TECHNOLOGY : EYEBROW SECURITY free replacement or damages , and might well lose . Hoteliers mostly want to fix the problem as soon as possible to avoid future liability . A speedy fix of all vulnerable locks protects hotel guests and prevents them from becoming plaintiffs against hoteliers or Onity .”
However , owners may be accepting Onity ’ s fix at their own financial peril if the locks remain vulnerable afterward . While U . S . hotels are protected by legal limits to property theft liability , they are not protected from liability for the physical assault of a guest enabled by a guestroom lock failure . “ If someone gets raped or stabbed in their hotel room , that is a multimillion-dollar claim if the doors were locked and a hacking device was used , and a hotelier will have a hard time defending against that lawsuit ,” says Todd Seiders , director of risk management at Petra Risk Solutions , a Cerritos , California-based insurance broker for the hospitality industry .
Onity ’ s solutions Major brands such as IHG and Marriott International say they are directing franchisees to work with Onity to implement solutions .
“ As a primarily franchised hotel company , we have advised our hotels to work directly with Onity to monitor , and expedite if possible , delivery of their lock solutions ,” IHG said in a press statement . “ IHG is requiring all affected hotels worldwide to implement Onity solutions .”
Onity , Duluth , Georgia — a subsidiary of United Technologies Corp ., Hartford , Connecticut — says it has already shipped 1.4 million solutions for locks to hotel properties as of November 30 , 2012 . “ Onity engineers developed both mechanical and technical solutions , which have been tested and validated by two independent security firms . These solutions began shipping to customers in August 2012 ,” Onity said in a press statement .
The free mechanical solution involves capping the port the hacker accessed with Torx screws . According to the Marriott memo , as a technical solution Onity is offering to send refurbished upgraded circuit boards to replace those in affected locks installed post-2005 for a free reimbursement . Owners will have to pay for Onity to send replacements for locks installed pre-2005 .
When contacted by HOTELS for this article , Onity declined to comment beyond what was stated in its press release .
How secure is the fix ? Other vendors such as OpenWays are also offering fixes for the Onity locks and criticizing both the mechanical and technical fixes Onity is offering .
OpenWays points out that a robber could bypass the mechanical fix by using a T-10 screwdriver to remove the cap blocking the port . “ The mechanical solution is a laughingstock — a 12-year-old could defeat that ,” says Tom Daly , principal , The Hospitality Security Consulting Co ., Reno , Nevada .
OpenWays also describes the technical fix as only a Band-Aid , arguing in a white paper critical of Onity ’ s solutions that “ without changing the entire authentication process between the portable programmer and the lock it is simply a matter of time until the hacker community defeats this fix , as the direct access to the lock control board has not been effectively prevented .”
Hotel technology consultants point out that Onity ’ s locks could remain in the crosshairs of hackers , who may soon crack the technical solution Onity is offering .
“ The combination of the portable programmer , direct memory access , small crypto key and no cryptography whatsoever on the ‘ spare ’ cards does not sound like something fixable with a little software upgrade ,” says Robert Cole , hotel technology consultant and founder of RockCheetah , Menomonee Falls , Wisconsin . “ I think that hackers will be eagerly awaiting every software patch to claim bragging rights on being the first one to hack it .”
One outcome from the exposure of magnetic stripe locks — now a two-decade-old technology — to this hacking may be the installation of more radio-frequency identification ( RFID ) guestroom locks . These newer locks typically feature a higher bit level encryption .
“ The exposure of the security flaw in a specific brand has created a crisis for the industry due to the widespread use of these locks around the world . It has also created an unwelcome expense and risk for hoteliers ,” says Bill Oliver , president – North America for hotel lock manufacturer VingCard Elsafe . “ The most reliable ‘ fix ’ for affected properties is to upgrade their locking systems by replacing them entirely .”
“ MANY OF THE AFFECTED HOTELS WOULD FACE SIGNIFICANT COST AND EFFORT TO SUE ONITY FOR A FREE REPLACEMENT OR DAMAGES , AND MIGHT WELL LOSE .”
– JIM BUTLER , GLOBAL HOSPITALITY GROUP , JEFFER MANGELS BUTLER & MITCHELL
www . hotelsmag . com January / February 2013 HOTELS 49