Bhtalk 2
- Cody Brocious
Intro
- This talk is all about the Onity HT lock system for hotels
- Over 4 million locks are installed in hotels
- On the market since 1993
- Every one is vulnerable
Design
Primary components:
- Encoder: makes keycards, loads data into the Portable Programmer
- Portable Programmer (PP): loads data into the lock, opens locks
- Lock: in this talk, we'll be focused on standard guest room door locks
Sitecode:
- All equipment in the hotel knows it
- Used primarily as an encryption key
- Hidden, even from property owners
Portable Programmer
- Initialize: load data into the lock for the first time
- Update: update the time and data in the lock
- Test: shows diagnostic data about the lock
- Read openings: reads the audit report from the lock
- Open: opens the lock
Lock communications
- The PP attaches to a port on the bottom of the front face of the lock
- The port is accessible without removing any hardware
- Communication happens over a one-wire protocol, the other wire being a shared ground
- Pulses are sent at regular intervals while communicating
- If one side wants to transmit a bit, it does so by pulling the line low between those pulses
- That indicates a 1 bit
- (Figure: a zero and a one, specifically; red pulses are from the master, the black pulse is from the lock)
Hardware
- An Arduino or other microcontroller
- A 5.6k pull-up resistor from the 3.3v line to your data line
- The DC barrel plug to physically mate with the lock
- This, depending on the board you get, can be $20 or less from Radioshack
Reading memory
- Given an address, the lock will send back 16 bytes of memory from that point
- Given the sitecode for the property, the lock will open
- If you can read the memory, the keys to the castle are there
Authentication
- ...
Memory
- Knowing how to read memory is irrelevant if you don't know what to read
- But every guest room lock has its data at the same addresses
- Exterior entry doors are different, but you can detect the type and act based on that
- Given that, you can decrypt or encrypt your own cards
- Or you can go the direct route, and just use the sitecode with the open command on the lock
Open command
- Complete time for reading the memory and opening the lock is about 200 milliseconds
- This can be longer if you need to try different addresses, due to supporting multiple door types
- Creates an entry in the audit report that shows the PP having been used to open the lock
- But it doesn't alter any data on the lock or inhibit normal functioning
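One defensive use of that audit entry, as an added example that is not from the talk or from Onity: a small checker that parses a constructed, hypothetical audit report export and flags PP opens on doors with no maintenance ticket, or outside a maintenance window. The line format, field names and method values are assumptions, since the talk does not describe the real export.

```python
# Added example (not from the talk, not Onity's software): flag portable
# programmer (PP) opens in a lock audit report. The line format below is a
# constructed, hypothetical export; the talk does not describe the real one.
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class AuditEntry:
    ts: datetime
    door: str
    method: str   # constructed values: GUEST_CARD, MASTER_CARD, PP_OPEN
    detail: str

def parse_audit(text):
    """Parse 'timestamp | door | method | detail' lines (constructed format)."""
    entries = []
    for line in text.strip().splitlines():
        ts, door, method, detail = (f.strip() for f in line.split("|", 3))
        entries.append(AuditEntry(datetime.fromisoformat(ts), door, method, detail))
    return entries

def suspicious_pp_opens(entries, ticketed_doors=frozenset(),
                        window=(time(9, 0), time(17, 0))):
    """Return PP_OPEN entries with no maintenance ticket for the door, or outside
    the maintenance window. Per the talk this entry is the only trace the lock
    keeps of a PP open, and only if lock memory was not rewritten as well."""
    flagged = []
    for e in entries:
        if e.method != "PP_OPEN":
            continue
        in_window = window[0] <= e.ts.time() <= window[1]
        if e.door not in ticketed_doors or not in_window:
            flagged.append(e)
    return flagged

# Constructed sample report: one ticketed daytime PP open, one 02:47 PP open
SAMPLE_REPORT = """
2012-07-25T14:02:11 | 1204 | GUEST_CARD  | guest card accepted
2012-07-25T15:30:00 | 1204 | PP_OPEN     | portable programmer open
2012-07-26T02:47:53 | 1207 | PP_OPEN     | portable programmer open
2012-07-26T08:15:20 | 1207 | MASTER_CARD | housekeeping master
"""

if __name__ == "__main__":
    for e in suspicious_pp_opens(parse_audit(SAMPLE_REPORT), {"1204"}):
        print("review PP open:", e.ts, "door", e.door)
```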
Memory
- Guest code
  - Make your own guest card for the door
- Master codes
  - Make copies of any master card programmed into the lock
  - This won't necessarily get you into every lock at the property
- Programming cards
  - One code is loaded into every lock at the property
  - Used for cases where the encoder is out of service
  - A programming card is put into the lock, then a 'spare' card is put into the lock
  - Hotels keep dozens of these on file in case of front desk system issues
  - We can read this code from memory and make a skeleton key
Card cryptography
- As a reminder, this is only 32-bit
- A naïve implementation of the crypto algorithm trivially gives you 2 million card encrypts or decrypts per second
- That means that trying every sitecode on a key would take about 35 minutes on a normal desktop using one core
- If you wanted to do it in a minute, it would cost less than a dollar on Amazon EC2
- It works in a linear fashion from beginning to end
- Each step is a rotate and an XOR
- Key material is poorly distributed
- If you know plaintext in the card, it's trivial to determine the sitecode used to encrypt it
Card plaintext
- Ident: identifier for the door combined with the card copy field
- 8-bit flags byte
- 16-bit expiration date
- 8-bit authorizations byte
- 24-bit zeros
- 24-bit code key value
- We do know the card copy field, which takes up a few of the lower bits of the ident field
- And when the doors are added to the encoder, they're added in a specific order and spaced out logically
- Very possible that this could be guessed, though validating it is next to impossible without outside info
- If you get a card for a room, then get a new card for it (e.g. lost the old one)
- Read in a couple of cards with known properties
- Bruteforce the sitecode and decrypt the cards
- Given the properties of the crypto, full brute force should not be necessary
- Should be able to figure out which bits of the sitecode are correct and which are not
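The last two bullets, together with the earlier point that every step of the card crypto is a rotate and an XOR, can be shown on a toy. This is an added example of my own construction, not Onity's algorithm or the talk's code: a 32-bit block cipher built only from rotates and XORs of a 32-bit key, and a known-plaintext key recovery that solves for the key as a 32x32 linear system over GF(2), so every key bit is determined from one plaintext/ciphertext pair instead of by 2^32 trials. The rotation schedule and all constants are assumptions.

```python
# Added example, not Onity's algorithm: a toy 32-bit block cipher built only from
# rotates and XORs with key material (constructed here), plus a known-plaintext
# key recovery that exploits its linearity over GF(2).
MASK = 0xFFFFFFFF
ROT = [5, 3, 5, 3, 5, 3, 5, 3]   # per-round rotation amounts (constructed)
ROUNDS = len(ROT)

def rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK

def encrypt(plain, key):
    """Whitening XOR, then each round rotates the state and XORs in a rotated key."""
    s = plain ^ key
    for i in range(ROUNDS):
        s = rotl(s, ROT[i]) ^ rotl(key, i)
    return s

def decrypt(cipher, key):
    s = cipher
    for i in reversed(range(ROUNDS)):
        s = rotl(s ^ rotl(key, i), 32 - ROT[i])
    return s ^ key

def recover_key(plain, cipher):
    """Known-plaintext attack on the toy cipher. Every step is GF(2)-linear, so
    encrypt(P, K) = A(P) ^ B(K) for fixed linear maps A and B. Hence
    B(K) = C ^ A(P), and K follows from one 32x32 elimination, not 2^32 trials."""
    target = cipher ^ encrypt(plain, 0)              # A(P) = encrypt(P, 0)
    cols = [encrypt(0, 1 << j) for j in range(32)]    # B(e_j) for each key bit j
    # One row per output bit r: (bitmask of key bits it depends on, rhs bit)
    rows = [(sum(((cols[j] >> r) & 1) << j for j in range(32)), (target >> r) & 1)
            for r in range(32)]
    for j in range(32):                               # Gauss-Jordan over GF(2)
        piv = next((r for r in range(j, 32) if (rows[r][0] >> j) & 1), None)
        if piv is None:
            raise ValueError("singular system: key bit %d is not determined" % j)
        rows[j], rows[piv] = rows[piv], rows[j]
        for r in range(32):
            if r != j and (rows[r][0] >> j) & 1:
                rows[r] = (rows[r][0] ^ rows[j][0], rows[r][1] ^ rows[j][1])
    return sum(rows[j][1] << j for j in range(32))    # row j now reads K_j = rhs

if __name__ == "__main__":
    key, plain = 0xC0DEC0DE, 0x12345678
    c = encrypt(plain, key)
    print(hex(c), hex(recover_key(plain, c)), hex(decrypt(c, key)))
```

With the rotation schedule chosen here the key map B is invertible (its nine rotation terms give an odd-weight polynomial modulo x^32 + 1), which is why the elimination always finds a pivot; a schedule where terms cancel would leave some key bits undetermined and the function raises instead of guessing.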
- Given all the vulnerabilities present in this system, the audit report is unquestionably untrustworthy
- And this is all assuming that it isn't also possible to write to memory, in addition to reading
Demonstration
Release
- It will be available and updated at http://daeken.com/
- Full details on the opening device, as well as protocol specifications, crypto code, etc. are included
- There's 3 years of work to release
- This talk only shows a tiny section of it
- The paper includes a lot already and will get bigger and bigger as time goes on
Mitigation
- Redesign the lock to provide a safe interface for programming
- Update the portable programmer to be compatible
- Cryptography: switch to a larger key and an industry standard algorithm like AES; update encoders and locks
- At the very least, the circuit boards in over 4 million locks would have to be replaced
- The PP is not much better off, but its EPROM can be changed
- Given the substantial changes that would be required, it would be impossible to replace the locks without replacing all of the equipment at the front desk as well
- And all of the locks at a property would have to be replaced at the same time
- This all adds up to a very substantial cost
Future work
- Cryptography: a cryptographer would likely be able to make significant progress towards simplifying and breaking the crypto algorithm beyond what was presented here
- Protocol: it is believed that the PP initializes/updates the lock via direct memory writes, but this has not been reversed
- Memory: the complete memory maps of all of the locks are not available
- CT locks: the Onity CT (commercial) locks may be vulnerable to the same sort of issues detailed here, but this has not been tested
Recap
- Open the lock instantly
- Or create cards to open the other locks at the property
Questions?