Update: 12/28/2012 – I’m a bit late on this, but this has actually been exploited for criminal activity. Imagine that. Apparently, it’s not as “unreliable, complex and difficult to implement” as Onity thought.
Update: 8/19/2012 – Anxiously awaiting delivery of ATtiny85 chips to convert this into an even more compact device (also would be cheaper and able to be mass-produced).
Cody Brocious did a presentation at Black Hat 2012 on how to exploit the Onity hotel locks, and is the main source of information for this page. His original page for the talk is located here. Please take the time to visit Cody’s site if you’re interested in how this works. I’m only going to present a brief overview, so as not to detract from his paper.
Unfortunately, I don’t have my own personal hotel locks to play with, and hotels thus far have either not had a GM available when I stopped in or the GM has dismissed this as nonsense. One even said “If I feel there’s a problem with our locks, I’ll contact our Onity rep. We pay them good money, so I’m sure this is all taken care of.” An engineer at Holiday Inn was very interested in resolving it, but I’m not aware of anyone making progress in getting the PP codes. (If you have a PP, there are plenty of us interested in engineering a software solution, rather than forcing a hardware update.)
A quick survey shows about 60-75% of the hotel locks in Pittsburgh (city, not region) are vulnerable to this at the time of this writing.
If you’ve stayed in a hotel, you’ve probably seen this lock. Cody asserts this lock is one of the more popular brands and gives a figure of over 4 million installed. What you probably haven’t seen is the programming port, located on the bottom of the lock (red arrow). It uses a size “K” DC adapter (5.0mm OD x 2.1mm ID, center positive) to communicate with the programming device (Portable Programmer, PP). I’ll refer you to Cody’s site for specifics on the communication protocol. Essentially, the PP and lock work as master-slave, with the PP as the master. The PP transmits a 3.3v signal (HIGH) when idle, and the signal drops into a LOW state in order to communicate.
When the locks are installed, a sitecode is written to the lock’s memory. This is a 32-bit value that’s unique to the facility, but shared among all equipment in that hotel. After that, there are several other values, including the code for the Master keys and the Programming key (more on this later).
Using the PP, staff are able to open the lock manually. The PP issues an “OPEN” command in combination with the sitecode. Since the sitecode is hidden from even the property owner, this is supposed to provide a bit of security against anyone just opening the lock, right?
(Of course not, you wouldn’t be reading this if that were the case!)
All we have to do is read the sitecode from the lock’s memory, and mix it in with the OPEN command (which is the same for every lock). This takes around 220 milliseconds to perform.
The lock simply opens, and the access log reads as though the PP was used by staff to open the door. This is done by programming the Arduino to continuously send “open” commands via the DC plug. In practice, it takes around 1-2 seconds to open the lock, due to timing problems and to where the code is in its loop when you insert the plug into the lock. For all intents and purposes, it’s instantaneous.
If you haven’t heard of the Arduino yet, it’s similar to the BASIC Stamp microprocessor, but faster, cheaper and open-source. It uses its own open-source programming language, which is heavily based on C. An Arduino Uno runs around $35 at RadioShack and the Arduino Mega is around $65. Additional parts you’ll need (if starting from scratch) are:
- An A to B USB adapter (the big square one that’s probably plugged into your printer)
- Two “K” size DC barrel plugs (5.0mm OD x 2.1mm ID). Center is positive for both.
- A few pieces of wire and a 5.6k resistor (green-blue-red for those people)
- A 9v battery plug. Wire this to one of the DC plugs. This will be the power source for your Arduino. (You can run it off of USB power, but it won’t be as stealthy if you have a computer attached to it)
- The Arduino software (Free – arduino.cc)
- The source code – not provided here. (It’s not hard to find, but I’m not giving handouts)
I also used some heat-shrink tubing and a lighter (hence the black smoke marks on the clear tubing), as well as two small pieces of 22ga solid wire. Everything is twisted together (not soldered) and held together with heat-shrink tubing.
I modified the code to blink the LED on pin 13 five times (50ms on/off) at the beginning of each loop, because I like feedback. I’m also working on code that will intercept the transmissions between the lock and a PP and send it back to my computer, on the off chance one of the managers calls me back and says “Yeah, sure, take a look”.
It’s not pretty, but it gets the job done (power supply not shown). Add a cool project enclosure, and you have yourself a portable master key to any room in any hotel that uses Onity locks.
Onity has acknowledged the problem (+1 point to Onity), but claims “the hacking methods [are] unreliable, and complex to implement.” If by “complex”, they mean “anyone with a few pieces of wire and a BIC lighter can throw this together in the middle of Starbucks in 10 minutes”, then yes, it’s very complex. Cody claims varying success with this device, but I don’t know that I’d call it “unreliable”. (In my limited tests, it has worked 100% of the time.)
Onity is currently manufacturing plugs (see above link) to block the programming pin and also providing a TORX screw to replace the battery cover. That will stop anyone without a TORX bit (less than a dollar, if I recall correctly) from using this method. They totally won’t spend that extra dollar at RadioShack.
They’re also talking about a “firmware” update, by which they apparently mean “replace the circuit board in all 4 million locks and issue new programming devices to each hotel”. It’ll probably only be a matter of time until this new “firmware” is broken, too.
Case-in-point: Don’t let them fool you, this is inexpensive, shockingly easy to implement, and more reliable than it should be.
I don’t want to sound like I’m suggesting a boycott of anyone using Onity locks, but if you’re concerned about your safety, you may want to choose a hotel with a different lock (given the option). A brief look at Pittsburgh hotels (city, not suburban) shows that around half of them have Onity locks.
It goes without saying that you should be using the chain lock/bar latch on the door (but this can be kicked in easily or opened with a rubber band). Hopefully, you’d wake up if this was going on, but I’ve slept through much more.
While the old adage “locks are meant to keep honest people out” still holds true, this particular lock requires almost zero skill to open. If you can install iTunes, transfer music to your iPod, then plug it into your car sound system, you can do this.