IAmA Reverse engineer who broke millions of hotel locks. AMA

Oh man, this is great. It was because of you we had an emergency staff meeting at the hotel I worked at. I walked over to the nearest guest room door and told them we don't have ONITY locks.

I got to go home early, with pay, because of you. This beer is for you.

Hahahaha. Glad I could uh, be of service.

Oh, no, thank you.

None of our guests knew anything about it, so no having to deal with the fallout. Let me ask you, though, since I have your attention, what your beer of choice is?

Depends on my mood. Overall favorite is Clown Shoes Black IPA, but I'm also a huge fan of Anchor Steam.

Clown Shoes? Damn, just looked them up and they don't seem to be available to California.

Anchor Steam is a damn fine beer, though. Have you had their Breckel's Brown? So tasty and malty, like a biscuit.

Don't believe I have. I'll check it out :)

While there is no doubt that your expose' will only improve security in the long haul, what are you thoughts/feelings on the immediate impact of your findings?

Fellow reverse engineer here, so that question wasn't an attack. I'm genuinely interested in your thoughts on the ethics of it. To be honest, my drive to learn via RE supersedes any objections I would have about ethics. I'm not malicious in any way, I just want to learn. I'm curious if you feel similar.

At the end of the day, I know that people will use this for malicious purposes, just like any important vulnerability that's disclosed. However, I have to balance that out with a question that's been on my mind for a long time: How many people used this before I even thought of it? How many people have been robbed or worse, because of these buggy locks?

I'm not happy about any of this, but I think getting the info out there balances out the harm that may come from it being out there in the near future.

Did you do any sort of responsible disclosure such as contacting Onity before going public?

Covered at http://www.reddit.com/r/IAmA/comments/yeiac/iama_reverse_engineer_who_broke_millions_of_hotel/c5uwio0

Just tweeted this -- good enough proof? Could also post on the blog where my paper and such are published. Here's the tweet: https://twitter.com/daeken/status/236602748555116544

If a mod has a facebook account, Cody's linked to this AMA there.

Yep, this -should- be public: http://www.facebook.com/cody.brocious/posts/232724386849639

What are you working on over at Mozilla?

I work on Boot2Gecko, primarily doing gfx optimizations. Currently working on overscroll animations (what happens when you scroll a page too far).

Do you use Boot2Gecko as your primary phone or for any "serious"/actual normal stuff you'd use with your previous Android or iOS phone?

Not yet. I use it as a side phone when I need it, but honestly I break it too often to do so. Sometime soon I'll set a phone aside for stable testing and dogfood it properly.

Caleb from Hackaday.com here. Think they'll just ignore it like bump keys? Seems like so much money and trouble to go back and fix everything.

I think that it's public enough that they'll be forced to do the right thing eventually and release a fix/recall in the future. I just don't know when that'll be.

You have the chance to teach/show everyone in the world one thing and they will all listen what is it besides simple things like how to use their freaking blinker.

Hm, that's a tough one. Here's something awesome I learned recently, which everyone should know: While flying with a partner and the seats are in groups of three, select your seats such that you're leaving the middle seat open. Unless the flight is packed, it's unlikely anyone will pick the middle seat, and you have the group to yourself. Works great.

Also, even if someone books the middle seat, they would likely switch to the aisle or window upon request.

Yep! It's the perfect system.

I never have anyone to fly with. :(

Turn that frown upside down!

That's a smile, not an upside-down frown!

Does Onity actually think that people don't have access to Torx bits?

I'm sure they realize that people have them, but that it'll add quite a few seconds to the opening process, rather than it being instant. It also makes it harder to not be obvious that you're doing it or that you were there.

Honestly, it's not a bad solution, it just should be paired with fixing the underlying vulnerabilities.

Wikipedia tells me you were interested in computing by the age of four. What was it that got you interested at such a young age?

Well, I was always around computers -- my parents always had them, and my uncle used to build them. I don't know what sparked me to learn about programming particularly, but I do remember two things:

I discovered a book on BASIC for the Apple ][E in my school library, and started tweaking the code in there, then started writing little text-based games; that was probably kindergarten or first grade. It was short (maybe 30-40 pages?) and IIRC its cover was orange with white lettering, if anyone has a clue. Would love to get a copy again.

The other thing was that I learned about EDIT.COM and opened the game Pilgrim's Quest in it, on my old 386. I was maybe 6 or 7, and I had absolutely no idea what I was doing, but I mashed keys and typed in words and such; it wasn't source, it was a raw binary. I ran the game, and the screen was completely corrupted, but on pressing a key, you'd hear a sound. Each key had a different sound. It was then that I realized that if you understood what these things did, you could be the master of a little universe of your own.

