    Keycard system manufacturer charging hotels to fix its hackable locks


    A vulnerability in the keycard systems from Onity was recently revealed, and the company has responded with a solution: letting owners foot the bill for an upgrade.

    We first heard that keycard systems from manufacturer Onity were vulnerable to a hacking attack last month, and the company has confirmed the issue while offering a long-term solution: letting affected hotel owners foot the bill for an upgrade. The vulnerability, which was disclosed by Mozilla software engineer Cody Brocious, consists of hooking into the data port on the underside of certain Onity models; from there one can gain access to the device's decryption key and eventually its firmware.

    In response, Onity is offering two solutions. On the one hand, it will ship out a free mechanical cap that will cover the port with a Torx screw to prevent tampering. The permanent solution, however, requires updating the firmware — but that can only be accomplished by replacing the control board, or the entire lock itself. Onity won't be offering anything for free in those cases. It will charge a "nominal fee" for the updated board, and all shipping and installation costs will be left up to the hotel owners. Those that replace their locks entirely will be given a token gesture of a "special pricing program," but it's hard to see the move as anything other than the company using the vulnerability as an excuse to push customers to buy new systems.

    Both solutions will be available by the end of the month, and we wouldn't be surprised to see more than a few hotel owners solve the problem by upgrading — to a different manufacturer.