Onity HT lock systems are used in approximately ten million hotels worldwide, approximately a third of all hotels. At last week's Black Hat security conference Cody Brocious, a Mozilla software developer and security researcher, presented a paper on the vulnerabilities of this particular lock (slides).
The security hole Brocious was able to exploit is the DC port at the bottom of the locks. Using just an Arduino Mega 128, a resistor and a DC barrel connector he can, albeit unreliably, open the lock in a matter of seconds. "I plug it in, power it up, and the lock opens," he says simply. Connecting this device lets you read the lock's memory, which contains the sitecodes; these allow encryption and decryption of your own cards and can be used with the open command to unlock the door. Access to the memory requires no authentication: "Send it an address, it sends you memory". The same information can also be used to make your own guest cards and to copy master cards (which may or may not let you into other doors). More details are in his paper, where he describes the lock protocols and includes example Arduino code.
Hak5 interview (skip to 9:35, sorry for all the adverts)
Slides - demoseen.com/bhtalk2.pdf
Paper - demoseen.com/bhpaper.html
Three of the old levels are back online:
- Real Xmas
- Coding level 1
- Coding level 2
- Real level 4
The rest should be online fairly soon, along with the other parts of the site which are currently unavailable.
The speed demon medal has been removed. It seemed to present nothing but a great deal of confusion. It was also unobtainable for those members who failed to get it on their first attempt. I intend to reintroduce it at some point, but for the time being I am focusing my efforts on adding levels and getting the forum up and running.
Welcome back, or to our new members hello. The site has been offline for a number of months; this was due to performance issues in the code of the previous version. We took this opportunity to refactor the entire site, which has made for a significantly speedier user experience and a site that is much easier to maintain. As well as this, there have been two major additions in the new version: firstly, each user now has a personalised feed on their profile of their activity on the site; secondly, the introduction of medals.
Medals
Medals are awarded to users for achieving certain goals, such as uploading an image to their profile, reaching a certain score or logging in consecutively for a week. You can see a list of all the medals currently available here. New medals will be added in the near future, so keep an eye out for them. Each medal comes with a small point bonus:
- 25 for bronze
- 50 for silver
- 100 for gold
Articles and forum
The articles portion of the site is ready to be launched and you can see a preview of an article here, but we need more content. If you could help us out then please let us know using the contact us link. We will accept half-written articles on any related topic. As for the forums, we still have a bit more work to do on that section. We want to achieve a completely integrated experience with the main site, adding in a lot of nice features to promote quality, helpful posts.
Levels
As you may have noticed, a number of levels have been taken offline. This is entirely down to running out of time to prepare them for the relaunch. They will be back up very soon. New levels are in the pipeline and should be released around the same time. Again, your help would be much appreciated; please submit any level ideas using the contact us link. All contributions to the site will be rewarded with a special medal!
I hope everyone enjoys the rebooted site, all comments and suggestions are welcome. Have fun and play safe,
Flabby Rabbit
"TweetDeck is currently down while we look into an issue. Apologies for the inconvenience." - @TweetDeck
According to TechCrunch, Twitter has taken down its TweetDeck application after a vulnerability was found that allowed access to hundreds of other users' accounts. The bug was flagged up by Geoff Evanson [tweet], who described the issue:
"A bug has given me access to hundreds of Twitter and Facebook accounts through TweetDeck. I didn't do anything special to make this happen. I just logged in one day, the account was slower than normal, and I could post from many more accounts."
Update
TweetDeck is working again
"As soon as we learned about the issue today, we took TweetDeck down to diagnose the situation. We discovered a bug that caused a very small number of TweetDeck users to have access to other TweetDeck users' accounts. (The accounts that could be accessed were random; it was not possible to select specific accounts and access them.)
No one's password was compromised, and we aren't aware of any instances where this access was used maliciously. As a precaution, we removed account credentials associated with affected TweetDeck users; they will need to log in to authorize the TweetDeck application to access their accounts."