I'm planning on doing a Reddit AMA for reversing in general -- as well as this work -- in the next hour or two, but if anyone has any questions I'll do my best to answer here. All I ask is no protocol details (paper and full code will be out tomorrow immediately following my talk) and no legal questions. Go wild.
Edit: Since this thread has blown up a bit, we may as well just do it here for real. If you have any reversing questions or background questions or whatnot, feel free.
Was it necessary to wear a t-shirt that reads "It's fun to use learning for evil!" in the photo shoot for a Forbes spread? This doesn't help the negative perception of the word "hacker". :-/
All due respect to the work you're doing – I'm a former member of the security industry myself (worked on the IPS engine at TippingPoint).
Random question: His former employer [..], sold the intellectual property behind Brocious’s hack to the locksmith training company the Locksmith Institute (LSI) for $20,000 last year.
Are these guys "buying up" security flaws in locks similar to others who sell these kinds of things for software?
> But on three Onity locks installed on real hotel doors he and I tested at well-known independent and franchise hotels in New York, results were much more mixed
This is a long shot, but I was in a chain hotel in midtown recently and heard someone tampering with the lock, and found the door ajar in the morning. I realize you probably can't name specific hotels, but was one by any chance a chain hotel in midtown around the 11th?
My university uses Onity locks for universal access with ID cards. This means our campus (and residences) are vulnerable, too, right? Are you aware of many universities that use similar systems?
Could you explain a little more why you didn't go for responsible disclosure to Onity?
In the article you suggest that you don't think they could fix it. Maybe true but shouldn't you (a) give them the opportunity to try (just cos you can't spot the fix doesn't mean it's impossible), and (b) give them the chance to say "yep, it's broken - give us 3 months to ship out new locks to all our customers" (yes, highly unlikely I know!).
Given that you sat on this for a year before publishing, there was ample opportunity to inform Onity before you publish.
Given the simplicity of the vulnerabilities (as mentioned in the article, you have full and unauthenticated memory access) and the length of time -- over a decade -- that these locks have been on the market, there is absolutely no doubt that they knew about this.
Given that, I felt that they would delay, delay, delay, and delay some more before finally going silent, at which point I would be forced to do this anyway. Simply put, I have zero confidence in their ability to mitigate this properly, and I believe that the only proper course of action is to make this public and let the hotels make themselves secure by whatever means possible.
I know that's a bit of a strange answer, but this is a strange situation; it's taken me a while to figure out the correct course of action, and I feel that this really is the best way for the safety of the public.
Edit: Toned down some of the wording; unnecessary.
It won't be a surprise to learn that these types of locks are vulnerable, but I'll be fascinated to learn the details especially since it sounds like you can get access to an internal bus easily.
Interesting, but it's not as if hotels in general have been high security installations.
Very easy experiment: Just go to the front desk and tell them that you sadly seem to have lost your room card. 90% of the time they will just ask for your room number without requiring any kind of proof that it's actually your room.
Or there's those hotels where you have to leave the keys at the front desk. Each time you come back you say your room number and they give you the key.
duh? I'm sorry but low security systems like hotel rooms of course have wide vulnerabilities. The front desk will just give out keys based on trust since you don't have to register everyone staying in the room; they don't even have an audit trail if they wanted to use it.
Keyless entry cars are mostly crackable ... garage door systems are trivial, you can bump pin tumbler locks, many home security systems have no backup power. rfid skimmers are cheap and easy-to-use. almost every elock I've seen has the bus readily exposed on the outside (secured by a single screw at best).
There's at most 6 things I can think of that actually do not have trivial security issues.
If I knew I would become famous by informing the press that, for instance, a car model only has a handful of key patterns for millions of cars, I would have done it a long time ago, but I thought such things were just stupefyingly obvious.
> a car model only has a handful of key patterns for millions of cars
This reminds me of growing up in Eastern Europe. Story time: Under the Romanian communist regime, there was only one car factory (Dacia, http://en.wikipedia.org/wiki/Automobile_Dacia) making cars for personal use. Their main model was essentially the same from the '70s until 2004. For the first 10 years or so after the '89 revolution (http://en.wikipedia.org/wiki/Romanian_Revolution_of_1989), Dacia dominated the local car market (because their cars were cheap and really easy to fix).
Now that we have the oh-so-important context, your comment reminded me that when I was a kid, my parents bought a Dacia. What confused me at a time was that random people would periodically ask to borrow the key.
It turns out that for 30-something years, Dacia only used a few models of keys. In fact there were so few that if you locked your keys inside (doors were unlocked by key and they locked automatically) it was feasible to try keys from random cars until one worked.
To be fair, the engine key was different from the door key, and it didn't have this problem. But, getting back to your comment, if you're talking about a recent car model then that's just crazy.
Also, I would have thought that keyless entry systems use correctly implemented public key cryptography. Is that not the case?
I was always curious about elock systems, particularly about how they are reprogrammed. Presumably they are reprogrammed by the front desk, centrally, but how does the signal reach the lock? Presumably there must be wires attached (at least for power). So why is there an external port on the lock at all? Also, what is the possibility that a lock exploit could affect the central reprogramming system?
Edit: just read below that these things are battery powered, which raises two questions, first, ok, how are they reprogrammed, and second, how does a hotel not go bankrupt replacing thousands of batteries all the time?
> how does a hotel not go bankrupt replacing thousands of batteries all the time?
A microcontroller in sleep state (or similar) draws extremely low power, micro or nano Amps. It only wakes up when it sees data on the card reader, reads the card reader data, and decides if it should open the lock. The motor that unlocks the door only runs for less than a second. Then the whole thing goes back into sleep state.
Hotel doors are only opened 10s of times per day, at most. A pair of couple-amp-hour batteries will last quite a while. Maybe replace them once a year. A tech with an electric screwdriver maybe takes 1 minute per door; even a 600 room hotel only costs 2 days of labor once per year (max 1 week, if the tech is slow). That's not that expensive. And the tech's time is 10x the cost of the batteries; coin cells in bulk are dirt cheap.
(Note: This is all specific to Onity locks.)
The locks are programmed by the front desk, but then the data is transferred to the Portable Programmer, which is then used to update the doors. The doors themselves are not connected to power, but are rather completely battery-driven. The likelihood of anything impacting the front desk equipment is effectively nil.
Let's do this AMA thing right here, because my questions might get lost in the reddit noise. You seem like the prototype hacker to me - what's your personal stack? Like OS, text editor, the computer you use daily? Thanks for answering those 3 little questions.
My stack now is a Lenovo W520 running Ubuntu and KDE, and Sublime Text as my editor. Over the years when I did this, I was running everything from a cheapo, hacked-together box to a 13" Macbook Pro, all running Windows Vista/7.
I think that making this public is not a very good example of responsible disclosure
and I hope there will be a lawsuit before the presentation to prevent the details from being exposed.
I am all about exposing vulnerabilities but I honestly think there needs to be a dialog with the vendor first. Especially for exploits like this where there is a lot at stake.
I find the excuse of 'there is nothing they can do anyway' very poor. I have no doubt that this technique is known to locksmiths and law enforcement and maybe a smaller group of criminals. But making this public and exposing it to the world will allow any criminal with a soldering iron and an Arduino to start exploiting this.
Daeken, you have done an awesome job making this known. Maybe that is enough to get the ball rolling. Or do you just want to do damage for fame and profit?
This argument has been going around for as long as I can remember, and I think it's incredibly harmful to researchers (whether they be security or other).
Upon discovering the vulnerability, the only real action he could take which would be universally considered unacceptable would be to use that research to go around breaking into hotel rooms (which is illegal).
If he decided to go into business selling devices to bypass hotel room locks, there would also probably be a majority opinion that that isn't really "above-board". Even that isn't necessarily universally agreed on though (as there are a lot of people who argue that providing access to tools isn't criminal).
But he didn't do that either.
He decided that this was a pretty severe vulnerability (made worse by the fact that remediating it isn't trivial), and that he wanted people to know about it.
Hoping that the vendor will sue him to prevent that information from being disseminated is about the worst possible outcome from research of any kind; ignoring the fact that you don't seem to posit any rationale for what exactly they'd be suing about (protected trade secrets? violation of a license agreement?)
The thing about "responsible disclosure" is that it isn't something that exists by fiat. It's an intentional reframing of disclosure policies by vendors to attempt to steer the research community towards doing what's in the vendors' best interests.
I understand their desire to reframe that policy, but that doesn't make it "the only ethically responsible way to conduct vulnerability disclosures".
Recently, there's been a lot of news about BMWs being able to be stolen trivially through access to the OBD port on certain models. There's an OSVDB entry for it and everything (http://osvdb.org/83707).
That's another example where providing information to the public was considered to be very important (like the issue Cody discovered, it's also not something that can be easily fixed. It's also been ignored by the vendor).
In virtually all other regards, making research public is considered the responsible thing to do.
While I'm not a card-carrying member of the full-disclosure sentiment, I strongly disagree that releasing research publicly is boolean irresponsible.
I'm not certain, but in the picture from the Forbes article the lock looks exactly like the kind used on many doors in my university - the shape is exactly the same, and ours had the same type of electrical connector in the same place at the bottom of the lock. I remember because I considered attacking this interface before noticing the torx security screw next to the connector; removing this screw allows the panel covering the bottom part of the lock to be removed (the edge of this panel is visible in the Forbes photo), exposing the bolt mechanism of the lock. Turning this mechanism one way opened the lock, turning it the other double-locked it so it couldn't be opened with the proper keycard.
I wonder if any HN readers have access to an Onity lock to check whether this method works on them?
I'm looking at my test lock (which doesn't have panels on it) and it looks to me that there's no way you could access the lock mechanism from the battery panel. With the HT locks I've played with, the locking mechanism sits inside the door, between the lock itself (with the circuit board, card reader, batteries, etc) and the back plate containing the deadbolt and such. Don't think it's vulnerable to what you're describing. However, it should be noted that if it's used in the university, it's almost definitely the Integra/CT line from Onity, which is different.
Probably because if the system glitches out and they can't get into the room anymore (even with maintenance keys) then they wouldn't ever be able to fix it?
What tools do you use for reversing hardware? Did you have to open up the lock and tap into it with something like a logic analyzer? Or was it as simple as creating a DC port adapter so you could read the data from the portable programmer?
So, reversing it was sort of all over the place. I first had to reverse the front desk system and all that; that was primarily done by sitting between the equipment with a serial proxy and working from there. Once I had a good bit of data captured, I'd write software to emulate being one side or the other. Everything is RS232 and RS485, pretty straightforward.
In terms of reversing the actual lock protocol, that was a bit more tricky. First step was tapping the line between the portable programmer and lock with an o-scope (a 70s-era HP scope; only thing I could afford at the time, haha) to figure out the voltage levels involved and the basic properties of the communication. From there, I hit it with the Saleae Logic to see what the communication actually looked like.
From there, I wrote some Python scripts to walk over the data from the logic analyzer and attempt to decode the data. With some tweaking, I managed to finally see some data that I knew, specifically the site code (which I knew from other parts of the system).
After I knew all that, it was a matter of figuring out the actual hardware level. Given that I have effectively no experience with this level of things, this was a lot of asking questions, googling, and experimenting. I knew that it was a one-wire protocol, so by reading up on other one-wire protocols I managed to figure out a lot. Once that was done, everything just fell into place; making the opening device work initially took maybe a day given all the info I had.
I was working on a replacement of the Onity front-desk system at the time, and I suspected it existed for a while. In another comment I detail how I reversed everything, but everything was done on my own hardware, not just random hotels.
so reverse engineering seems cool. What skills do you find most useful/versatile/neat/groovy or otherwise necessary for your reverse engineering projects?
I can't really narrow it down to a single specific skill. When I'm reversing, my steps are generally: figure out how I would design the system, come up with a set of assumptions based on that, check the assumptions as quickly as possible, then refactor your model of the system based on what you find. It's really all about making educated guesses and then checking those; as you gain experience, you start making better guesses.
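The capture-decoding step described above (walking the logic analyzer's output in Python, guessing an encoding, and checking the guess against a value already known from another part of the system, the site code), as an added example that is not code from the thread or from the released tool: it parses a Saleae-style transition CSV, measures every low pulse, and tries each polarity/bit-order hypothesis until the known value shows up. The CSV layout, the pulse timings, the bit encoding and the site code value are all constructed assumptions for illustration, not any vendor's real protocol.

```python
"""Decode a single-wire logic-analyzer capture by hypothesis testing.

Constructed example: the pulse timings, the CSV layout and the "site code"
below are assumptions for illustration, not any vendor's real protocol.
"""
import csv
import io
from itertools import product

# Assumed timing of the constructed encoding: every bit is one low pulse on
# an otherwise-high line; a short low and a long low mean different bits.
BIT_PERIOD_S = 120e-6
SHORT_LOW_S = 20e-6
LONG_LOW_S = 80e-6
THRESHOLD_S = 50e-6   # decoder's short/long split, itself a guess to verify

# Value known from another part of the system (constructed here).
SITE_CODE = b"\x4a\x13"


def build_capture(payload):
    """Stand-in for a Saleae Logic style CSV export ("Time[s],Channel 0",
    one row per transition). Encodes short low = 1, long low = 0, LSB first.
    A real run would read the analyzer's export instead of building one."""
    rows = ["Time[s],Channel 0", "0.0000000,1"]   # line idles high
    t = BIT_PERIOD_S
    for byte in payload:
        for i in range(8):                       # LSB first
            low = SHORT_LOW_S if (byte >> i) & 1 else LONG_LOW_S
            rows.append(f"{t:.7f},0")            # falling edge starts the bit
            rows.append(f"{t + low:.7f},1")      # rising edge ends the pulse
            t += BIT_PERIOD_S
    return "\n".join(rows) + "\n"


def low_pulse_widths(csv_text):
    """Walk the transition list and return the duration of each low pulse."""
    widths, fall = [], None
    for row in csv.DictReader(io.StringIO(csv_text)):
        t, level = float(row["Time[s]"]), int(row["Channel 0"])
        if level == 0:
            fall = t
        elif fall is not None:
            widths.append(t - fall)
            fall = None
    return widths


def widths_to_bytes(widths, short_is_one, msb_first):
    """Apply one decoding hypothesis: pulse polarity and bit order."""
    bits = [(w <= THRESHOLD_S) == short_is_one for w in widths]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chunk = bits[i:i + 8]
        if not msb_first:
            chunk = chunk[::-1]
        value = 0
        for bit in chunk:
            value = (value << 1) | int(bit)
        out.append(value)
    return bytes(out)


def find_known_value(csv_text, known):
    """Try every (polarity, bit order) hypothesis; return the first one under
    which the known value shows up, with its byte offset and the decoded
    stream, or None if no hypothesis fits (time to revisit the assumptions)."""
    widths = low_pulse_widths(csv_text)
    for short_is_one, msb_first in product((True, False), (True, False)):
        decoded = widths_to_bytes(widths, short_is_one, msb_first)
        offset = decoded.find(known)
        if offset >= 0:
            return {"short_is_one": short_is_one, "msb_first": msb_first,
                    "offset": offset, "decoded": decoded}
    return None


if __name__ == "__main__":
    # Constructed frame: a preamble, the site code, then two filler bytes.
    capture = build_capture(b"\xaa\x55" + SITE_CODE + b"\x00\xff")
    print(find_known_value(capture, SITE_CODE))
```

The first hypothesis (short = 1, MSB first) fails on this capture and the second one succeeds, which is the "guess, check, refine the model" loop in miniature; on real output the threshold and frame boundaries are the assumptions that usually need the most tweaking.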
shimon_e|13 years ago
Thanks from all us who spend our weekdays living in hotels.
jgrahamc|13 years ago
The assassination of Mahmoud Al-Mabhouh (http://en.wikipedia.org/wiki/Assassination_of_Mahmoud_al-Mab...) allegedly by Mossad involved attacking an electronic hotel lock to get access to his room:
"A readout of activity that took place on the hotel room's electronic door lock indicated that an attempt was made to reprogram al-Mabhouh’s electronic door lock at this time. The investigators believe that the electronic lock on al-Mabhouh’s door may have been reprogrammed and that the killers gained entry to his room this way. The locks in question, VingCard Locklink brand (Dubai police video, 21:42), can be accessed and reprogrammed directly at the hotel room door."
daeken|13 years ago
As for Ving, I think they're going to be next up; spent years honing my skills in reversing this sort of thing, seems like a shame to stop now.
otoburb|13 years ago
Anecdotally, I was asked for ID each time my wife or I lost hotel room cards on 4 occasions (3 for me, once for my wife).
I believe they were 2 Courtyard Marriotts, 1 Residence Inn (Marriott), and a Sheraton (don't remember the hotel class).
EDIT: Grammar
webjprgm|13 years ago
And you can still have a DC power port on the outside in case of a powered-down door, just no programming access.
Why have they not done it that way???
stcredzero|13 years ago
You have my attention...
> security flaw in 4m
sounding really interesting...
> hotel room keycard locks.
Oh. Well, still pretty cool.
EDIT: Actually, this kind of thing needs to get a lot more attention and awareness. I could suggest a certification of some kind, but there's often a reaction against that. But a certification that just indicated:
- No passwords in plaintext
- Not vulnerable to replay attacks
- No "toy" encryption
would be of great benefit in today's world.