Hotel key cards open to hacking, developer says

image captionA hacker claims his $50 device can access millions of hotel rooms

A hacker has developed a device he says can act as a universal hotel key card to access millions of rooms around the world.

Using a home-made gadget, security researcher Cody Brocious said he had mimicked a master key card to gain access to any room with an Onity lock.

Details will be revealed at the Black Hat conference in Las Vegas this week.

Onity said it would look at Mr Brocious's work and address "any potential issues".

Reverse engineering

"We will review and analyse Mr Brocious's presentation and any other information that he publishes on this subject," the company told the BBC in a statement.

"Onity places the highest priority on the safety and security provided by its products and works everyday to develop and supply the latest security technologies to the marketplace.

"Onity is prepared to address any potential issues posed by the presentation."

Onity has about 10 million locks installed in hotels around the globe.

Mr Brocious said he had used a cable connected to a DC power port below the door lock, and plugged it into a portable programming device he had built for $50 (£32).

The device is based on the Arduino microcontroller and mimics the system used by hotels to control which master keys open which doors.

Mr Brocious said he had discovered by reverse engineering hotel locks that every lock's memory was exposed to whatever device attempts to read it through the DC power port.

In tests Mr Brocious conducted with Forbes news site, the system did not prove entirely successful - only one of the three doors, at three hotels in New York, opened.

Mr Brocious plans to release all his research and source code on his website.

He said he had spotted the vulnerabilities in Onity's locks while working as the chief technology officer for a startup called Unified Platform Management Corporation, which sought to compete with bigger players in the hotel lock industry.

More on this story

Related Internet Links

The BBC is not responsible for the content of external sites.