September brought a series of mysterious break-ins to the Hyatt House Galleria in Houston, Texas. In the latest, a 66-year-old woman's laptop was stolen from her room, and the lock's records showed that no key, be it the woman's, the maid's, or a duplicate, had been used.
Police told NBC News that they arrested Matthew Allen Cook on Oct. 31, after the stolen laptop showed up at a pawn shop and employees identified the suspect. But police said that they are leaving the issue of how he entered the rooms to the prosecution.
The strange circumstance of a locked door being opened without a key would be a mystery worthy of Sherlock Holmes, if not for one thing: The lock was one with a well-known security exploit made public by a hacker earlier this year.
The lock in question is from Onity, a major supplier of electronic and keycard locks for hotels like the Hyatt. Cody Brocious, a software engineer at Mozilla and hobbyist hacker, demonstrated a vulnerability in many of their locks in July, afterwards showing a refined technique onstage at the Black Hat hacker conference. Andy Greenberg at Forbes reports that the method used in the recent break-ins is more than suggestive of the hack.
Keycard locks like those in hotels often have a port on the bottom used to access the lock's electronic memory or activate it when its battery has run out. Brocious showed that the security inside the lock is extremely easy to circumvent using a cheap and portable device made with off-the-shelf parts. It was unreliable at first, but other hackers have improved the technique and even fit the device into the shell of a dry-erase marker.
Onity, for its part, has acknowledged the flaw but offers only a temporary solution: blocking the port with a bit of plastic or putty. The flaw is baked into the device's firmware, and the only way to fix it permanently is to replace it entirely, which could be costly with at least hundreds of thousands of locks affected by the flaw. The Hyatt hotel in question has opted to glue the port shut.
In the meantime, the case against the suspect is progressing in Harris County. But even if he is charged and found guilty, the hack that opens hotel doors around the world is still at large. As Todd Seiders, a security expert at Petra Risk Solutions, told Forbes: "We’re expecting incidents in which these devices are used to explode nationally... We’re going to get hit hard over the next year."
Devin Coldewey is a contributing writer for NBC News Digital. His personal website is coldewey.cc.
