Hotel Locks Easily Hacked

As someone always travels with a laptop, smartphone, and other expensive toys, and who spends a bit of time staying in hotels from time to time, I am always reluctant to leave my trove in the room, usually opting to take my laptop with me and keep it locked in the car truck (like that is really more secure.)

We recently stayed at a Holiday Inn in Rochester MN where this issue was brought to mind.  The keys that the registration desk gave us would not open our room.  Replacement keys did not do the trick either, and the maintenance engineer arrived with a master key which also did not work.  Then he used another key to reset the logic in the lock and presto – all of our keys worked again.  He mentioned casually that someone had been through the hotel with a reset key and they weren’t sure how many locks had been affected.  This caused my paranoia alarm to go off big time – someone had been breaking into rooms???  Or maybe they had been trying, but without much success?

Today I read an article on TechDirt that explains how $50 worth of hardware can get you into almost any hotel room in America.  There is a companion article about this hack on Forbes.  If you are into the details, please click through to the articles and continue.  My message here is this:  that lock on the hotel room door can be breached, and the method has been published online and is openly available.

The company that manufactures these locks has stepped up with some repairs to cover the data ports and replace the simple screws with more challenging Torx screws and replacement logic on new circuit boards.  The problem is that they are charging the hotels for this fix, and we can assume that some hotels will skip the upgrade “until it becomes necessary.”  (Like when they are sued by a guest.)  In the meanwhile, you might want to make sure your valuables do not stay in the room when you are not there.  Keep them with you in your locked car truck, or leave them with the front desk and let them keep them locked up for you.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.