“It’s the older Onity locks that are subject to hacking,” Seiders said. “With the old locks, which were the best at the time, the encryption code that authorizes the lock to open has been installed on all of those individual locks. The hacking device, when it’s plugged into the lock, fools the lock into thinking it’s an authorized programmer. The newer locks don’t have the encryption code in each one; the code is issued at the front desk.”
Following a robbery at a Houston hotel in which thieves exploited security flaws in Onity locks first revealed at the Black Hat conference in July, Hotel Management spoke with Todd Seiders, director of risk management at Petra Risk Solutions and former director of loss prevention at Marriott, for tips on how hoteliers can keep their rooms secure.
“[Onity] immediately started offering the caps and screens to block the port that causes the vulnerability, but I don’t think that’s a very valuable option, because if you block these terminal ports and you have an emergency in the room and the lock has failed, you have to be able to plug in the portable programmer or you’ll have liability issues,” Seiders said. “The thing to take advantage of now is the motherboard switch out. If you mail it in within a reasonable amount of time they’ll replace it for free. The motherboard fix, that’s what these hotels should be doing.”
While Seiders noted that the recession has meant less money available for full-time security staff and new equipment like cameras, he emphasized the importance of staff training in hotel security. “My advice is to go walk the halls and if you see a person standing in the hallway go and look at him for 60 seconds. He’ll either go to a room, or, if not, approach him and say ‘what’s up,’ find out if you can help him. Customer service is the best security.”
Seiders also pointed out that the newer models are not as vulnerable to hacking.
In a statement from Onity, the company said, “Over the next several weeks, we will ensure all hotel properties in our database receive the mechanical solution. These mechanical caps and security screws block physical access to the lock ports that hackers use to illegally break into hotel rooms. The mechanical solution remains free of charge to customers. Technical solutions vary depending on the age, model and deployment of locks at properties.”