A woman’s hotel room was burglarized due to a known vulnerability in hotel key card readers from Onity, according to Forbes. The robbery occurred at a Hyatt in Houston, Texas.
According to Forbes, Janet Wolf’s laptop was stolen in September after Matthew Allen Cook allegedly used a hack made public at a security conference in July to force the locks and gain access to Wolf’s Hyatt House Galleria room. Cook was arrested and charged with theft.
Mozilla security researcher Cody Brocious first showed off his hack at the Black Hat conference in Las Vegas. Forbes reported the story a week before the conference, saying, Brocious didn’t plan on telling Onity before the presentation. Brocious created a device that plugs into a DC power port on the Onity hotel card readers. He said it cost him less than $50 to make it, and all he needed to do was plug it in, turn it on, and the lock would open.
In order to fix the issue, according to Forbes, the Hyatt House Galleria used putty to fill the holes, blocking off the DC port.
You might wonder why in three months the company hasn’t made a less damaging fix to this vulnerability, but it’s not that simple. It’s not like the key card readers are all linked together and can be updated remotely. In order to fix the reader, Onity would need to develop a new reader that did not have the vulnerability and then get hotels using its readers to replace all of the “compromised” ones. And a lot of those hotels likely don’t have the budget to do a lock upgrade.
We reached out to Onity for comment, but have not heard back from the company.