Today we introduce a new post to the blog. We tell a singular story that we think may help us reflect on some aspects of security and which may be a source of learning.
In 2012, the security analyst Cody Brocious discovered a vulnerability which affected the electric handles manufactured by the Onity brand (installed in doors in many hotels all over the world) and created a little portable device which was able to open 10 million hotel doors.
Besides being reported to the company, the discovery was shared in specialised forums for hackers and computer security, and some media (such as the journalist Andy Greenberg of Forbes magazine) echoed it. Despite these disclosures and the fact that different devices able to take advantage of this vulnerability (increasingly small ones) were replicated on the internet, the company was slow to respond and many hotels did not want to change the handles, which were no longer secure.
Aaron Cashatt, a youngster from Arizona with drug-related problems, a brief criminal background and knowledge of computers and electronics, saw a television programme which explained the system used to hack the door handles of hotel rooms. In the summer of 2012, with an investment of 50 dollars, he was able to copy the device and he tried it out in a hotel from which he stole a few towels. Seeing how effective it was, he began to perfect his break-ins, with an increase in the value of the objects stolen (first televisions and room fittings and later the belongings of the hotel guests) as he perfected the tool that gained him entry to rooms without leaving a trace. For over a year, Arizona's police authorities and those of other states like Ohio and California were trying to track down a ghost that was entering hotel rooms without leaving a trace. Although he was arrested and imprisoned for a short time for previous crimes, it was not until the summer of 2013 that they were able to link him to the almost 100 crimes that had been committed during that time, and he was finally arrested, sentenced and imprisoned for the hotel robberies.
Greenberg published Cashatt's story in Wired magazine in the summer of 2017 and, despite a lack of computer knowledge, he was able to copy the device conceived by Brocious. He tried to use the device in four different hotels (he stayed in the rooms that he was trying to gain entry to in order to avoid committing an offence) and, surprisingly, five years after the vulnerability was made public, the device worked in one of the rooms.
This story enables us to reflect on the following aspects, among others:
- The many actors responsible for security (in this case the police, hotels, handle manufacturers … and hackers who discover vulnerabilities).
- The importance of taking measures once vulnerabilities are detected. Cashatt spent a year exploiting the vulnerability detected by Brocious … and Greenberg showed that five years later this still posed a risk for establishments that had not changed or updated their handles.
- The need to follow security-related information. Although the vulnerability had been communicated publicly and had been published by the media, police forces did not discover Cashatt's modus operandi until he was arrested and they found the devices he was using to enter the rooms.