Vulnerable keycard locks linked to Texas hotel room burglaries

lock security

A string of break-ins and thefts at Texas hotels using vulnerable Onity keycard locks has left security firms concerned that the issue "will only get bigger." The technique was first unveiled by programmer Cody Brocious at Black Hat in July, and involves hacking the card reader system using less than $50 in equipment that can easily be concealed in an iPhone case or dry erase marker.

Janet Wolf's laptop was stolen from her locked room in the Houston Hyatt in September, Forbes reports. While police won't release information on how the room was broken into, Hyatt franchisee White Lodging believes the room was accessed using Brocious' hack. Insurance company Petra Risk Solutions also released an alert in mid-October stating that "multiple rooms at several hotels" had been broken into potentially using this technique, and that similar incidents had occurred in Florida.

Onity released a statement on August 13th saying that it would provide hotels with a way to plug the port hackers use to access the lock, and switch to less common Torx screws to make the lock harder to open. Onity also offers a control board replacement to counter the vulnerability, but requires hotels to pay for shipping, handling, and installation. Petra Risk Solutions' Todd Seiders told Forbes that over 80 percent of the company's customers have implemented some form of fix, but due to ignorance or financial concerns, there are likely many hotels that remain open to this line of attack.

The Verge
Log In Sign Up

Log In Sign Up

Forgot password?

We'll email you a reset link.

If you signed up using a 3rd party account like Facebook or Twitter, please login with it instead.

Forgot password?

Try another email?

Almost done,

By becoming a registered user, you are also agreeing to our Terms and confirming that you have read our Privacy Policy.



Choose an available username to complete sign up.

In order to provide our users with a better overall experience, we ask for more information from Facebook when using it to login so that we can learn more about our audience and provide you with the best possible experience. We do not store specific user data and the sharing of it is not required to login with Facebook.