves if they are ever in the spotlight what they want to do.
Forgive me if I'm just naive but I don't get the 'scary' part. Locks have always been 'advisory' and people who have wanted to circumvent them for both good and evil rate them by their 'time to disable'.
Hotel locks with hard keys had their issues as well, and were pretty trivially picked with simple tools. But the key is always that you need to bring the 'simple tools' which is to say that they aren't vulnerable in a way that someone who decides on the spur of the moment to enter the room can easily duplicate. They need the plug that fits the power cord, they need the software which does the JTAG wiggler etc etc.
So if it is 'scary' that people who are not affiliated with the hotel either as guests or as staff can, with pre-meditation, open a hotel room door without damage. Then you need to re-define scary. This has always been true, and will probably always be true by the nature of hotels and motels.
It should be noted that [some] hotel doors with electronic key cards also have physical key holes (as a backup) that are hidden, but are still susceptible to being picked.
This just supports your point that hotel doors are not 100% secure for anyone who really wants to get through.
Edit: Replaced all with some. The doors at the hotels I worked had backup physical keys in case the battery failed. It's cool that Onity locks can be powered externally if the battery fails. Thanks for the correction.
That's not really the case. While some of these do exist, Onity's locks themselves do not contain any physical keyhole and I've never seen them installed in such a configuration. Other vendors may be different.
The most important thing was that you gave it thought in advance! That is good. You had your reason for wearing the shirt it might not be the same decisions others would have made but the decision is yours to make based on what you were trying to achieve.
I mean the vulnerabilities. While my exploit has issues (which, as far as I can tell, are issues with timing when reading data from the lock; I lose the first bit of every byte) it's only a matter of time before someone fixes that and has these rolling off the assembly line. All you need is a microcontroller, a resistor, and a connector; that scares me.
Fair enough, and that's why I attempted to tone down the message with my statement of respect. I've followed Cody's work with interest for years.
I do stand by my general point, though. I think it's worth thinking about how we represent ourselves to the general public. The word "Hacker" has an unfortunate negative reputation, and I don't think messages like this help. It really jumped out at me when I opened the article (otherwise I would have kept this nit to myself).
It's pretty obviously tongue-in-cheek. He doesn't look at all evil (sorry Daeken, you look kind of... Jolly) and any real evil people don't let Forbes take their picture.
Random question: His former employer [..], sold the intellectual property behind Brocious’s hack to the locksmith training company the Locksmith Institute (LSI) for $20,000 last year.
Are these guys "buying up" security flaws in locks similar to others who sell these kinds of things for software?
Don't know what they're doing, quite honestly. Though I should mention that they didn't buy it from us, they got a non-exclusive license to use the technology. Just wanted to clarify.
It's the Locksmith Institute. Locksmiths are who you call to get into a door to something own, but to which you lost the key. So presumably there's situations where a hotel can't get their keys working, and they'd like to have locksmiths in their city who are trained in this. Don't think it's any more complicated than that...
Regardless of which hotel you're in and what locks they use, always use the physical security mechanisms provides, e.g. door chains. Deadbolts are engaged by the lock mechanism and will be retracted by, say, maintenance key cards.
While this definitely opens up new bad things, the message is the same: don't trust the software, trust the physical. Then again, after doing this for a few years, I may be a bit on the paranoid side.
Little hard to lock the door with door chains while you're not in the room.
Hotel occupancy is a lot lower on the weekend. I'm sure many people living in hotel rooms with more belonging than can fit in the safe will appreciated this information being released on a weekend.
That seems like an implementation problem. (warning: anecdote ahead:) All sliding chain locks I've used are up at eye level, which would make this much more complicated, if not impossible. That, or they have the hard-bar-over-ball lock, also at eye-level.
Plus, my large hands wouldn't have been able to do that trick. :/
Now I wonder, how big is this then? 4M hotels in the US, what slice of the pie is that compared to the whole number of hotels in the US? And how many in Europe/Australia/Asia, do they use completely different locks?
Also, just because you leaked the details today (yesterday?), how realistic is his worry that evil parties might copy the tech before the weekend? :)
And indeed, doesn't every hotel room have a small safe, I don't just keep my passport there, but also my laptop, camera and phone if I don't take them with me.
And indeed indeed, I never even considered whether the door to my hotel room would be "secure", if maintenance and cleaning have a universal key, it's mostly a privacy measure, rating somewhat above a bathroom stall lock. It might be different if they wouldn't all have a small safe, though.
Now I do wonder how secure those safes are, in general :) Any idea? (edit: whoops I should've read the thread further, this has already been discussed--great discussion though, keep it up!)
> But on three Onity locks installed on real hotel doors he and I tested at well-known independent and franchise hotels in New York, results were much more mixed
This is a long shot, but I was in a chain hotel in midtown recently and heard someone tampering with the lock, and found the door ajar in the morning. I realize you probably can't name specific hotels, but was one by any chance a chain hotel in midtown around the 11th?
I think the primary threat in this situation is burglary of an unoccupied hotel room.
Security chains are fairly easy to defeat; a bent clothes hanger will do. Deadbolts are probably pretty hard if there's no external key hole. Someone intending harm to the occupants of a hotel room might just break a window.
My university uses Onity locks for universal access with ID cards. This means our campus (and residences) are vulnerable, too, right? Are you aware of many universities that use similar systems?
So, those locks are the CT (commercial, Integra) locks. I strongly suspect that they're vulnerable to roughly the same thing, but I haven't tested them to see for sure. There are two reasons I believe this to be the case: the only difference between the PP20 (portable programmer used in the Onity HT system for hotels) and the CT PP is a swapped out EPROM. Given the similarity of the systems from a high-level perspective and the PP differences, I'd be very surprised if they weren't similarly vulnerable.
At some point I'd love to test the CT side, but 1) the hardware is tough to get hold of, and 2) it's not a very popular system, so it's not that interesting. I think it'd be pretty straightforward, though.
Everything I'm releasing is specific to Onity. I can't speak to the security of any of the others, as I haven't looked at them yet, but I'm planning on doing so in the near future. Next up is most likely Ving, though Timelox is a really clever system, so that could be fun.
I can't speak to the actual security, but I know that it requires a contact card inside the slot to actually program the lock. That's not something you can likely build for a couple bucks in parts at Radioshack, so at least the barrier to entry is higher.
At least, higher. If you were in the business of robbing hotel rooms, I'm sure a onetime fee wouldn't be much of a barrier. Keep the small-time thieves at bay though.
Edit: Since this thread has blown up a bit, we may as well just do it here for real. If you have any reversing questions or background questions or whatnot, feel free.