Hotel Locks Easily Hacked

As someone who always travels with a laptop, smartphone, and other expensive toys, and who spends a bit of time staying in hotels from time to time, I am always reluctant to leave my trove in the room, usually opting to take my laptop with me and keep it locked in the car trunk (like that is really more secure).

We recently stayed at a Holiday Inn in Rochester, MN, where this issue was brought to mind.  The keys that the registration desk gave us would not open our room.  Replacement keys did not do the trick either, and the maintenance engineer arrived with a master key which also did not work.  Then he used another key to reset the logic in the lock and presto – all of our keys worked again.  He mentioned casually that someone had been through the hotel with a reset key and they weren’t sure how many locks had been affected.  This caused my paranoia alarm to go off big time – someone had been breaking into rooms???  Or maybe they had been trying, but without much success?

Today I read an article on TechDirt that explains how $50 worth of hardware can get you into almost any hotel room in America.  There is a companion article about this hack on Forbes.  If you are into the details, please click through to the articles and continue.  My message here is this:  that lock on the hotel room door can be breached, and the method has been published online and is openly available.

The company that manufactures these locks has stepped up with some repairs to cover the data ports and replace the simple screws with more challenging Torx screws and replacement logic on new circuit boards.  The problem is that they are charging the hotels for this fix, and we can assume that some hotels will skip the upgrade “until it becomes necessary.”  (Like when they are sued by a guest.)  In the meantime, you might want to make sure your valuables do not stay in the room when you are not there.  Keep them with you in your locked car trunk, or leave them with the front desk and let them keep them locked up for you.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
