Friday 24 August 2012

Onity HT hotel lock vulnerability revealed

Key point:
The system’s vulnerability arises, Brocious says, from the fact that every lock’s memory is entirely exposed to whatever device attempts to read it through that port. Though each lock has a cryptographic key that’s required to trigger its “open” mechanism, that string of data is also stored in the lock’s memory, like a spare key hidden under the welcome mat. So it can be immediately accessed by Brocious’s own spoofed portable device and used to open the door a fraction of a second later.
As the hacker (Brocious) pointed out, due to the nature of the security gap, the chances are excellent that it has already been discovered and exploited independently by others. It was just a matter of time before somebody decided to publish and (possibly) be damned.
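A toy model of the design flaw described above, set beside a design that keeps the key inside the device. This is an added example, not code from the article, Brocious or Onity; the class names, memory layout, sample key and the HMAC challenge-response are assumptions for illustration, not the real lock protocol.

```python
import hashlib
import hmac
import secrets

MEM_SIZE, KEY_ADDR = 64, 0x10  # constructed layout, not the real lock's


class ExposedPortLock:
    """The flaw: the port serves any address, and the open key sits in that memory."""

    def __init__(self, open_key: bytes):
        self.memory = bytearray(MEM_SIZE)
        self.memory[KEY_ADDR:KEY_ADDR + len(open_key)] = open_key

    def read(self, addr: int, length: int) -> bytes:
        return bytes(self.memory[addr:addr + length])  # no authentication, no filtering


class ChallengeResponseLock:
    """Hypothetical fix: the key never crosses the port; the caller proves it holds it."""

    def __init__(self, open_key: bytes):
        self._key = open_key
        self._nonce = None

    def read(self, addr: int, length: int) -> bytes:
        raise PermissionError("raw memory reads are not offered on the port")

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def open(self, response: bytes) -> bool:
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # single use, so a recorded response cannot be replayed
        return hmac.compare_digest(response, expected)


def port_exposes_key(lock, open_key: bytes) -> bool:
    """Design-review check: does anything readable over the port contain the key?"""
    try:
        return open_key in lock.read(0, MEM_SIZE)
    except PermissionError:
        return False


KEY = bytes.fromhex("a1b2c3d4e5f60718")  # constructed sample key
print(port_exposes_key(ExposedPortLock(KEY), KEY))        # True
print(port_exposes_key(ChallengeResponseLock(KEY), KEY))  # False
```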

Another article, this time from The Register.

The vendor has responded with several press releases and a risk mitigation plan. These are quoted and discussed at Brocious' blog. His comments are incisive and informative.

My opinion: it is hard to design and develop a PACS device which is user-friendly and affordable AND which satisfies a reasonable security target for the intended application. Corners are cut, things are swept under the carpet - it happens. But it should not be considered acceptable. Due to the nature of the market for security products and services, stakes and demands are higher than in e.g. a commodity market. The customer is aware of this, and they willingly pay commensurate prices for the assurance that they will receive products which are fit for the intended purpose. Looking at the above articles, I would say Onity's HT line does not meet this requirement.

The only way to avoid situations like this is through proactive planning:
  1. the vendor must ensure that the project development leader makes security a part of the design from the beginning;
  2. the security of the product must be evaluated and certified by an independent external agency;
  3. potential weaknesses must be identified and a mitigation plan must be established before releasing the product into the wild.
Onity appears to have invested heavily in the approach of too-little, too-late mitigation.