Of course, playing Shadowrun on the Genesis when I was a little bit older helped a lot. I still want to be a decker; hell, I even named my old OS "Renraku".

How does a 30 year old newbie learn to code?

I'm not really sure. The hard part is just getting started, so maybe something like http://www.codecademy.com/ could be of help.

I want to be a white hat security guy; how do I get started? my background is unix sysadmin/qa, etc.

Well, there are a million ways you could go about it, but here's what I'd do:

1. Learn to program in at least one high-level language (Python, Ruby, JS, whatever), learn to program in at least one low-level language (C is best, C++ is almost as good). If you want to work on the reverse-engineering side of things, learning assembly for at least one ISA (x86 is best) is a very good thing. If you want to work on the web side of things (which you'll likely need, at some point or another) then you have to understand how web development is done, how the web itself works, how JS works, etc.

2. Start from the top down; first step is the web. OWASP has lots of good information, but use it to just get a feeling for what's out there, then Google around.

3. Run through some web security challenges, e.g. HackThisSite, and use WebGoat as a test.

4. Read up on native security a bit -- learn the basics of buffer overflows and all that fun stuff.

5. Grab old versions of open source software with known vulnerabilities, and rediscover them. This applies equally well to native and web software.

6. Practice, practice, practice. Every time you encounter a piece of technology or a security process, think about how you could attack it. Take a shot at every piece of software you come across (-NOT- web-based services; that's generally illegal).

7. Surround yourself with people smarter than you are on every topic you're interested in. This is easy to do in the age of the interwebs.

I'm also writing a book on getting into security; the outline is available at https://gist.github.com/3366052 . The point of it is not to be a complete guide to every detail of every part of security, but rather to expose you to enough different things that when you need to learn something, you're able to. It'll be out... sometime before I die :P

Are these generally the same set of instructions necessary for someone of less than honorable morals to learn to get into the criminal side of things? I ask out of curiosity if the difference is entirely intentions, because i'm really interested in psychology.

Totally not a criminal and stuff :P

The only difference between an honorable hacker and a dishonorable hacker is what they do with their knowledge, not the knowledge itself.

ask you ANYTHING? well why don't we start with how do you do it?

As in how it works? Well, there's a port on the bottom of the lock that's used to program the lock. That port allows direct memory access, enabling you to read the sitecode (unique code for the property) out of memory, then send it back up with the open command. No authentication is required, and it takes about 200ms for it to pop open. Full details are available at http://daeken.com/blackhat-paper if you want more details.

Or do you mean how I actually got to that point?

Well I was actually jokingly asking you to disclose the secrets of your trade. Answer was totally unexpected and satisfactory :)

Oh, hah, sorry. Though that was satisfactory, I'll answer the original question:

First step is to figure out what your goal is. For instance, you may want to understand the model format in a game, so you can render them yourself.

Once you have your goal, think about how you would design the system you're trying to reverse-engineer. It doesn't have to be detailed, just a general idea.

From that, come up with a set of assumptions about the system. E.g. "there will be a field in the header that is roughly the size of the file divided by 12 (3 x 4 byte floating point values, for coordinates)". Then check each of those.

Once you've done that, rethink your model of how it works using the new information, and repeat until you figure it out.

It helps massively to know a little about everything, so you can draw conclusions about how things work just by seeing what it does.

Yep. That example is real, btw -- I worked on reversing the Everquest file formats many, many years ago to write my own client for it. I was still in high school at the time; I printed out a couple pages of the hex dump of a few files in a given format, then I'd go over them with highlighters and figure out the specific bits. It's all about pattern matching and checking assumptions.

Do you think the lock manufacturer will fix the vulns at least for newly produced locks? Or are there maybe even inherent protocol weaknesses that would make a patched lock incompatible with existing programming devices or cards or so?

Fixing these vulnerabilities consists of two parts: changing the protocol for the portable programmer such that direct memory access is not possible, and changing the crypto to use a safe algorithm and a large key size (a 32-bit key on a terrible proprietary algorithm is very much Not Ok (TM)).

This means that the portable programmer and encoder both have to be changed, in addition to the locks. I can only hope they'll do all of this, and get it audited to know that it actually works properly.

So they need to replace 4 million locks and other stuff too. Wouldn't they be worried that a new RE will then come by and expose new vulnerabilities?

They should be concerned about that no matter what. That's why I strongly, strongly recommend them to have everything thoroughly audited by independent security professionals. Will they catch everything? No. Will they catch these sorts of horribly obvious vulnerabilities? Absolutely.

Thought the mfr issued a statement that they were fixing "most" of the locks with a physical deterrent and "firmware upgrade"? Am I missing something? Am I in the wrong thread again?? Fuck!

