We first heard that keycard systems from manufacturer Onity were vulnerable to a hacking attack last month, and the company has confirmed the issue while offering a long-term solution: letting affected hotel owners foot the bill for an upgrade. The vulnerability, which was disclosed by Mozilla software engineer Cody Brocious, consists of hooking into the data port on the underside of certain Onity models; from there one can gain access to the device's decryption key and eventually its firmware.
In response, Onity is offering two solutions. On the one hand, it will ship out a free mechanical cap that will cover the port with a Torx screw to prevent tampering. The permanent solution, however, requires updating the firmware — but that can only be accomplished by replacing the control board, or the entire lock itself. Onity won't be offering anything for free in those cases. It will charge a "nominal fee" for the updated board, and all shipping and installation costs will be left up to the hotel owners. Those that replace their locks entirely will be given a token gesture of a "special pricing program," but it's hard to see the move as anything other than the company using the vulnerability as an excuse to push customers to buy new systems.
Both solutions will be available by the end of the month, and we wouldn't be surprised to see more than a few hotel owners solve the problem by upgrading — to a different manufacturer.