My Arduino can beat up your hotel room lock - Hakim

My Arduino can beat up your hotel room lock
Hacking the Onity lock system
by Cody Brocious, Trapped Orbit Research


How locks work
Every hotel has a unique 32-bit sitecode
Locks are programmed with this sitecode and a code key value for hotel guest key cards
They also contain timetables, look ahead ranges, master codes, and other info


How locks work
Each guest key card gets a code key value that is one greater than the last guest's
This is how card cycling works
Cards contain an identity value that represents the door it's for, but the lock doesn't know this value...
A card with a valid code key value, encrypted with the proper sitecode, will work regardless of which door it's intended for.


Code keys
Guests and masters both have code key values in the lock
They're 24-bit but...
Locks contain a look ahead value that can be 1-255, most properties use ~50
Any code key value between the current value in the lock and that value plus the look ahead is valid
This reduces the effective size of the code key value


Card format
16-bit ident value. This is the door ID and the card copy number
One to three 24-bit code key values
16-bit expiration date
8-bit bit field for authorizations
8 bits of flags
  Important one is privacy override; allows you to open the door when the deadbolt is thrown
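The two slides above (the code key look ahead window and the card field list) can be modelled in a few lines. The example below is added here for illustration; it is not code from the talk, the paper, or Onity, and it does not reproduce the card encryption. The byte order, the field order, the inclusive window check, the "lock advances to the accepted key" cycling rule, and the flag bit position are all assumptions chosen to make the slides' description concrete. The effective_keyspace helper shows why a look ahead of ~50 shrinks a 24-bit value to a few hundred thousand effective guesses, which is the point the "Code keys" slide makes.

```python
"""Model of the Onity card fields and code key look ahead window as
described in the slides. Added illustration, not the talk's own code;
layout and rules marked below are assumptions."""
import struct
from dataclasses import dataclass, field

CODE_KEY_BITS = 24
CODE_KEY_MAX = (1 << CODE_KEY_BITS) - 1
PRIVACY_OVERRIDE = 0x01  # assumed bit position for the privacy override flag


@dataclass
class GuestCard:
    ident: int                          # 16-bit: door ID + card copy number
    code_keys: list = field(default_factory=list)  # one to three 24-bit values
    expiration: int = 0                 # 16-bit expiration date
    authorizations: int = 0             # 8-bit authorization bit field
    flags: int = 0                      # 8 bits of flags


def encode_card(card: GuestCard) -> bytes:
    """Serialize the plaintext card fields (big-endian layout is an assumption).
    Encryption with the sitecode, which the real system applies, is omitted."""
    if not 1 <= len(card.code_keys) <= 3:
        raise ValueError("card must carry one to three code keys")
    out = struct.pack(">H", card.ident & 0xFFFF)
    for key in card.code_keys:
        if not 0 <= key <= CODE_KEY_MAX:
            raise ValueError("code key must be a 24-bit value")
        out += key.to_bytes(3, "big")
    out += struct.pack(">HBB", card.expiration & 0xFFFF,
                       card.authorizations & 0xFF, card.flags & 0xFF)
    return out


def decode_card(raw: bytes) -> GuestCard:
    """Parse a card produced by encode_card. The number of code keys is
    recovered from the total length: 2 + 3*n + 4 bytes."""
    n, rem = divmod(len(raw) - 6, 3)
    if rem or not 1 <= n <= 3:
        raise ValueError("bad card length")
    ident = struct.unpack(">H", raw[:2])[0]
    keys = [int.from_bytes(raw[2 + 3 * i:5 + 3 * i], "big") for i in range(n)]
    expiration, auth, flags = struct.unpack(">HBB", raw[2 + 3 * n:])
    return GuestCard(ident, keys, expiration, auth, flags)


def has_privacy_override(card: GuestCard) -> bool:
    return bool(card.flags & PRIVACY_OVERRIDE)


@dataclass
class LockState:
    current_code_key: int   # 24-bit guest code key value stored in the lock
    look_ahead: int         # 1..255 per the slides, ~50 at most properties


def code_key_accepted(lock: LockState, presented: int) -> bool:
    """The slides: any value between the lock's current value and that value
    plus the look ahead is valid. Modelled here as an inclusive, non-wrapping
    window (assumption)."""
    offset = presented - lock.current_code_key
    return 0 <= offset <= lock.look_ahead


def present_card(lock: LockState, card: GuestCard) -> bool:
    """Card cycling: the first accepted code key becomes the lock's current
    value, so the previous guest's (lower) key stops working. That the lock
    advances on acceptance is an assumption drawn from the cycling description."""
    for key in card.code_keys:
        if code_key_accepted(lock, key):
            lock.current_code_key = key
            return True
    return False


def effective_keyspace(look_ahead: int) -> int:
    """Number of distinct guesses needed to cover all 24-bit code key values
    when every value in a window of look_ahead + 1 is accepted (ceiling)."""
    window = look_ahead + 1
    return -(-(1 << CODE_KEY_BITS) // window)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real property.
    lock = LockState(current_code_key=980, look_ahead=50)
    card = GuestCard(ident=0x0102, code_keys=[1000], expiration=0x1234,
                     authorizations=0x80, flags=0)
    raw = encode_card(card)
    print(raw.hex(), decode_card(raw) == card)
    print("accepted:", present_card(lock, card), "lock now at", lock.current_code_key)
    print("guesses to cover 24 bits with look ahead 50:", effective_keyspace(50))
```

Running the block shows the point numerically: with a look ahead of 50 the 24-bit code key collapses to 328966 effective guesses, and once a card with value 1000 has been accepted, a card with value 990 (the previous guest's) is refused.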


Portable programmer
The locks are not networked, so the portable programmer (PP) is used to load data into them
Initialize: Load first data into a lock
Update: Update code key values, timetables, masters, etc
Read openings: Reads in the audit trail for a lock, showing which cards were used for access
Open: Opens any door at the property


Portable programmer
The PP contains the property's site code and will only work with locks matching it
Locks must be reset using a button inside the door before they can be used with a different site code
But what if the PP does this check, and the lock doesn't care about site code...?


Card crypto
The crypto used for cards in the Onity system is a bit underwhelming
Proprietary algorithm using the 32-bit sitecode as a key
  Even if it wasn't flawed in its construction, the keyspace alone makes it broken
Won't get into the crypto too deeply here, but refer to the paper for code and complete details


Breaking the crypto
There are a couple obvious vulns in their cryptosystem
Each byte of the card is encrypted with the previous and a small portion of the sitecode; this makes it easy to determine how much of the sitecode you have right at any point in time
If you can get two keys for the same room, you have enough data to trivially attain the site code for the property


Authentication and you
As alluded to before, the lock doesn't require any authentication for just about anything
Only function requiring the site code is the open command
But what if the PP just reads straight from the lock's memory? The sitecode has to be in there


Open
Turns out that the lock does indeed let you read out every bit of its memory
  The sitecode (and everything else) is there in plaintext
Send it to the lock with the open command, and it pops right open
But surely this requires a lot of hardware knowledge, right?


5.6k to freedom
The lock protocol uses one wire bidirectionally and another for ground
A 5.6k resistor from 3.3v power to your communication pin is all that you need
The jack for communication is a standard DC barrel plug like you'd find on a million devices for power
It's clearly accessible on the bottom of the lock


Connect and open
With the information above, we can see that it's trivial to open Onity locks
Attach a resistor and connector to an Arduino
Read the sitecode out of memory
Send the open command with the sitecode
When you do this, the lock just opens.
  It takes about 250 milliseconds and can be optimized further
No encryption, no protection.


Demonstrations


Perspective
This opens every Onity hotel lock
  Though some, e.g. wall readers commonly used for exterior doors, will store their sitecode at a different point in memory
There are nearly ten million of these locks installed worldwide
That's approximately 50% of the electronic hotel locks in use, installed in about a third of all hotels
If you cross the street to The Paris, you'll see an entire hotel full of vulnerable locks
This is Bad (TM)


What can be done?
Nothing, for a couple of reasons
The locks aren't flashable, so at least the circuit board in them has to be replaced
Any protocol changes would require that the PP be replaced as well
Crypto changes would require all the front desk equipment to be replaced
In essence, we're talking about tens – even hundreds – of thousands of dollars to secure a hotel
And fixed hardware doesn't even exist (will it ever?)


Going public
This presentation contains only a small part of the work I've been doing for the last three years
We (Unified Platform Management Corp, my startup) produced a complete replacement for the Onity system: everything but the PP and locks
We're releasing it all open source today


Questions?
