Hotel Lock Security Vulnerability is Reminder of Government’s Ambiguous Role in Protecting Security

This summer, at the Black Hat security conference, a security researcher presented details of a troubling security flaw: An electronic lock system, used in more than 4 million hotel rooms around the world, is vulnerable. The researcher, Cody Brocious, revealed that with less than $50 in electronic parts, a device can be built that will open one of the vulnerable locks in seconds. Just a few months after Brocious revealed the flaw, hotels in Texas reported a string of thefts by burglars from rooms, all protected by vulnerable locks.

Government agencies have known about this vulnerability for some time

Brocious, the security researcher, apparently discovered the vulnerability while working for a now-defunct startup that he co-founded. That startup licensed the vulnerability to an organization called the Lockmasters Security Institute (LSI) for $20,000 at some point in 2011. In July, long after Brocious’ startup had gone under, he gave a presentation describing the vulnerability in depth at the Black Hat security conference, and published code online to open locks using the flaw.

Shortly after he presented at Black Hat, Brocious acknowledged that he didn’t know what LSI was doing with the information about the hotel lock vulnerability. However, in a recent post to his blog, he stated that the vulnerability was sold to LSI for “law enforcement purposes.”

Among the many courses offered by LSI is a five-day course specifically focused on hotel locks, during which students will learn how to bypass hotel locks made by a number of companies—including Onity, the company whose locks Brocious reverse engineered. According to the LSI website, the course is only offered to attendees with a proven “need to know,” such as law enforcement agencies.

In August of this year, the Naval Special Warfare Command purchased $42,500 worth of training and course development from LSI. Now, it is quite possible that the special forces command were interested in sending soldiers through a two-day course focused on servicing safety deposit boxes. However, it is probably more likely that they wished to send a few dozen special forces commandos through LSI’s five-day tactical entry course that “provides the student with the tools and knowledge necessary to Surreptitious, Covertly and with some Forced Entry Techniques defeat most locking systems.” After all, LSI’s website notes that “ideal students for this training are those that may need to gain entry quietly and without being noticed such as:—Law Enforcement—Military Police—Special Ops.”

Law enforcement agencies don’t need hotel lock vulnerabilities

Brocious has stated that the vulnerability was sold to LSI for “law enforcement purposes.” This is a claim worth digging into.

Typically, when law enforcement agents wish to gain entry to a locked home or business, they will kick down the door or use a battering ram. Such methods are quick and easy, but loud, destructive and obvious. If law enforcement agents wish to be covert, such as to install a secret microphone in a target’s home or office, or to perform a sneak and peek search, breaking down the door isn’t a very good option. In such cases, it makes sense for law enforcement agents to pick locks or use other non-destructive methods to gain entry.

In the event that law enforcement agencies wish to covertly gain entry to a hotel room, they don’t need to engage in high-tech lock-picking. This is because they can simply ask the front desk staff to provide an extra key to the room. A court order permitting the government to gain covert entry to a hotel room can also compel the hotel staff to open the door and prohibit them from telling the guest.

As a related example, if the police believe that a Google mail user is exchanging child pornography through his email account, the police don’t covertly break into Google’s data center, locate and clone the hard disk containing the emails in question, and then sneak out of the back door. No, they simply compel Google to provide a copy of the emails as well as identifying information about the account holder. The same is true for hotels: if the police have good reason to believe that a crime is occurring in a hotel room, the owners of the hotel are likely more than happy to help the police.

Hotel lock vulnerabilities are far more useful for foreign military and intelligence operations

Although a Marriott in Washington DC would almost certainly provide assistance to the FBI seeking lawful entry to a room in the hotel, a hotel in Paris, Tehran or Beijing would be far less likely to provide assistance to US government agents unaccompanied by local law enforcement. Quite simply, when operating in foreign countries where US court orders are not valid, and local hotel companies are likely to be unwilling to provide assistance, covert-entry methods may be the preferred option. Such scenarios are extremely rare (if not unimaginable) in the law enforcement context, but quite common in the context of operations by intelligence agencies and military special forces teams.

Consider the assassination in 2010 of Mahmoud Al-Mabhouh, a top Hamas official, in a Dubai hotel room. Al-Mabhouh’s killers (part of a larger team that Dubai’s chief of police said he was 99% certain were agents of Mosad, Israel’s intelligence agency) apparently reprogrammed the lock of Mr. Al-Mabhouh’s room shortly before going inside and killing him. Given the covert (and illegal) nature of the assassination operation, lock-picking was the logical option for an operation like this.

