Sometimes cybercrime seems abstract. For the luddites (techno-muggles?) among us, the idea of stealing data doesn’t always come across as frightening or immoral as the theft of physical property.
Unfortunately for Hyatt Houston guest Janet Wolf, a Dell IT services consultant, cyber crime and physical crime came together in a perfect storm when a criminal was able to exploit a vulnerability in her hotel room’s electronic key card reader, allowing the thief to enter her room and steal her laptop.
Initially, hotel management suspected the maid staff, but after discovering that none of the maid’s keys had been used to open the door, other culprits were investigated, eventually leading police to 27 year-old Matthew Allen Cook who was caught after selling the stolen laptop to a local pawnshop.
It turns out Cook used software and a device originally developed by Mozilla developer and security researcher Cody Brocious who detailed the key card hack at the Black Hat security conference. Brocious’ device, as he demonstrated, could be built for less than $50 and utilized the DC port on the bottom of the door lock to access the locks memory where a data string is stored that can trigger the door to open.
Fortunately, this is, so far, an isolated incident. But, White Lodging, the franchise that manages the Houston Hyatt, said the vulnerable locks made by a company called Onity are used on more than 4 million hotel room doors worldwide.
So how do you patch a security flaw like this? As it turns out, quite literally, with a patch. White Lodging said they put putty in the DC ports of all of their hotel room locks to prevent further access.
Onity has also released a technical and mechanical solution to their lock problem and is currently filling orders for the new systems.