"Onity places the highest priority on the safety and security provided by its products. And even now it declined to confirm its agreement with Marriott or other firms to pay for their hardware replacements. After I initially wrote about its response plan, it removed all information about the security bug from its website. Onity has been less than transparent about its security issues. “I can’t help but feel that Onity has the same responsibility to their customers, and to customers staying in hotels protected by Onity locks." That response drew sharp criticism from the security community, who put the onus for the flaw on Onity's engineers. “If such a significant issue were to exist in a car, customers would likely expect a complete recall at the expense of the manufacturer,” Cody Brocious wrote in his blog at the time. In a statement in August, the company said it would offer "special pricing plans" to replace the affected locks' hardware at a "nominal fee." Onity's free option consisted of plastic plugs to insert into the locks' vulnerable port, which could be removed only by opening the locks' case. Onity, for its part, initially seemed to intend to pass the cost of the security imbroglio on to hotels. Some managed to squeeze Brocious's lock-opening hardware to fit into a iPhone case or even a dry-erase marker. By September, Onity's security vulnerability was already being exploited to perpetrate a series of break-ins at Houston, Texas hotels. But soon other hackers began posting videos to YouTube showing their refinements of the trick, tweaking it so that it consistently and effortlessly opened hotel doors. The technique, which I tested with Brocious in New York hotels ahead of his public demonstration, was initially unreliable. 
Onity's security embarrassments began in July at the Black Hat hacker conference in Las Vegas: Cody Brocious, a security researcher and Mozilla software developer, demonstrated that he was able to insert a tool he'd built for less than $50 in parts into a port on the bottom of any Onity hotel keycard lock, read a digital key stored in the lock's memory, and open it in seconds. I've copied the full text of Onity's agreement with the Marriott as an example below. "Onity’s proposal for franchisees is conditioned on the franchisee’s acknowledgement that Onity does not guarantee a lock’s invulnerability to hacking," the agreement with Marriott adds, perhaps in a bid by Onity to limit any further liability if its new hardware is shown to be susceptible to another attack. Instead of its reimbursement program, the company has agreed to replace those older locks' vulnerable hardware for $21 per lock including service fees, or to ship free plastic plugs to cover the vulnerable port on the locks' underside, a band-aid fix it has offered since its security vulnerability was first uncovered over the summer. Hotels with locks purchased before 2005 or those outside the U.S., however, aren't so fortunate. "They’re trying hard to react in a way that is supportive and addresses the security issues as quickly as they can." "They’re trying to be very consistent," the executive says. It also mentions a $10 charge per lock for on-site firmware upgrades, as opposed to the free firmware upgrades in the other two deals. But one source in the hotel industry who has dealt with Onity's response to several hotel chains but asked not to be named says the company has generally agreed to cover the full costs of the fix.
Just how much of the fix Onity is paying for in each customer's case seems to vary: Though Onity seems to be offering the full price of the hardware fix for returned circuit boards from IHG and Marriott, the Hyatt memo states that Onity would charge $11 for every new circuit board it installed and repay only $6 for the replaced ones.