
About Matt

Matt Neely is a penetration tester and security researcher located in the Cleveland, Ohio area.

Saturday, 14 Jun 2008

Security Alert - Insecure Hotel Locks

A few weeks ago I stayed at an absolutely horrible hotel. While there I made an alarming discovery regarding the magnetic card locks used to secure the guest rooms.

Anyone who has stayed at a modern-day hotel has seen a magnetic card lock similar to the one above. What many people do not realize is that these electronic locks also have a manual lock built into them, which can override the electronic lock in case the battery dies or the lock malfunctions. The locks used at this hotel had the manual lock located on the bottom of the metal enclosure; see photo below. The manual lock appears to be an SFIC (Small Format Interchangeable Core) pin tumbler lock.

While at the hotel I was moved between a number of different rooms. I noticed something interesting with the second room I was given. The manual override lock on the bottom of the lock was missing! Note the figure-eight-shaped hole in the lock below. Inside the hole were two metal rods. When I rotated the rods, the door unlocked. Upon discovering this I reported the problem to the front desk and requested yet another room. On my third attempt I finally got a clean room with a working lock.

Later that night, while visiting some co-workers’ rooms, I examined their door locks and discovered about half of them were also missing the manual override lock! For obvious reasons I only examined locks where I knew the person staying in the room and did not try to manipulate any locks other than the one on my door.

Moral of the story? Next time you stay in a hotel, be sure to verify the manual override lock is still present. If it is not, at least get a different room and seriously consider going to a different hotel. If the hotel doesn’t care enough to keep the locks in working order, what else is in disrepair?

Given the information released in this article, I will not name the specific hotel. However, I will say the hotel is part of a major chain. Needless to say, the hotel management has been made aware of the problems. Hopefully they will resolve them. In 30 days I plan to contact the local media in the area so they can pay the hotel a visit and make sure the issue has been resolved.

Until next time, be paranoid and stay safe in your travels.

Cheers,
Matt

Reader Comments (2)

Wow... that is just crazy. Scary thing is that most people wouldn't even notice or know what to look for. I wonder how easy some of these locks would be to manipulate with the mag stripe reader as well. Did you catch the make/model of the door lock?

July 3, 2008 | Unregistered Commenter agent0x0

I could not figure out the make or model of the lock in the article. The security of mag stripe protected locks varies greatly between different makes and models. At the next NEO InfoSec meeting I'll be doing a presentation that touches on this. So stay tuned for more details!

July 3, 2008 | Unregistered Commenter Matt Neely
