A report by ABC News showing how easy it was to break into certain electronic door locks used by major hotels has prompted the Holiday Inn chain today to announce a drive to "expedite" efforts to fix the locks.
The ABC News report included a visit to the Holiday Inn Express Times Square on 39th Street, where we checked in to a room and demonstrated a major security flaw that allows guest doors to be opened without a hotel-issued key.
The problem centers around a particular model of hotel door lock made by Onity, a company which describes itself as the, "Worldwide Leader In Electronic Locks." However, on one of its most popular models sold to hotels globally, hackers claim to have discovered that the company left a security port uncovered that allows them to open any of the locks with a universal key of sorts.
Nick Percoco of Trustwave, a security consulting firm, visited the Holiday Inn Express along with ABC News and opened a room we had checked into without a key from the hotel. He did so by plugging a small device hidden in a magic marker into the bottom of our hotel door.
Percoco was not given previous access to our room. It took less than two seconds to open our door.
"I can go down the entire hallway and unlock every single door," Percoco said. "I would say millions of people worldwide would be at risk every single day until this problem is fixed."
Percoco said he was doing the demonstration for ABC News because the industry has not properly addressed the threat, even months after Mozilla software developer Cody Brocious first exposed it at a well known convention for hackers in July called the Black Hat security conference.
Recently, videos have popped up across the internet and on YouTube teaching others how to build a homemade device that can hack hotel locks made by Onity. Percoco says he hopes his company's demonstration prompts the hotels to fix the safety issue.
He also took the device his company built to a nearby Hilton Garden Inn. Once again, ABC News checked in to a room there and did not give him prior access. He was able to plug the hacking device into our door lock, and gain access to another room within a matter of seconds.
The manager of the Hilton Garden Inn we visited told us he had never heard of the problem with Onity locks before.
"I'm not aware of it," he said.
However, after seeing video of Percoco easily breaking into a room of his hotel, the hotel manager expressed concern.
"I would be happy to bring this to Hilton's attention because this is a security problem, yes," he said.
Onity did not respond to a request for an interview, but told ABC News in a statement, "…the company is working with its customers to deploy solutions."
Hotel industry consultants have told ABC News there are two options hotels have been given to fix the problem. One involves the installation of a plug that can be manually fixed to each door lock, blocking the access of hackers but also preventing door locks from being reprogrammed.
The second solution involves replacing a circuitboard inside each door lock, which to date Onity had told hotels they would have to pay for, even while the problem appears to be a product defect.
"Although the hotel industry does not think it is appropriate to incur costs around an Onity solution, each hotel is evaluating its effectiveness," Kathryn Potter told ABC News. Potter is a spokesperson for the American Hotel and Lodging Association.