Locking systems used in around 22,000 hotels worldwide hacked open by software engineer
Millions of hotel rooms across the world could be opened using technology that costs just £30, with a hacker saying it is "stupidly simple" to do.
American software engineer Cody Brocious demonstrated a method of hacking into key card entry systems on hotel room doors.
With the help of an Arduino microcontroller unit, essentially a very small computer, he showed that it was possible to read the code needed to open the door from the lock itself. Once the code has been read from the lock, the Arduino can then play the code back to the lock and the door will open. It took just 200 milliseconds for the code to be read and the lock to open.
"With how stupidly simple this is, it wouldn't surprise me if a thousand other people have found this same vulnerability and sold it to other governments," Mr Brocious told Forbes.com. The hack was demonstrated at the Black Hat conference in Las Vegas.
The Onity lock system has nearly 10 million locks installed in hotels worldwide, including chains such as Marriott, Hilton, Hyatt and Sofitel.
Onity downplayed the issue, saying the hack was difficult and unreliable.
The company said: "Onity understands the hacking methods to be unreliable, and complex to implement. However to alleviate any concerns, the company is developing a firmware upgrade that will be available to customers to address any potential risks."
Mr Brocious explained that the hack was possible because the lock doesn't authenticate devices plugged into it. Every Onity key card lock has a small port for charging and adding new codes. The Arduino can be plugged into this port and then used to control the lock. In his report on the hack Mr Brocious described the key card locks as "inherently flawed".
"For guests staying in any hotel, we recommend the use of door chains or latches whenever possible to add an extra layer of protection," Mr Brocious said.