What they've described as their plan to fix these issues is, I believe, not actually going to solve everything. Details are at http://daeken.com/onitys-plan-to-mitigate-hotel-lock-hack

I think what you did is great... However, I think it's easier to just tell the people at the front desk you need a new key. 9 times out of 10 they will ask for what room, then make the key.
Also, I follow you on Twitter, and have been for awhile. Keep the updates coming.

Thanks for the kind words. I'll try to keep things interesting!

Also, something I was wondering earlier. Why didn't you give them a full heads up before releasing it full disclosure? Isn't it ethical to give them a warning you are going to release a pretty big vulnerability in a companies product?

tl;dr: I figured that getting the information out there and exposing this as the major issue it is was priority number 1; the safety issues involved make it a really risky proposition, and letting people know how bad things are was the best way.

I saw a couple options if I had gone to Onity with these issues ahead of time: 1) They file a lawsuit and keep me tied up in court to keep the info out of the public eye and save face. Result: information doesn't go public (and get fixed) for years. 2) They ignore it, I release everything. Result: same thing we have now. 3) They claim to fix it repeatedly and pressure me to hold off on releasing anything until X% of hotels are fixed. Result: nothing happens, ever; they fix it in an improper way and hotels never update. I eventually release, maybe. 4) They fix it quickly, get the fix out to hotels on their dime, and all is well. Result: Complete safety.

In my opinion, #1 and #3 are most likely. Either way, hotels continue to be unsafe for a very long time. That isn't okay in my book. This forced their hand such that they had to respond and fix the issues, and they're taking steps to do that now.

All of this is combined with the fact that I know I'm not the first person to discover this. It's simply too damn simple; how many people have used this in the past for malicious reasons? The cat has been out of the bag for many years, IMO.

What do you think about the "oh, we'll send out some screws to stick into the reprogramming hole" response from the vendor? Would you stay in a hotel room with that patch applied?

I think it's actually a really nice temporary fix, and I think it's good to have it there even once these issues are fixed -- after all, there are likely others there. It's not perfect, but it raises the bar slightly, and that's a good thing. The rest of the response... not so much.

Honestly, the likelihood of anything happening to you (even if you left the door latch off and had a vulnerable lock) is tiny. I always throw the door latch/chain on when it's available, but I don't stress about it. If someone wants to rob me or whatnot, they'll do it.

Why wasn't your presentation part of the normal blackhat briefings (the last two days)? Did one need more than a standard 'briefings only' badge to see your talk? I was frustrated to be excluded, having paid so much money for entry.

How many people actually came to your presentation? I assume only those from the trainings sessions ($5,000+ entry) were able to see your talk?

They decided they wanted a "fun" presentation for the Zero Day Briefings that happened the night before everything, and I was picked for it. You didn't need any special badge, but it was woefully under-advertised. Amazed I got as many people as I did, honestly. That said, the presentation sucked -- my timing was totally off, so I ran through my 60 minute slot in... 30.

For what it's worth, I'm planning on doing another one of it which will be livestreamed with a public Q&A. Not sure when, but I'll announce it on Twitter (@daeken) and my blog (http://daeken.com/) ahead of time.

How does one get started in reverse engineering?

My standard recommendations:

1. Learn C
2. Learn x86 assembly (start by compiling C you write down to assembly and reading it, then get your friends to write some stuff and compile it for you, then decompile it back to C by hand)
3. Start digging into every protocol and file format you can find. Pick a goal (e.g. I want to write a model viewer for WoW) and jump into it.
4. Practice, practice, practice.

If you want to go down that path, shoot me a PM on Freenode IRC; nick's Daeken.

Do you have more information on reversing the Emotive brain-computer interface that can be publicly released?

I wrote about my reversing process at http://daeken.com/emokit-hacking-the-emotiv-epoc-brain-computer-0 It's currently maintained as part of http://www.openyou.org/

If you have any questions about it beyond this stuff, feel free to ask. That was a fun project.

I heard that when they tested your hotel door unlock scheme on several randomly chosen hotel locks, it only worked on a small percentage.

Is this true, and if so why?

Covered that at http://www.reddit.com/r/IAmA/comments/yeiac/iama_reverse_engineer_who_broke_millions_of_hotel/c5uw4wk

Did you get any blow backs from this? Like did any hotels or security companies (the lock companies) get pissed at you?

I'm sure a lot of people are pissed at me, but outside of some rude comments on the internet (gasp) I haven't heard a thing.

Have you ever used your skills for something mischievous? or for a personal gain?

Mischievous, not really. For personal gain, nothing directly outside of just using my skills for work; my projects like these have ended up boosting my reputation and making it easier to get work, so that counts I guess.

