Hotel break-ins blamed on room key card security flaw

A couple months back there was some discussion stemming from a presentation at the Black Hat conference whereby someone detailed how it was possibly to unlock doors secured by a mag stripe key card without needing any key and without having the access logged in the system. At the time it was a theoretical issue, one where the details of the exploit were sufficiently documented that fixing it should have been reasonably easy. And, in defense of the manufacturer, they do have a fix available today for the flaw. But the company, Onity, only developed the fix well after someone allegedly burgled several Houston hotel rooms by taking advantage of the exploit. But there is a fix available. Problem solved, right??

Not so fast. The fix requires replacing a circuit board in the lock assembly and that is a pricey proposition. Onity currently is expecting that their customers will cover the costs of the new circuit board, as well as shipping and labor for the installation. Oh, and there are more than 4 million of these locks in service around the world. Not such a comforting thought, really.

Never miss another post: Sign up for email alerts and get only the content you want direct to your inbox.

Seth Miller

I'm Seth, also known as the Wandering Aramean. I was bit by the travel bug 30 years ago and there's no sign of a cure. I fly ~200,000 miles annually; these are my stories. You can connect with me on Twitter, Facebook, and LinkedIn.


  1. All the more reason to ensure valuables are in a safe and the deadbolt or other entry prevention method is used when in the room.

  2. In Prague a couple weeks ago I woke up to find my room door secured only by the security chain. It had been closed and dead bolted the night before. Needless to say, I checked out that morning and didn’t return. The front desk was indifferent.

    1. Lots of hotels use the locks, Andrew. More than 4 million rooms around the world. But they aren’t isolated to any one brand.

  3. @Corey — Safes can be opened using a similar methodology, so no guarantees there. Still better than nothing…

    @ZiipyPam — How do you think the deadbolt was opened? I thought that the electronic keys could not unlock the deadbolt. What hotel were you at?

  4. It was a small independent hotel in Prague, Alta something-or-other. Though it was just a couple weeks ago, I don’t remember if there was a key card or key but think it was a key. Perhaps I am wrong about saying “deadbolt” because the lock could have been opened with a key from the outside. It almost certainly was an employee because there was security at the front desk all night.

Comments are closed.