Earlier this week, Cody Brocious (Daeken) gave a presentation at the Black Hat conference in Las Vegas showing how it was possible to hack and open hotel door locks (Onity HT lock systems) using an Arduino Mega 128 board, a 5.6 kOhm resistor and a DC barrel plug to physically mate with the lock (total price: around $20). He explains that 4 million hotel rooms are fitted with this type of lock, which means you could potentially stay for free anywhere in the world. Obviously, you could also end up in another type of room (including free food) for a longer period of time. That looks like a win-win situation to me 🙂
Each lock contains a 32-bit unique value (sitecode) that identifies a property and is used for encryption. Cody’s Arduino-based solution communicates with the lock over a 1-wire communication protocol, reads memory to get the sitecode (no authentication required), and opens the lock. Opening the door usually takes 200 ms, but it may take longer if several addresses need to be read, and it seems it does not work for all locks.
Cody also explains how you could use the sitecode to create your own key cards, and that it is possible to hack those magnetic cards within 35 minutes with a single-core CPU, or in less than 1 minute using Amazon EC2 for less than 1 dollar.
In the last part of his presentation, he explains how to mitigate this weak security. Since the lock firmware cannot be upgraded, all 4 million locks and the front desk equipment would have to be replaced.