
My Arduino can beat up your hotel room lock

- Cody Brocious

Intro

This talk is all about the Onity HT lock system for hotels
  Over 4 million locks are installed in hotels
  On the market since 1993
  Every one is vulnerable

If you've stayed at a hotel, you've probably seen this lock

Design

Primary components:
  Encoder - Makes keycards, loads data into the Portable Programmer
  Portable Programmer (PP) - Loads data into the lock, opens locks
  Lock - In this talk, we'll be focused on standard guest room door locks

Sitecodes are 32-bit unique values that identify a property (hotel)
  All equipment in the hotel knows it
  Used primarily as an encryption key
  Hidden, even from property owners

Portable Programmer

The portable programmer does the following:
  Initialize - Load data into the lock for the first time
  Update - Update the time and data in the lock
  Test - Shows diagnostic data about the lock
  Read openings - Reads the audit report from the lock
  Open - Opens the lock

Lock communications

The PP uses a DC barrel-type connector
  It attaches to the bottom of the front face of the lock
  The port is accessible without removing any hardware

Communication happens over a one-wire protocol, with the other line being a shared ground

The master (PP) drives the communication
  Sends pulses at regular intervals while communicating
  If one side wants to transmit a bit, it's done by pulling the line low between those pulses

  That indicates a 1 bit

This is a case of the lock sending data to the master
  A zero and a one, specifically
  Red pulses are from the master, the black pulse is from the lock

Hardware

To communicate with the lock physically, you'll need the following:
  An Arduino or other microcontroller
  A 5.6k pull-up resistor from the 3.3v line to your data line
  The DC barrel plug to physically mate with the lock

This, depending on the board you get, can be $20 or less from Radioshack

But what can we do?

There are a few key commands in the protocol

Reading memory
  Given an address, the lock will send back 16 bytes of memory from that point

Opening the lock
  Given the sitecode for the property, the lock will open

But it'd be crazy to just let anyone do this
  If you can read the memory, the keys to the castle are there

How do we deal with authentication?

Authentication

...

Reading memory requires no authentication
  Send it an address, it sends you memory
  That's it

Memory

Knowing how to read memory is irrelevant if you don't know what to read
  But every guest room lock has its data at the same addresses
  Exterior entry doors are different, but you can detect the type and act based on that

The most obvious piece of data is the sitecode
  Given that, you can decrypt or encrypt your own cards
  Or you can go the direct route, and just use it with the open command on the lock

Open command

All you need is the sitecode
  We got that from memory
Complete time for reading the memory and opening the lock is about 200 milliseconds
  This can be longer if you need to try different addresses, due to supporting multiple door types
Creates an entry in the audit report that shows the PP having been used to open the lock
  But it doesn't alter any data on the lock or inhibit normal functioning

Memory

But there's more:

Guest code
  Make your own guest card for the door

Master codes
  Make copies of any master card programmed into the lock
  This won't necessarily get you into every lock at the property
    Not all masters are assigned to all doors

Programming cards

Also in memory is the programming card code
Truly magical cards
  One code is loaded into every lock at the property
  Used for cases where the encoder is out of service
    A programming card is put into the lock
    Then a 'spare' card is put into the lock
    That spare card is now the actual guest card
  Hotels keep dozens of these on file in case of front desk system issues
We can read this code from memory and make a skeleton key

Card cryptography

As mentioned previously, the sitecode is the crypto key for cards
  As a reminder, this is only 32-bit
A naïve implementation of the crypto algorithm gives you 2 million card encrypts or decrypts per second trivially
  That means that trying every sitecode on a key would take about 35 minutes on a normal desktop using one core
  If you wanted to do it in a minute, it would cost less than a dollar on Amazon EC2

Brute force is obviously viable
The crypto algorithm is proprietary
  It works in a linear fashion from beginning to end
  Each step is a rotate and an XOR
  Key material is poorly distributed
If you know plaintext in the card, it's trivial to determine the sitecode used to encrypt it

Let's look at the card format
  16-bit ident value
    Identifier for the door combined with the card copy field
  8-bit flags byte
  16-bit expiration date
  8-bit authorizations byte
  24-bit zeros
  24-bit code key value

Card plaintext

Ident values may be predictable
  We do know the card copy field that takes up a few of the lower bits of the ident field
  And when the doors are added to the encoder, they're added in a specific order and spaced out logically
  Very possible that this could be guessed, though validating it is next to impossible without outside info
We can't know the code key value
  24-bit space, effectively randomly distributed
But we know the expiration date and the zero bytes

If you get two cards when you check into a hotel
  The ident value will be separated by one
If you get a card for a room, then get a new card for it (e.g. lost the old one)
  The code key value will be incremented by one

All of this gives us enough plaintext to determine the sitecode
  Read in a couple of cards with known properties
  Bruteforce the sitecode and decrypt the cards
  Check to see that those properties are upheld in the plaintext
Given the properties of the crypto, full brute force should not be necessary
  Should be able to figure out which bits of the sitecode are correct and which are not
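The card layout and the check-in/reissue rules above, together with the 32-bit keyspace arithmetic from the Card cryptography slides, as one worked example. This is added code written in Go for this edit; it is not from the talk or from the released paper. It parses the 96-bit card plaintext in the field order the slides give, applies the two consistency rules a correctly decrypted pair of cards must satisfy, and tallies how many plaintext bits are predictable before any sitecode is tried. Big-endian packing, the 12-byte total, the sample field values and the 2-bit width of the card-copy field are assumptions; the proprietary cipher is not on the slides and is not implemented here.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// CardPlaintext holds the decrypted card fields in the order the slides give:
// 16-bit ident, 8-bit flags, 16-bit expiration date, 8-bit authorizations,
// 24 zero bits, 24-bit code key (96 bits, 12 bytes). Field order and widths
// are from the slides; big-endian packing is an assumption made for this example.
type CardPlaintext struct {
	Ident      uint16
	Flags      uint8
	Expiration uint16
	Auths      uint8
	CodeKey    uint32 // only the low 24 bits are significant
}

const (
	CardLen      = 12 // assumed: 96 bits packed into whole bytes
	SitecodeBits = 32 // the sitecode is a 32-bit value (slides)
)

// Parse unpacks a 12-byte plaintext. A non-zero "zeros" field is rejected:
// that field is the first known-plaintext check a wrong key would fail.
func Parse(b []byte) (CardPlaintext, error) {
	var c CardPlaintext
	if len(b) != CardLen {
		return c, fmt.Errorf("card plaintext must be %d bytes, got %d", CardLen, len(b))
	}
	if b[6] != 0 || b[7] != 0 || b[8] != 0 {
		return c, errors.New("zero field is not all zero")
	}
	c.Ident = binary.BigEndian.Uint16(b[0:2])
	c.Flags = b[2]
	c.Expiration = binary.BigEndian.Uint16(b[3:5])
	c.Auths = b[5]
	c.CodeKey = uint32(b[9])<<16 | uint32(b[10])<<8 | uint32(b[11])
	return c, nil
}

// Pack is the inverse of Parse; bytes 6..8 are left as the zero field.
func Pack(c CardPlaintext) []byte {
	b := make([]byte, CardLen)
	binary.BigEndian.PutUint16(b[0:2], c.Ident)
	b[2] = c.Flags
	binary.BigEndian.PutUint16(b[3:5], c.Expiration)
	b[5] = c.Auths
	b[9] = byte(c.CodeKey >> 16)
	b[10] = byte(c.CodeKey >> 8)
	b[11] = byte(c.CodeKey)
	return b
}

// CheckinPairConsistent applies the slides' rule for two cards issued
// together at check-in: their ident values are separated by exactly one.
func CheckinPairConsistent(a, b CardPlaintext) bool {
	d := int(a.Ident) - int(b.Ident)
	return d == 1 || d == -1
}

// ReissueConsistent applies the rule for a replacement card for the same
// room: the new code key value is the old one plus one (within 24 bits).
func ReissueConsistent(old, replacement CardPlaintext) bool {
	return replacement.CodeKey == (old.CodeKey+1)&0xFFFFFF
}

// KnownPlaintextBits counts the plaintext bits a guesser can predict before
// decrypting: the 24 zero bits always, the 16-bit expiration date when the
// checkout date is known, and the card-copy bits at the bottom of the ident
// field (the slides say "a few"; the count is a parameter here).
func KnownPlaintextBits(expirationKnown bool, copyFieldBits int) int {
	n := 24
	if expirationKnown {
		n += 16
	}
	return n + copyFieldBits
}

// BruteForceMinutes turns the slides' figures (32-bit key, about 2 million
// trial decryptions per second for a naive implementation) into the time a
// full key search takes on one core.
func BruteForceMinutes(ratePerSecond float64) float64 {
	return float64(uint64(1)<<SitecodeBits) / ratePerSecond / 60
}

func main() {
	// Constructed sample cards; the values are illustrative only.
	first := CardPlaintext{Ident: 0x0104, Flags: 0x01, Expiration: 0x2A5C, Auths: 0x00, CodeKey: 0x03E8F1}
	second := first
	second.Ident++ // the second card handed over at check-in
	replacement := first
	replacement.CodeKey++ // a card re-issued for the same room later

	fmt.Println("check-in pair consistent:", CheckinPairConsistent(first, second))
	fmt.Println("reissue consistent:", ReissueConsistent(first, replacement))
	back, err := Parse(Pack(first))
	fmt.Println("round trip ok:", err == nil && back == first)
	fmt.Printf("predictable plaintext: %d of 96 bits, against a %d-bit key\n",
		KnownPlaintextBits(true, 2), SitecodeBits)
	fmt.Printf("full sitecode search at 2M/s: %.1f minutes\n", BruteForceMinutes(2e6))
}
```

With the expiration date known, 42 of the 96 plaintext bits are fixed before any key is tried, more than the 32 bits of sitecode. That is why a search that checks these fields settles on a single sitecode rather than a crowd of candidates, and it is the concrete content of "enough plaintext" on the slide. The 35.8 minutes printed for one core is the slides' "about 35 minutes".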

Audit reports considered harmful

Given all the vulnerabilities present in this system, the audit report is unquestionably untrustworthy
And this is all assuming that it isn't also possible to write to memory, in addition to reading

Demonstration

Opening a lock with an Arduino

Release

The paper is being released in a beta form
  It will be available and updated at http://daeken.com/
  Full details on the opening device, as well as protocol specifications, crypto code, etc. are included
There's 3 years of work to release
  This talk only shows a tiny section of it
  The paper includes a lot already and will get bigger and bigger as time goes on

Mitigation

At the moment there's no mitigation, but there are possibilities

Direct memory access
  Redesign the lock to provide a safe interface for programming
  Update the portable programmer to be compatible

Cryptography
  Switch to a larger key and an industry standard algorithm like AES
  Update encoders and locks
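The cryptography item of the mitigation list above as a worked example, added here and written in Go for this edit (not code from the talk or from Onity): the 32-bit sitecode is replaced by a 128-bit property key and each card body is sealed with AES-GCM, so a lock verifies an authentication tag before it trusts any field on the card. The key, the door ident and the card body are constructed values; binding the door ident as associated data is a design choice beyond what the slides list. The last function contrasts how long a full key search takes at the slides' 2 million trials per second for the two key sizes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math"
)

// PropertyKeyBits is the size of the AES-128 property key that stands in
// for the 32-bit sitecode in this example.
const PropertyKeyBits = 128

// EncodeCard seals the card plaintext under the property key with AES-GCM and
// returns nonce || ciphertext || tag. The door's ident is bound as associated
// data (a design choice added here, not from the slides) so a card sealed for
// one door is rejected by every other door even if its bytes are copied.
func EncodeCard(key []byte, doorIdent uint16, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, identAAD(doorIdent)), nil
}

// DecodeCard is what the lock would run on every swipe: it opens the card
// under the property key and refuses any card whose tag does not verify,
// whether it was forged, bit-flipped, or sealed for a different door.
func DecodeCard(key []byte, doorIdent uint16, card []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(card) < ns+gcm.Overhead() {
		return nil, errors.New("card too short to carry a nonce and tag")
	}
	return gcm.Open(nil, card[:ns], card[ns:], identAAD(doorIdent))
}

// newGCM builds the AEAD and enforces the 128-bit key length.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key)*8 != PropertyKeyBits {
		return nil, fmt.Errorf("property key must be %d bits", PropertyKeyBits)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// identAAD encodes the door ident as the associated data the tag covers.
func identAAD(ident uint16) []byte { return []byte{byte(ident >> 8), byte(ident)} }

// YearsToSearch gives the time to try every key of the given size at the
// given rate; compare the slides' 32-bit sitecode with a 128-bit AES key.
func YearsToSearch(keyBits int, ratePerSecond float64) float64 {
	return math.Pow(2, float64(keyBits)) / ratePerSecond / (365 * 24 * 3600)
}

func main() {
	// Constructed 128-bit property key and a constructed 12-byte card body.
	key := []byte("example-prop-key") // exactly 16 bytes; illustrative only
	body := []byte{0x01, 0x04, 0x01, 0x2A, 0x5C, 0x00, 0, 0, 0, 0x03, 0xE8, 0xF1}

	card, err := EncodeCard(key, 0x0104, body)
	if err != nil {
		panic(err)
	}
	if _, err := DecodeCard(key, 0x0104, card); err == nil {
		fmt.Println("genuine card accepted by its door")
	}
	if _, err := DecodeCard(key, 0x0105, card); err != nil {
		fmt.Println("same card rejected by the neighbouring door:", err)
	}
	card[len(card)-1] ^= 0x01 // one flipped bit anywhere breaks the tag
	if _, err := DecodeCard(key, 0x0104, card); err != nil {
		fmt.Println("tampered card rejected:", err)
	}
	fmt.Printf("32-bit key at 2M/s: %.5f years; 128-bit key: %.3g years\n",
		YearsToSearch(32, 2e6), YearsToSearch(PropertyKeyBits, 2e6))
}
```

Authenticated encryption does more than enlarge the keyspace. Under the sitecode scheme any card content decrypts to something and the lock can only guess from the zero field whether it is genuine; with a verified tag a bit-flipped or wrong-door card is rejected before any field is read. Getting the property key into every lock is the deployment cost the next slides describe, and this example does not remove it.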

The biggest impediment to mitigation is that the locks are not upgradeable
  At the very least, the circuit boards in over 4 million locks would have to be replaced
  The PP is not much better off, but the EPROM can be changed
Given the substantial changes that would be required, it would be impossible to replace the locks without replacing all of the equipment at the front desk as well
  And all of the locks at a property would have to be replaced at the same time
This all adds up to a very substantial cost

Future work

There's a lot of work still to be done

Cryptography
  A cryptographer would likely be able to make significant progress towards simplifying and breaking the crypto algorithm beyond what was presented here

Protocol
  It is believed that the PP initializes/updates the lock via direct memory writes, but this is not reversed

Memory
  The complete memory maps of all of the locks are not available

CT locks
  The Onity CT (commercial) locks may be vulnerable to the same sort of issues detailed here, but this has not been tested

Recap

Arbitrary memory access
  Gives us the sitecode
    Open the lock instantly
    Or create cards to open the other locks at the property
      Including the programming card skeleton keys
  Completely unauthenticated
Cryptography is broken
  Tiny keyspace
  Proprietary algorithm leaks data

Questions?
