Recently, a security flaw in hotel-room locks manufactured by a company called Onity, which supplies thousands of electronic door locks to hotels around the world, demonstrated that certain hotel door locks can be easily unlocked with a simple device which costs about $30 and plugs into an open port at the bottom of the hotel room locks. The person who discovered the flaw in the door lock says he can access what may be as many as millions of hotel rooms worldwide. Apparently the only way to fix the problem is to replace the locks’ entire circuit board —and on millions of locks, that’s a process that could take a long time.
The company who makes the locks has begun to offer hotels with these locks two solutions. The first is a mechanical fix that does not actually repair the software vulnerability: Onity will provide hotels with caps for the open ports on its locks, along with a security screw. Together, that solution will mean that potential hackers will have to partially dismantle the lock to get at the open port. The mechanical caps are free. The second solution, though—and the only one that actually fixes the software problem—is far from free. Here’s an excerpt from a statement the company released last week:
The second solution Onity will offer to our customers, if they choose to use this option, is to upgrade the firmware of the HT and ADVANCE series locks. The firmware is currently complete for the HT24 lock, and by early next week should be complete for the entire HT series of locks. By the end of August we should have the firmware complete for the ADVANCE lock as well.
The deployment of this second solution, for HT series locks, will involve replacement of the control board in the lock. For locks that have upgradable control boards, there may be a nominal fee. Shipping, handling and labor costs to install these boards will be the responsibility of the property owner. For locks that do not have upgradable control boards, special pricing programs have been put in place to help reduce the impact to upgrade the older model locks.
It’s good to see that Onity is taking steps to repair this vulnerability. But business travelers should be aware that hotels secured with Onity-brand locks that have open ports on the bottom may be hackable for some time to come. Watch the video below to see a recent news report about the problem.