Hotel Keycard Cloning: $300 Device Opens Every Onity Lock in the World
Security researcher Cody Brocious built a $300 device that could open any Onity hotel lock — used in approximately 4 million rooms across 10,000 hotels — by reading and spoofing the master key stored in the lock itself.
Background
Onity manufactured electronic door locks used in hotel rooms worldwide, including those of major chains. The locks used RFID-based keycards and stored configuration data, including encryption keys, in memory reachable through a port on the bottom of the lock, accessible from outside the door.
The Attack
Brocious reverse-engineered the Onity lock system and discovered that the lock stored its configuration — including the master key — in a non-volatile memory register accessible through a standard DC power port on the bottom of the lock. By building a device that provided power through this port while sending the appropriate serial commands, Brocious could extract the master key from any lock and then generate a valid room key for any room on that lock's system. The device could be built for approximately $50-300. He demonstrated the exploit at DEF CON 2012.
Response
Onity initially provided a partial mitigation (a plastic plug to cover the port) but not a proper firmware fix. The cost of replacing or properly patching all 4 million locks was estimated at $5-10 million — Onity pushed this cost to hotels. Many hotels did not deploy even the plastic plug fix. Brocious's device was later found to have been used in actual hotel burglaries.
Outcome
Hotel burglaries involving Onity locks were identified in Texas within months of the DEF CON disclosure. The low cost of exploitation and the breadth of deployment (4 million rooms) created a broad vulnerable surface. The partial, cost-shifted response was criticised as inadequate. Physical security researchers began conducting formal audits of hotel lock systems.
Key Takeaways
- Physical access control devices (locks, access panels) must be designed with the same security rigour as digital systems
- Security-critical configuration data must never be accessible from the outside of a physical device
- Disclosure of vulnerabilities in widely deployed physical infrastructure creates real-world harm risk if the vendor response is inadequate
- Firmware update capability for deployed physical security devices is essential for responding to discovered vulnerabilities
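
The design flaw described under The Attack, and the takeaway that security-critical data must never be readable from outside the device, shown as an added example. It is not code from the original article or from Onity's firmware. The memory map, function names, offsets and byte values are all hypothetical and constructed for illustration. An open memory-read handler sits beside a hardened one that refuses any read overlapping the key region and exposes only a rate-limited verify operation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical memory map of a lock controller (constructed values). */
#define MEM_SIZE     64u
#define KEY_OFFSET   16u         /* secret key occupies [16, 48) */
#define KEY_LEN      32u
#define MAX_FAILURES 3u

static uint8_t lock_mem[MEM_SIZE];
static unsigned failures;

/* Fill memory with a constructed pattern and reset the failure counter. */
void lock_init(void) {
    for (size_t i = 0; i < MEM_SIZE; i++) lock_mem[i] = (uint8_t)(0xA0 ^ i);
    failures = 0;
}

/* Vulnerable: whoever powers the external port can read any address,
   including the key region. */
int port_read_open(uint16_t addr, uint8_t len, uint8_t *out) {
    if ((size_t)addr + len > MEM_SIZE) return -1;
    memcpy(out, &lock_mem[addr], len);
    return len;
}

/* Hardened: any read overlapping the key region is refused, so the key
   never leaves the device through the port. */
int port_read_hardened(uint16_t addr, uint8_t len, uint8_t *out) {
    size_t end = (size_t)addr + len;
    if (end > MEM_SIZE) return -1;
    if (len > 0 && addr < KEY_OFFSET + KEY_LEN && end > KEY_OFFSET) return -2;
    memcpy(out, &lock_mem[addr], len);
    return len;
}

/* The port may ask "is this the key?" but not "what is the key?".
   Constant-time compare plus a failure limit to slow guessing. */
int port_verify_key(const uint8_t candidate[KEY_LEN]) {
    if (failures >= MAX_FAILURES) return -3;          /* locked out */
    uint8_t diff = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        diff |= (uint8_t)(candidate[i] ^ lock_mem[KEY_OFFSET + i]);
    if (diff) { failures++; return 0; }
    failures = 0;
    return 1;
}
```

The overlap test rejects partial reads that start before the key region and run into it, a case a simple "address equals key offset" check would miss.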