1625
IAmA Reverse engineer who broke millions of hotel locks. AMA
I'm Cody Brocious, a reverse engineer and security researcher. At BlackHat this year, I released major, unpatchable vulnerabilities in 4-10 million hotel locks. You can read more at http://www.forbes.com/sites/andygreenberg/2012/07/23/hacker-will-expose-potential-security-flaw-in-more-than-four-million-hotel-room-keycard-locks/ and http://www.forbes.com/sites/andygreenberg/2012/08/17/hotel-lock-firms-fix-for-security-flaw-requires-hardware-changes-for-millions-of-locks/
I previously worked on reversing the Emotiv brain-computer interface, the iTunes music store (the PyMusique project), and unlocking the iPhone. Got questions about reversing, security, or anything other than legal-related questions? Go for it.
Update: I'm heading to bed as I'm way, way too tired to keep going. Thanks for all the great questions. Keep them coming and I'll answer once I get up. Hope this was as fun for you all as it was for me!
Update 2: I'm awake, or something like it. I'll be answering questions until this dies, so keep them coming.
Reversing IRC: Due to the massive number of requests for info on reversing and all that, I started up ##reversing on irc.freenode.net. Come on by.
negkarmafarmer192 karma
Oh, no, thank you.
None of our guests knew anything about it, so no having to deal with the fallout. Let me ask you, though, since I have your attention, what your beer of choice is?
daeken210 karma
Depends on my mood. Overall favorite is Clown Shoes Black IPA, but I'm also a huge fan of Anchor Steam.
negkarmafarmer114 karma
Clown Shoes? Damn, just looked them up and they don't seem to be available to California.
Anchor Steam is a damn fine beer, though. Have you had their Breckel's Brown? So tasty and malty, like a biscuit.
ryanmaynard267 karma
While there is no doubt that your expose' will only improve security in the long haul, what are you thoughts/feelings on the immediate impact of your findings?
Fellow reverse engineer here, so that question wasn't an attack. I'm genuinely interested in your thoughts on the ethics of it. To be honest, my drive to learn via RE supersedes any objections I would have about ethics. I'm not malicious in any way, I just want to learn. I'm curious if you feel similar.
daeken363 karma
At the end of the day, I know that people will use this for malicious purposes, just like any important vulnerability that's disclosed. However, I have to balance that out with a question that's been on my mind for a long time: How many people used this before I even thought of it? How many people have been robbed or worse, because of these buggy locks?
I'm not happy about any of this, but I think getting the info out there balances out the harm that may come from it being out there in the near future.
nexterday91 karma
Did you do any sort of responsible disclosure such as contacting Onity before going public?
daeken230 karma
Just tweeted this -- good enough proof? Could also post on the blog where my paper and such are published. Here's the tweet: https://twitter.com/daeken/status/236602748555116544
daeken33 karma
Yep, this -should- be public: http://www.facebook.com/cody.brocious/posts/232724386849639
daeken278 karma
I work on Boot2Gecko, primarily doing gfx optimizations. Currently working on overscroll animations (what happens when you scroll a page too far).
desparadacido46 karma
Do you use Boot2Gecko as your primary phone or for any "serious"/actual normal stuff you'd use with your previous Android or iOS phone?
daeken47 karma
Not yet. I use it as a side phone when I need it, but honestly I break it too often to do so. Sometime soon I'll set a phone aside for stable testing and dogfood it properly.
calebkraft110 karma
Caleb from Hackaday.com here. Think they'll just ignore it like bump keys? Seems like so much money and trouble to go back and fix everything.
daeken62 karma
I think that it's public enough that they'll be forced to do the right thing eventually and release a fix/recall in the future. I just don't know when that'll be.
redbluetwo104 karma
You have the chance to teach/show everyone in the world one thing and they will all listen what is it besides simple things like how to use their freaking blinker.
daeken259 karma
Hm, that's a tough one. Here's something awesome I learned recently, which everyone should know: While flying with a partner and the seats are in groups of three, select your seats such that you're leaving the middle seat open. Unless the flight is packed, it's unlikely anyone will pick the middle seat, and you have the group to yourself. Works great.
bad_religion105 karma
Also, even if someone books the middle seat, they would likely switch to the aisle or window upon request.
daeken79 karma
I'm sure they realize that people have them, but that it'll add quite a few seconds to the opening process, rather than it being instant. It also makes it harder to not be obvious that you're doing it or that you were there.
Honestly, it's not a bad solution, it just should be paired with fixing the underlying vulnerabilities.
liveinmymind67 karma
Wikipedia tells me you were interested in computing by the age of four. What was it that got you interested at such a young age?
daeken107 karma
Well, I was always around computers -- my parents always had them, and my uncle used to build them. I don't know what sparked me to learn about programming particularly, but I do remember two things:
I discovered a book on BASIC for the Apple ][E in my school library, and started tweaking the code in there, then started writing little text-based games; that was probably kindergarten or first grade. It was short (maybe 30-40 pages?) and IIRC its cover was orange with white lettering, if anyone has a clue. Would love to get a copy again.
The other thing was that I learned about EDIT.COM and opened the game Pilgrim's Quest in it, on my old 386. I was maybe 6 or 7, and I had absolutely no idea what I was doing, but I mashed keys and typed in words and such; it wasn't source, it was a raw binary. I ran the game, and the screen was completely corrupted, but on pressing a key, you'd hear a sound. Each key had a different sound. It was then that I realized that if you understood what these things did, you could be the master of a little universe of your own.
Of course, playing Shadowrun on the Genesis when I was a little bit older helped a lot. I still want to be a decker; hell, I even named my old OS "Renraku".
daeken55 karma
I'm not really sure. The hard part is just getting started, so maybe something like http://www.codecademy.com/ could be of help.
atowntommy42 karma
I want to be a white hat security guy; how do I get started? my background is unix sysadmin/qa, etc.
daeken114 karma
Well, there are a million ways you could go about it, but here's what I'd do:
Learn to program in at least one high-level language (Python, Ruby, JS, whatever), learn to program in at least one low-level language (C is best, C++ is almost as good). If you want to work on the reverse-engineering side of things, learning assembly for at least one ISA (x86 is best) is a very good thing. If you want to work on the web side of things (which you'll likely need, at some point or another) then you have to understand how web development is done, how the web itself works, how JS works, etc.
Start from the top down; first step is the web. OWASP has lots of good information, but use it to just get a feeling for what's out there, then Google around.
Run through some web security challenges, e.g. HackThisSite, and use WebGoat as a test.
Read up on native security a bit -- learn the basics of buffer overflows and all that fun stuff.
Grab old versions of open source software with known vulnerabilities, and rediscover them. This applies equally well to native and web software.
Practice, practice, practice. Every time you encounter a piece of technology or a security process, think about how you could attack it. Take a shot at every piece of software you come across (-NOT- web-based services; that's generally illegal).
Surround yourself with people smarter than you are on every topic you're interested in. This is easy to do in the age of the interwebs.
I'm also writing a book on getting into security; the outline is available at https://gist.github.com/3366052 . The point of it is not to be a complete guide to every detail of every part of security, but rather to expose you to enough different things that when you need to learn something, you're able to. It'll be out... sometime before I die :P
FdubPrime12 karma
Are these generally the same set of instructions necessary for someone of less than honorable morals to learn to get into the criminal side of things? I ask out of curiosity if the difference is entirely intentions, because i'm really interested in psychology.
Totally not a criminal and stuff :P
daeken44 karma
The only difference between an honorable hacker and a dishonorable hacker is what they do with their knowledge, not the knowledge itself.
daeken66 karma
As in how it works? Well, there's a port on the bottom of the lock that's used to program the lock. That port allows direct memory access, enabling you to read the sitecode (unique code for the property) out of memory, then send it back up with the open command. No authentication is required, and it takes about 200ms for it to pop open. Full details are available at http://daeken.com/blackhat-paper if you want more details.
Or do you mean how I actually got to that point?
Dreamtrain43 karma
Well I was actually jokingly asking you to disclose the secrets of your trade. Answer was totally unexpected and satisfactory :)
daeken56 karma
Oh, hah, sorry. Though that was satisfactory, I'll answer the original question:
First step is to figure out what your goal is. For instance, you may want to understand the model format in a game, so you can render them yourself.
Once you have your goal, think about how you would design the system you're trying to reverse-engineer. It doesn't have to be detailed, just a general idea.
From that, come up with a set of assumptions about the system. E.g. "there will be a field in the header that is roughly the size of the file divided by 12 (3 x 4 byte floating point values, for coordinates)". Then check each of those.
Once you've done that, rethink your model of how it works using the new information, and repeat until you figure it out.
aydiosmio22 karma
It helps massively to know a little about everything, so you can draw conclusions about how things work just by seeing what it does.
daeken47 karma
Yep. That example is real, btw -- I worked on reversing the Everquest file formats many, many years ago to write my own client for it. I was still in high school at the time; I printed out a couple pages of the hex dump of a few files in a given format, then I'd go over them with highlighters and figure out the specific bits. It's all about pattern matching and checking assumptions.
thejh40 karma
Do you think the lock manufacturer will fix the vulns at least for newly produced locks? Or are there maybe even inherent protocol weaknesses that would make a patched lock incompatible with existing programming devices or cards or so?
daeken67 karma
Fixing these vulnerabilities consists of two parts: changing the protocol for the portable programmer such that direct memory access is not possible, and changing the crypto to use a safe algorithm and a large key size (a 32-bit key on a terrible proprietary algorithm is very much Not Ok (TM)).
This means that the portable programmer and encoder both have to be changed, in addition to the locks. I can only hope they'll do all of this, and get it audited to know that it actually works properly.
zipzap2122 karma
So they need to replace 4 million locks and other stuff too. Wouldn't they be worried that a new RE will then come by and expose new vulnerabilities?
daeken65 karma
They should be concerned about that no matter what. That's why I strongly, strongly recommend them to have everything thoroughly audited by independent security professionals. Will they catch everything? No. Will they catch these sorts of horribly obvious vulnerabilities? Absolutely.
illevator13 karma
Thought the mfr issued a statement that they were fixing "most" of the locks with a physical deterrent and "firmware upgrade"? Am I missing something? Am I in the wrong thread again?? Fuck!
daeken21 karma
What they've described as their plan to fix these issues is, I believe, not actually going to solve everything. Details are at http://daeken.com/onitys-plan-to-mitigate-hotel-lock-hack
AaronMickDee20 karma
I think what you did is great... However, I think it's easier to just tell the people at the front desk you need a new key. 9 times out of 10 they will ask for what room, then make the key.
Also, I follow you on Twitter, and have been for awhile. Keep the updates coming.
AaronMickDee24 karma
Also, something I was wondering earlier. Why didn't you give them a full heads up before releasing it full disclosure? Isn't it ethical to give them a warning you are going to release a pretty big vulnerability in a companies product?
daeken76 karma
tl;dr: I figured that getting the information out there and exposing this as the major issue it is was priority number 1; the safety issues involved make it a really risky proposition, and letting people know how bad things are was the best way.
I saw a couple options if I had gone to Onity with these issues ahead of time: 1) They file a lawsuit and keep me tied up in court to keep the info out of the public eye and save face. Result: information doesn't go public (and get fixed) for years. 2) They ignore it, I release everything. Result: same thing we have now. 3) They claim to fix it repeatedly and pressure me to hold off on releasing anything until X% of hotels are fixed. Result: nothing happens, ever; they fix it in an improper way and hotels never update. I eventually release, maybe. 4) They fix it quickly, get the fix out to hotels on their dime, and all is well. Result: Complete safety.
In my opinion, #1 and #3 are most likely. Either way, hotels continue to be unsafe for a very long time. That isn't okay in my book. This forced their hand such that they had to respond and fix the issues, and they're taking steps to do that now.
All of this is combined with the fact that I know I'm not the first person to discover this. It's simply too damn simple; how many people have used this in the past for malicious reasons? The cat has been out of the bag for many years, IMO.
causal_friday19 karma
What do you think about the "oh, we'll send out some screws to stick into the reprogramming hole" response from the vendor? Would you stay in a hotel room with that patch applied?
daeken34 karma
I think it's actually a really nice temporary fix, and I think it's good to have it there even once these issues are fixed -- after all, there are likely others there. It's not perfect, but it raises the bar slightly, and that's a good thing. The rest of the response... not so much.
Honestly, the likelihood of anything happening to you (even if you left the door latch off and had a vulnerable lock) is tiny. I always throw the door latch/chain on when it's available, but I don't stress about it. If someone wants to rob me or whatnot, they'll do it.
bsmartt18 karma
Why wasn't your presentation part of the normal blackhat briefings (the last two days)? Did one need more than a standard 'briefings only' badge to see your talk? I was frustrated to be excluded, having paid so much money for entry.
How many people actually came to your presentation? I assume only those from the trainings sessions ($5,000+ entry) were able to see your talk?
daeken18 karma
They decided they wanted a "fun" presentation for the Zero Day Briefings that happened the night before everything, and I was picked for it. You didn't need any special badge, but it was woefully under-advertised. Amazed I got as many people as I did, honestly. That said, the presentation sucked -- my timing was totally off, so I ran through my 60 minute slot in... 30.
For what it's worth, I'm planning on doing another one of it which will be livestreamed with a public Q&A. Not sure when, but I'll announce it on Twitter (@daeken) and my blog (http://daeken.com/) ahead of time.
daeken38 karma
My standard recommendations:
- Learn C
- Learn x86 assembly (start by compiling C you write down to assembly and reading it, then get your friends to write some stuff and compile it for you, then decompile it back to C by hand)
- Start digging into every protocol and file format you can find. Pick a goal (e.g. I want to write a model viewer for WoW) and jump into it.
- Practice, practice, practice.
If you want to go down that path, shoot me a PM on Freenode IRC; nick's Daeken.
syberphunk13 karma
Do you have more information on reversing the Emotive brain-computer interface that can be publicly released?
daeken10 karma
I wrote about my reversing process at http://daeken.com/emokit-hacking-the-emotiv-epoc-brain-computer-0 It's currently maintained as part of http://www.openyou.org/
If you have any questions about it beyond this stuff, feel free to ask. That was a fun project.
Penroze12 karma
I heard that when they tested your hotel door unlock scheme on several randomly chosen hotel locks, it only worked on a small percentage.
Is this true, and if so why?
IPatientZero11 karma
Did you get any blow backs from this? Like did any hotels or security companies (the lock companies) get pissed at you?
daeken43 karma
I'm sure a lot of people are pissed at me, but outside of some rude comments on the internet (gasp) I haven't heard a thing.
TheLAWLBOT11 karma
Have you ever used your skills for something mischievous? or for a personal gain?
daeken14 karma
Mischievous, not really. For personal gain, nothing directly outside of just using my skills for work; my projects like these have ended up boosting my reputation and making it easier to get work, so that counts I guess.
daeken14 karma
That was the point, by and large. The Onity vulnerabilities are terrible and obvious, and obviously need to be fixed, but I think the bigger picture is: there are plenty of other lock vendors, and I'm sure they aren't that much better. Security -- real, hard security -- needs to be the norm here, and that won't happen without getting some knocks.
IHateWaffles8 karma
Did you ever fear repercussions by Onity? I mean you're hurting their business and public image quite a bit.
daeken14 karma
Fear? Not so much; I feel I've done the right thing and stayed within the bounds of the law. I'm surprised there hasn't been an attempt to 'shut me up', though.
virtual13310 karma
How did you become so smart? College? Self-learning? If so, what did you read or follow?
daeken42 karma
Everything I know was self-taught. I just found interesting things and started doing them. I'm actually a high school dropout, no college at all haha.
iyunoichi9 karma
One of the reports mentions your code/device failing to open some locks in a few cases. Was that just a matter of your stuff being mostly proof of concept code that needed refinement, or were the locks any different from what you had been working on previously?
daeken18 karma
I know that the locks were different (in that they used slightly different boards), but the key problem was a timing issue with my Arduino sketch. The night before the Forbes demo, I hacked the sketch up to add some extra functionality (reading out the code key values needed to make master cards, in addition to just opening the door) and I'm fairly confident that screwed up the timing, which I calibrated carefully a long while back.
Outside of some random documentation issues and a little bug in the code, I'm fairly certain that the code that I released in my paper (largely the original code) works 100% of the time. That's definitely been what I've heard from people who have tested it. Not sure how I feel about that.
danjayh7 karma
How I'd solve this: Port it to a much faster uC, run your communications code in a fast high priority interrupt handler, will be rock solid. I think a PIC32MX7 would probably do it.
daeken8 karma
Yep, a number of people have built independent implementations on random uCs and had full success.
mistuh_fier9 karma
Is there anything else that you like to do with your spare times besides reverse engineering things?
daeken9 karma
In terms of tech, I spend a lot of time working on demoscene productions and writing random little apps/tools. Otherwise, just doing things with the girlfriend; seeing movies, going to plays, bowling, shopping, etc. I'm pretty boring, generally.
ImNotGoodInEnglish10 karma
Well it's a real life paper magazine in a doctor's waiting room, I don't have access to it now. You are a bigger celebrity than you think! I'm even impress to see you here actually.
daeken15 karma
Well, that's officially weird. If you remember what it was, let me know please. I've only had passing mentions in magazines (well, and an article in Hacker Monthly, but that doesn't count), so it'd be cool.
slavy7 karma
How long did this particular RE take and what were the mechanics of the whole process? Did you have a lock to work with or did you spend the whole time in a hotel?
daeken8 karma
So, it's tough to say how long this took. This specific part of it (the communication between the portable programmer and lock) was actually the last thing I did. The whole process was a period of 3 years (about a year and a half working full time, 6-9 months working part time) and consisted of reverse-engineering every part of the Onity lock system and implementing my own front desk replacement.
As far as how it was done, it was all done via black-box reversing of the protocols and card format. I'd sit between each portion of the system (most of it is RS-485, with the exception of the PP<->Lock communication) and read the data, then start emulating one side or the other and digging deeper.
The crypto was figured out by writing a card on the encoder (which automatically encrypts/decrypts cards) then reading it back on my own encoder, an MSR805. I'd then flip a bit in the plaintext/ciphertext or sitecode and try again. Eventually I figured it all out.
All of the reversing could probably be compressed into 9-12 months of work, if I had to take a guess. I did have a lock, along with all the other needed hardware.
splynncryth5 karma
Being an independent RE, what sort of tools are you using? Do you find yourself building a lot of your own tools for this stuff? How often do you collaborate with other REs, and is that done mostly online or in 'meat space'?
daeken7 karma
I use IDA Pro (an old copy of 5.1; never bothered to upgrade my license) heavily for native reversing, Burp for websec stuff, and a lot of my own tools. I generally end up writing a custom tool suite for each project, if it's not a trivial gig; e.g. I might write serial proxies, or write code to parse logic analyzer dumps.
I rarely collaborate with other REs -- haven't in quite a few years, really, outside of some random little things over Skype.
BreeBree2144 karma
I just want to let you know that's really cool! In high school I reverse engineered a key to everybody's locker and was suspended for a week. It helped me decide on Mechanical Engineering for my major of study in college (I'm starting my fourth year). I want to let you know reading your story just now has really motivated me even more. Hopefully I can be as awesome someday!
What made you decide to go into security research? Did working in reverse engineering just lead you there?
daeken6 karma
Haha, neat.
Yea, reversing just sort of led into security. Definitely one of the more interesting applications.
justguessmyusername3 karma
I thought reverse engineer was something you did, not something you are. What is your degree?
negkarmafarmer856 karma
Oh man, this is great. It was because of you we had an emergency staff meeting at the hotel I worked at. I walked over to the nearest guest room door and told them we don't have ONITY locks.
I got to go home early, with pay, because of you. This beer is for you.
View HistoryShare Link