The bad news: the fix requires hardware changes to every affected lock. And for hotels that want more than a bandaid-style repair, Onity wants its customers to pay for it.
Earlier this week, Onity issued a statement responding to last month's presentation at the Black Hat security conference by Cody Brocious, a Mozilla developer who showed that he was able to insert a device he built for less than $50 into the data port on the underside of Onity's locks, read their memory to find a decryption key, and use it to gain access to the lock's firmware and trigger its open command in a matter of seconds.
The company's response to that epic security bug has two parts, a quick fix and a more rigorous one, both of which it plans to make available by the end of August. First, it's issuing caps that cover the data port Brocious's hack exploited, which can only be removed by opening the lock's case. To further stymie hackers who would try to open the locks and remove that cap, it's also sending customers new, more obscure Torx screws to replace those on the cases of installed locks.
The second fix is more substantial: Onity will offer its customers new circuit boards and firmware that ostensibly fix the problems Brocious demonstrated. But Onity is asking owners of some models of its locks to pay a "nominal fee" for the fix, while offering others "special pricing programs" to cover the cost of replacing components. It's also asking its customers to cover the shipping and labor costs of making hardware changes to the millions of locks worldwide.
In its first response to the hack last month, Onity downplayed the flaw as "unreliable, and complex to implement." Indeed, when I tested the hack with Brocious at three New York hotels, it only worked at one of the three.
But since then, two hackers who asked not to have their names revealed have claimed in emails to me that they independently replicated the exploit and refined it, so that it now works on any Onity hotel room lock. Brocious tells me he's spoken with eight or nine hackers who have all been able to replicate his work to some degree.
In a blog post responding to the company's latest statement and fix, Brocious criticized Onity's move to put the financial onus for the fix on its customers after selling them what he's described as fundamentally insecure products. While the free mechanical cap solution could create hurdles for hackers, he says that's only a partial fix until the lock's circuit boards are replaced, something that's not likely to happen if it requires millions of dollars in costs for Onity's customers. "This will not be insignificant, given that the majority of hotels are small and independently owned and operated. Given that it won't be a low cost endeavour, it's not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger," he writes.
"If such a significant issue were to exist in a car, customers would likely expect a complete recall at the expense of the manufacturer," Brocious adds. "I can't help but feel that Onity has the same responsibility to their customers, and to customers staying in hotels protected by Onity locks."