Thief Apparently Hacked Hotel-Room Lock
Well, that didn't take too long.
Three months after security researcher Cody Brocious showed how easy it was to hack into certain electronic hotel-room locks, at least one thief in Texas may have used the same method.
Janet Wolf, an IT services consultant for Dell Computer, told Forbes' Andy Greenberg that she returned to her room at the Hyatt House Houston Galleria on Sept. 13 to find her Toshiba laptop gone.
Wolf recalled that hotel management checked her room's electronic lock and found no record of anyone other than Wolf opening it. There was no sign of a break-in.
The laptop seemed to have disappeared on its own. Hyatt management was so spooked it posted a security guard in its lobby.
Two days later, the hotel management wrote Wolf a letter. The room's lock, the letter told her, had been hacked open, and at least two other rooms in the hotel had been burgled the same way.
On Oct. 31, Houston police arrested Matthew Allen Cook, 27, of Richmond, Texas, and charged him with stealing items valued between $1,500 and $20,000. Cook had allegedly pawned a Hewlett-Packard laptop stolen from the hotel on Sept. 7. He posted bail 10 days later.
Cook is also a suspect in the other two thefts at the hotel, including the theft of Wolf's laptop.
In correspondence with Greenberg, the hotel management said it suspected that whoever stole Wolf's laptop had done something similar to Brocious' hack, in which a $50 circuit board with attached wires could bypass electronic-card door locks made by Onity of Duluth, Ga.
Some Onity locks, which are used in thousands of hotels worldwide, have a power and data port on the underside that lets hotel staffers charge and override locks that have malfunctioned or lost power.
Brocious reverse-engineered the locks, built his device, opened the locks, demonstrated the method to Greenberg, then gave a presentation of his proof of concept in July at the Black Hat security conference in Las Vegas.
Brocious decided not to tell Onity before disclosing his hack. From his point of view, his method was so obvious that he suspected real thieves were already using it, and that hotel managers should know of it as soon as possible.
"It wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments," Brocious told Greenberg in July. "An intern at the NSA could find this in five minutes."
After Brocious' presentations, Onity offered its customers screws and plastic plugs to seal the lock ports.
Since then, others have refined Brocious' device. One tinkerer fit all the components into the case of a dry-erase marker, with the tip plugging into the port to open the lock.
Fully patching the locks would involve replacing the circuit boards in each unit. Onity insists that its customers pay for that option.