A report by ABC News showing how easy it was to break into certain electronic door locks used by major hotels has prompted the Holiday Inn chain today to announce a drive to "expedite" efforts to fix the locks.
The ABC News report included a visit to the Holiday Inn Express Times Square on 39th Street, where we checked in to a room and demonstrated a major security flaw that allows guest doors to be opened without a hotel-issued key.
The problem centers around a particular model of hotel door lock made by Onity, a company which describes itself as the, "Worldwide Leader In Electronic Locks." However, on one of its most popular models sold to hotels globally, hackers claim to have discovered that the company left a security port uncovered that allows them to open any of the locks with a universal key of sorts.
Nick Percoco of Trustwave, a security consulting firm, visited the Holiday Inn Express along with ABC News and opened a room we had checked into without a key from the hotel. He did so by plugging a small device hidden in a magic marker into the bottom of our hotel door.
Percoco was not given previous access to our room. It took less than two seconds to open our door.
"I can go down the entire hallway and unlock every single door," Percoco said. "I would say millions of people worldwide would be at risk every single day until this problem is fixed."
Percoco said he was doing the demonstration for ABC News because the industry has not properly addressed the threat, even months after Mozilla software developer Cody Brocious first exposed it at a well known convention for hackers in July called the Black Hat security conference.
Recently, videos have popped up across the internet and on YouTube teaching others how to build a homemade device that can hack hotel locks made by Onity. Percoco says he hopes his company's demonstration prompts the hotels to fix the safety issue.
He also took the device his company built to a nearby Hilton Garden Inn. Once again, ABC News checked in to a room there and did not give him prior access. He was able to plug the hacking device into our door lock, and gain access to another room within a matter of seconds.
The manager of the Hilton Garden Inn we visited told us he had never heard of the problem with Onity locks before.
"I'm not aware of it," he said.
However, after seeing video of Percoco easily breaking into a room of his hotel, the hotel manager expressed concern.
"I would be happy to bring this to Hilton's attention because this is a security problem, yes," he said.
Onity did not respond to a request for an interview, but told ABC News in a statement, "…the company is working with its customers to deploy solutions."
Hotel industry consultants have told ABC News there are two options hotels have been given to fix the problem. One involves the installation of a plug that can be manually fixed to each door lock, blocking the access of hackers but also preventing door locks from being reprogrammed.
The second solution involves replacing a circuitboard inside each door lock, which to date Onity had told hotels they would have to pay for, even while the problem appears to be a product defect.
"Although the hotel industry does not think it is appropriate to incur costs around an Onity solution, each hotel is evaluating its effectiveness," Kathryn Potter told ABC News. Potter is a spokesperson for the American Hotel and Lodging Association.
However, in response to new pressure from the industry following ABC News' report, Onity's previous hard line with hotels may be softening.
In a statement released Sunday to ABC News, the parent company of the Holiday Inn group of hotels, IHG, told ABC, "Confidential negotiations are underway between Onity and the industry regarding costs for any firmware upgrades required."
IHG also said, "It has been reported that Onity has an installed customer base of about 4 million locks at thousands of hotels worldwide. Onity has notified the hotel industry that solutions to the problem are available."
IHG told ABC News the Holiday Inn Express in Times Square that we visited has now placed an order with Onity for the products that will help them address the problem at that location.
"The Holiday Inn Express New York City Times Square is awaiting delivery of Onity's solutions for their hotel's locks; and both the hotel's management and IHG have contacted Onity regarding distribution to this specific hotel," the statement said.
Corporatewide, IHG said, "We have advised our hotels to work directly with Onity to monitor, and expedite if possible, delivery of their lock solutions."
A spokesperson for Hilton Worldwide said, "The safety and security of our guests is always our highest priority, and we are working with Onity to investigate and address this issue."
Security experts say it is important for guests who are concerned about safety to increase their use of in room safes, deadbolts and chains.
ABC News is continuing to follow this story as it develops. If you have a related tip that can help us, please email Mark.P.Greenblatt@abc.com.