News for the Hospitality Executive
Chicago — November 20, 2012 — Aftermath from the recent security breach impacting more than four million electronic door locks installed worldwide continues to wreak havoc on the hotel industry. The breach was first disclosed by Forbes.com and presented at the BlackHat security conference in July; hacker Cody Brocious released the necessary technical information and code on his website (http://daeken.com/) to override an Onity lock by using tools disguised inside both a dry erase marker pen and an iPhone case. Soon afterward, a Crime Alert was issued by a respected hospitality risk management group that reported "actual guestroom burglaries and guest thefts by use of these devices." According to the report: "Multiple rooms have been hit at several hotels."

The casualties don't stop there. On November 5, Brocious published a link on Twitter that facilitated penetration within Onity servers. This made it possible for the criminal community to copy records needed to pinpoint the location of affected hotels that installed the compromised locks. Equally concerning, the infiltrated records provide details that hackers could leverage to perform new attacks via social engineering. Although the breached server access was eventually closed -- it took an extremely long time to re-secure the servers -- criminals would have had plenty of time to copy records from these exposed hotels.

This new attack demonstrates that the hacker remains extremely focused on Onity and is not likely finished with his attacks on the company and its products. Significant media coverage of these attacks is further energizing the entire hacking community, keeping hotels and travelers at risk.

Background of the Attack and Possible Cure

While Onity responded to initial hacker attacks with a proposed plan (http://daeken.com/onitys-plan-to-mitigate-hotel-lock-hack), Brocious publicly challenged the efficiency and security of the possible cure.
To date, the company has not been able to provide a complete end-to-end security audit of its full system conducted by independent and highly reputable security firms. According to security experts, the four-page report provided by Onity is said to be extremely limited, incomplete and inconclusive. Hotels purchasing the proposed replacement control board as a cure remain extremely exposed to a variation of the initial attack, as the fundamental issues of the locking system are still not resolved and continue to be in the public domain.

As part of the proposed plan, hotels are instructed to use a cap secured by a Torx screw. This, however, is only a short-term security solution for affected hotels until a long-term and proven fix developed by the manufacturer is applied to all locks. It is recommended to increase physical security at a property when using this temporary fix.

Several consequential and serious security threats were not published by the hacker, but security experts were able to identify them, further increasing the risk for hotels of new attacks even after having invested in a costly lock control board replacement. To inform qualified hoteliers about these and other risks, a restricted version of a White Paper is made available upon execution of a confidentiality agreement.

Proven, Audited LOCKFIX available from OpenWays

A truly effective alternative cure developed independently from the lock manufacturer is now available from OpenWays, the world leader in mobile-based access management solutions. LOCKFIX is fully audited by several highly reputable security firms, confirming its effectiveness. Management software, along with the Android smartphone application to use LOCKFIX, is available via freeware license (free of charge license) from OpenWays.

"LOCKFIX is the only long-term solution available today to truly cure the affected locks," said Pascal Metivier, OpenWays Founder and CEO. "LOCKFIX addressed the risk related to the incriminated lock communication port breach. It's proven, easy to deploy, highly effective and available immediately from OpenWays."

About OpenWays

OpenWays is a global solutions provider of mobile-based access-management and security solutions. With offices in Chicago, Las Vegas, Seoul and in Europe, OpenWays provides technology solutions allowing for the secure issuance and delivery of access rights and keys processed via any cell phone operating on any network. The OpenWays solution is truly unique as it is built on the concept of credential dematerialization. The OpenWays mobile room key solution works on ALL the 6.5 billion cell phones in service in the world today. For more information, please contact Andrew Sanders at +1 732 707-1869 or email [email protected]. More information can be found by visiting www.OpenWays.com.

OpenWays has developed its cure for the impacted locks independently and no endorsement of the affected lock manufacturer is intended or implied.

(*) Other major non-published security threats were discovered. In the interest of everyone's safety, it is OpenWays policy to not publicly disclose security threats. Such "reserved" information will only be made available to pre-qualified hoteliers.

Contact:
Barb Worcester, PRPRO / OpenWays, Tel: (440) 930-5770, [email protected]
or
Andrew Sanders, OpenWays, Tel: (732) 707-1869, [email protected]