Hotel Locks Easily Hacked

As someone always travels with a laptop, smartphone, and other expensive toys, and who spends a bit of time staying in hotels from time to time, I am always reluctant to leave my trove in the room, usually opting to take my laptop with me and keep it locked in the car truck (like that is really more secure.)

We recently stayed at a Holiday Inn in Rochester MN where this issue was brought to mind.  The keys that the registration desk gave us would not open our room.  Replacement keys did not do the trick either, and the maintenance engineer arrived with a master key which also did not work.  Then he used another key to reset the logic in the lock and presto – all of our keys worked again.  He mentioned casually that someone had been through the hotel with a reset key and they weren’t sure how many locks had been affected.  This caused my paranoia alarm to go off big time – someone had been breaking into rooms???  Or maybe they had been trying, but without much success?

Today I read an article on TechDirt that explains how $50 worth of hardware can get you into almost any hotel room in America.  There is a companion article about this hack on Forbes.  If you are into the details, please click through to the articles and continue.  My message here is this:  that lock on the hotel room door can be breached, and the method has been published online and is openly available.

The company that manufactures these locks has stepped up with some repairs to cover the data ports and replace the simple screws with more challenging Torx screws and replacement logic on new circuit boards.  The problem is that they are charging the hotels for this fix, and we can assume that some hotels will skip the upgrade “until it becomes necessary.”  (Like when they are sued by a guest.)  In the meanwhile, you might want to make sure your valuables do not stay in the room when you are not there.  Keep them with you in your locked car truck, or leave them with the front desk and let them keep them locked up for you.


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment