The $50 homebrew tool that unlocks hotel doors
At the Black Hat Security conference in July, researcher Cody Brocious unveiled a device could semi-reliably open electronic door locks made by Onity. Onity locks are found on 4 million doors in thousands of hotels across the world, including high-profile chains like Hyatt, Marriott, and IHG (which owns both Holiday Inn and Crowne Plaza). Based around an Arduino microcontroller and assembled for less than $50, the tool can be built by any crook with pocket change and some coding skills, and there's at least one report of a similar tool being used to break into hotel rooms in Texas.
Scary stuff, to be sure. Perhaps more worrying was Onity's response to the situation, which was basically "Put a plug over the port and change the screws."
The company eventually developed an actual solution for the vulnerability, but it involves swapping out the circuit boards of affected locks--and Onity refuses to foot the costs for doing so. A December ArsTechnica report suggests the company may be more willing to subsidize replacement boards in the wake of the Texas crime spree, though as of November 30th, Onity had only supplied a total of 1.4 million "solutions for locks"--including those plastic plugs--to hotels globally. In other words, the vulnerability is still very widespread. Epic fail.
Death by a thousand cuts
The year didn't see a massive database breach in the vein of 2011's PlayStation Network take-down, but a series of smaller penetrations came fast and furious throughout the spring and summer. While the release of 6.5 million hashed LinkedIn passwords may have been the most notable hack, it was buoyed by the posting of more than 1.5 million hashed eHarmony passwords, 450,000 Yahoo Voice login credentials, an unspecified number of Last.fm passwords, and the full login and profile information of hundreds of Nvidia forum users. I could keep going, but you get the point.
What's the takeaway? You can't trust a website to keep your password safe, so you should use different passwords for different sites to minimize the potential damage if hackers do manage to puzzle out your login credentials for a given account. Check out our guide to building a better password if you need some pointers.
Dropbox drops its guard
Back in July, some Dropbox users began noticing that they were receiving a large amount of spam in their inboxes. After some initial denials followed by some deeper digging, Dropbox found that hackers had compromised an employee's account and gained access to a document containing user email addresses. Oops! The damage was minor, but the egg in the face was major.
Sign up for Computerworld eNewsletters.