Interestingly enough, although the locks used at the Dubai Hotel were not the same vulnerable locks proven to be vulnerable by Cody Brocious, and were instead made by a company called VingCard ElSafe. However, the marketing materials for the hotel locks course taught by Lockmasters Security Institute lists the name of ten different hotel lock manufacturers whose products students will learn to bypass. That list of companies includes VingCard ElSafe.

Offensive security techniques are only effective when the rest of us remain vulnerable

The management and staff of the Locksmithing Security Institute appear to be aware of a number of vulnerabilities in hotel locks. One of these vulnerabilities was purchased from Cody Brocious’s startup in 2011. We do not know how LSI learned of the other bypass techniques that they teach to their “need to know” clients. We also do not know if LSI has informed the manufacturers of the hotel locks about the vulnerabilities in their products, or the hotel companies that use these locks to protect millions of hotel rooms. What is clear is that LSI has not informed the general public about these vulnerabilities. The company and the law enforcement, intelligence and military agencies that have sent their staff to take LSI’s classes have opted to leave the public in the dark about critical security flaws that affect most (and likely all) hotel lock systems.

Major hotel chains such as Hyatt, Marriott and IHG have started the costly process of replacing the vulnerable circuit boards in locks in their hotels. White Lodging, the Hyatt franchisee that manages one of the Houston hotels where several high-tech thefts occurred this summer, claims that they only learned of the vulnerability in the Onity locks after reading a Forbes article describing Brocious’ research.

Had Brocious not presented his research at a public event like Black Hat, it is almost certain that the vulnerability in the Onity hotel lock system would still be a secret, known only to LSI and the “need to know” individuals (including employees of government agencies) who it has trained to covertly open those locks. Had Brocious not published his research, it is almost certain that all of the 4 million Onity locks installed around the world would still be vulnerable to easy, covert access.

Rather than exploiting the information for their own operational gain, any one of the US government employees that have taken LSI’s hotel locks class could have called up Onity and the other likely vulnerable lock manufacturers to let them know about the flaws taught in LSI’s class. The replacement of every electronic hotel lock in the country is an expensive, slow task, which could have been addressed in a more organized, and less frantic manner had the manufacturers been given sufficient notice by US law enforcement officials. Instead, Onity had the same amount of notice of the flaw as the criminals in Texas who exploited the vulnerability.

In this case, as with many other vulnerable technologies exploited by law enforcement and intelligence agencies, government officials prioritize their offensive, operational needs over the security of the population at large. In this case, US government agencies are likely exploiting vulnerabilities in hotel locks to aid in the surveillance of intelligence targets and to capture (or kill) military targets. Of course, the government’s offensive operational needs can certainly be legitimate. At the same time, it’s important to remember that our government can only really maintain its offensive edge if the population at large, including law abiding individuals and businesses, are also left vulnerable to the same security vulnerabilities. Unfortunately, our government isn’t the only entity to know about these flaws—foreign governments and criminals know about them (and exploit them too).

Whether the government is exploiting protocol vulnerabilities in the mobile phone system, 0-day flaws in commercial software, or hotel locks, the end result is the same: our government’s often legitimate law enforcement, military and intelligence operational needs directly conflict with its mission to protect us. Government agencies, like the FBI and NSA that have both offensive and defensive responsibilities are often faced with a tough choice. But typically, the protection of intelligence sources and methods takes priority over defense, even if doing so means that the general public is left vulnerable to criminals and state-sponsored attacks that could otherwise be prevented.

Part of the problem is that there may not be proper processes for balancing the imperatives of offense for government operatives versus security for the broad public. When national security operatives gain inside knowledge of exploits that gives them new, seductively powerful abilities, who is at the table representing the broader public’s security interests? In the atmosphere of out-of-control secrecy that pervades our national security establishment, it’s all too easy to imagine that the answer is: no one.

If cybersecurity is to be a national priority, those responsible for defending consumers, businesses and the underlying communications networks must be free to do their jobs without one hand tied behind their back. If conflicting missions make it impossible to prioritize defense, then those missions should be tasked to different agencies who can then dedicate 100% of their resources to the job.

Prioritizing offense over security and leaving the public vulnerable to criminals and state-sponsored attacks is not only unwise, but reckless.