RECALL’S SECURITY RISKS
Is accepting Onity’s hacked lock solution the best decision for hoteliers?
by NATHAN GREENHALGH, ASSOCIATE EDITOR
With millions of Onity guestroom locks at risk of being broken into with a publicly accessible hack, the hotel industry has a choice.
Hotel owners could take on the lock company in court for its locks’ vulnerability, or accept Onity’s offer to upgrade the faulty locks and forgo a legal challenge should the locks again be hacked. So far, they are choosing the latter.
It all started when Cody Brocious, a computer security researcher and Mozilla software developer, revealed at the Black Hat USA 2012 security conference in July that he had discovered a hack that could open Onity guestroom locks in a matter of seconds using an Arduino, a single-board microcontroller that can fit into an iPhone case or even a dry erase marker. Brocious’ presentation is available on his website at daeken.com/blackhat-paper.
Afterward, Brocious tried the technique at New York City hotels with Forbes reporter Andy Greenberg. Although it proved unreliable, it sparked a movement on YouTube of tinkerers posting updated, more reliable versions of the hack. Before long, criminals caught on.
There has already been one burglary case allegedly involving the hacking of Onity locks in the United States, when in November 2012, Matthew Allen Cook was arrested in Houston for allegedly robbing guestrooms at the 147-room Hyatt House Houston Galleria.
Question of liability
To upgrade the locks, hotel owners are accepting a deal from Onity that offers a free mechanical fix for all its locks and a free technical fix for locks installed after 2005, but the fix “is conditioned on the franchisee’s acknowledgement that Onity does not guarantee a lock’s invulnerability to hacking,” according to a Marriott International internal memo to franchisees.
Jim Butler, partner and chair of the Global Hospitality Group at the Jeffer Mangels Butler & Mitchell law firm, says the liability release is not unusual. “With all factors considered, the Onity offer seems to be a fair one for everyone,” Butler says. “The lock worked fine for its intended purpose for a number of years until July 2012 when the flaw was first exposed by hackers and has since been refined and exploited by criminals. Good business dispute resolutions generally reflect a realistic assessment of each party’s potential legal exposure to the other. Many of the affected hotels would face significant cost and effort to sue Onity for a