Known keycard hack suspected in hotel room burglary

A security bypass demonstrated at the Black Hat conference in July appears to have been utilized in at least one burglary, Forbes reports.

Steven Musil Night Editor / News

A known hack of a popular hotel keycard reader was allegedly employed in the burglary of a woman's hotel room in Texas.

The hack, which was detailed at a security conference in July, was allegedly used in September to break into the Houston Hyatt hotel room of Janet Wolf, a Dell IT services consultant, who reported the theft of her laptop. Lacking any sign the lock had been picked, suspicion immediately fell upon the maid service. However, hotel management soon determined that none of the maids' keys had been used to open the room at the time of the theft.

A couple of days later, according to Forbes, Wolf learned from the hotel's management that her room had been accessed via a digital tool that sprang the door's lock. Houston police have arrested Matthew Allen Cook, 27, in connection with that theft, as well as others at the hotel. Cook, who reportedly has a history of arrests for burglary and theft, was linked to the burglary through a local pawn shop that received a stolen laptop.

White Lodging -- the franchisee that manages the Houston Hyatt -- told Forbes that it believes the door was opened using a device that took advantage of a vulnerability in keycard door locks made by Onity -- locks that are used in more than 4 million hotel rooms around the world. The vulnerability was detailed at the Black Hat security conference by Cody Brocious, who demonstrated how he was able to open hotel doors with a gadget he built with materials costing less than $50.

Brocious' device spoofed a portable programming device used to control door locks. In a demonstration, the 24-year-old Mozilla developer and security researcher showed how a plug inserted into a DC port on the underside of the lock could spring the hotel door lock. The vulnerability occurs because the exposed port allows any device to read the lock's memory, where a string of data is stored that will trigger its "open" mechanism.

White Lodging told Forbes that Onity implemented a fix only after the September break-in and told guests that it had resorted to applying an "epoxy putty" at the bottom of the locks to block access to the port.

Onity criticized hackers for targeting hotel room cardkey locks for security bypass and publishing those methods "under the guise of protecting public safety."

"Immediately following the hacker's public presentation of illegal methods of breaking into hotel rooms, Onity engineers quickly developed both mechanical and technical solutions to address the issue," an Onity spokesperson told CNET. "These solutions have been tested and validated by two independent security firms, and are available to customers worldwide. All requests for these solutions have already been fulfilled, or are in the process of being fulfilled."

Updated at 3 p.m. PT with Onity comment.