[deleted]

That was the point, by and large. The Onity vulnerabilities are terrible and obvious, and obviously need to be fixed, but I think the bigger picture is: there are plenty of other lock vendors, and I'm sure they aren't that much better. Security -- real, hard security -- needs to be the norm here, and that won't happen without getting some knocks.

Did you ever fear repercussions by Onity? I mean you're hurting their business and public image quite a bit.

Fear? Not so much; I feel I've done the right thing and stayed within the bounds of the law. I'm surprised there hasn't been an attempt to 'shut me up', though.

How did you become so smart? College? Self-learning? If so, what did you read or follow?

Everything I know was self-taught. I just found interesting things and started doing them. I'm actually a high school dropout, no college at all haha.

I like the cut of your jib!

Why thank you!

One of the reports mentions your code/device failing to open some locks in a few cases. Was that just a matter of your stuff being mostly proof of concept code that needed refinement, or were the locks any different from what you had been working on previously?

I know that the locks were different (in that they used slightly different boards), but the key problem was a timing issue with my Arduino sketch. The night before the Forbes demo, I hacked the sketch up to add some extra functionality (reading out the code key values needed to make master cards, in addition to just opening the door) and I'm fairly confident that screwed up the timing, which I calibrated carefully a long while back.

Outside of some random documentation issues and a little bug in the code, I'm fairly certain that the code that I released in my paper (largely the original code) works 100% of the time. That's definitely been what I've heard from people who have tested it. Not sure how I feel about that.

How I'd solve this: Port it to a much faster uC, run your communications code in a fast high priority interrupt handler, will be rock solid. I think a PIC32MX7 would probably do it.

Yep, a number of people have built independent implementations on random uCs and had full success.

Is there anything else that you like to do with your spare times besides reverse engineering things?

In terms of tech, I spend a lot of time working on demoscene productions and writing random little apps/tools. Otherwise, just doing things with the girlfriend; seeing movies, going to plays, bowling, shopping, etc. I'm pretty boring, generally.

Occasional acid flashback?

We don't talk about that these days. Not after the incident.

I saw you in a magazine! GREAT WORK!

Wait, what? ... Link/pic?

Well it's a real life paper magazine in a doctor's waiting room, I don't have access to it now. You are a bigger celebrity than you think! I'm even impress to see you here actually.

Well, that's officially weird. If you remember what it was, let me know please. I've only had passing mentions in magazines (well, and an article in Hacker Monthly, but that doesn't count), so it'd be cool.

How long did this particular RE take and what were the mechanics of the whole process? Did you have a lock to work with or did you spend the whole time in a hotel?

So, it's tough to say how long this took. This specific part of it (the communication between the portable programmer and lock) was actually the last thing I did. The whole process was a period of 3 years (about a year and a half working full time, 6-9 months working part time) and consisted of reverse-engineering every part of the Onity lock system and implementing my own front desk replacement.

As far as how it was done, it was all done via black-box reversing of the protocols and card format. I'd sit between each portion of the system (most of it is RS-485, with the exception of the PP<->Lock communication) and read the data, then start emulating one side or the other and digging deeper.

The crypto was figured out by writing a card on the encoder (which automatically encrypts/decrypts cards) then reading it back on my own encoder, an MSR805. I'd then flip a bit in the plaintext/ciphertext or sitecode and try again. Eventually I figured it all out.

All of the reversing could probably be compressed into 9-12 months of work, if I had to take a guess. I did have a lock, along with all the other needed hardware.

Being an independent RE, what sort of tools are you using? Do you find yourself building a lot of your own tools for this stuff? How often do you collaborate with other REs, and is that done mostly online or in 'meat space'?

I use IDA Pro (an old copy of 5.1; never bothered to upgrade my license) heavily for native reversing, Burp for websec stuff, and a lot of my own tools. I generally end up writing a custom tool suite for each project, if it's not a trivial gig; e.g. I might write serial proxies, or write code to parse logic analyzer dumps.

I rarely collaborate with other REs -- haven't in quite a few years, really, outside of some random little things over Skype.

I just want to let you know that's really cool! In high school I reverse engineered a key to everybody's locker and was suspended for a week. It helped me decide on Mechanical Engineering for my major of study in college (I'm starting my fourth year). I want to let you know reading your story just now has really motivated me even more. Hopefully I can be as awesome someday!

What made you decide to go into security research? Did working in reverse engineering just lead you there?

Haha, neat.

Yea, reversing just sort of led into security. Definitely one of the more interesting applications.

I thought reverse engineer was something you did, not something you are. What is your degree?

No degree, high school dropout.

Is it true that you find this easy but riding a bike very difficult?

Quite so.