Wednesday, July 25, 2012

Hacked Hotel Doors

The Black Hat security conference in Las Vegas always exposes interesting security vulnerabilities. This year is no different, with news that the Onity card lock used on millions of hotel rooms is vulnerable to a hack attack. With about $50 worth of hardware parts and a bit of programming, an unauthorized person can open a locked door from the outside. See the Forbes article here and the presentation and paper here.

A couple of points to consider. Not all hotels use Onity locks (VingCard, CISA, and Safelok are a few other popular brands). There's a higher probability of a corrupt hotel employee accessing your room without your permission than a hacker. Most doors feature some type of mechanical lock in the form of a chain or swing lock that secure the room from the inside when occupied (it's worth noting that these locks do not offer 100% security, and can be readily defeated by a knowledgable person).

A cheap and simple solution to securing a hotel room while you're inside (or a room with any door that opens inward) is to use rubber door stopper. Jam the stopper between the door and floor. There is usually enough friction to prevent the door from opening. Give it a try.

International Security/Espionage Trivia: Some security practitioners may recall the 2010 assassination of Hamas member Mahmoud Al-Mabhouh in Dubai. The Mossad was alleged to have hacked the card lock on Mabhouh's hotel room and waited for his return. The Al Bustan Rotana hotel, where Mabhouh stayed, uses VingCard locks. Dubai authorities reported there was evidence that someone reprogrammed the lock at the door to gain access to the room before Mabhouh was killed.


Saturday, July 07, 2012

Afghanistan School Poisonings - Mass Hysteria?

If you do work in Afghanistan, you've likely heard stories about large numbers of students at girls' schools that have come down sick. The Taliban has been widely blamed for these incidents, allegedly conducting a poisoning campaign to stop or disrupt girls' education programs. Despite Taliban denials, if poison is indeed being used as a weapon, there are obvious security implications for NGOs with a presence in Afghanistan.

The World Health Organization has been investigating these incidents for the past three years and just released a report that concludes there is no conclusive evidence of poisoning. Instead, researchers are attributing the events to mass hysteria. If the report is correct (and its conclusions seem to be spot on), this is a fascinating case study of how a perceived threat can snowball into something that takes on a life of its own.


Sunday, July 01, 2012

Dadaab Abductions (and Rescue)

Two vehicles carrying a high-level Norwegian Refugee Council delegation were ambushed outside of a Dadaab camp. A driver was killed and four international staff were abducted. Kenyan military and police units were said to be pursuing the kidnappers into Somalia. This marks the first high-profile abduction in the camp since October 2011, when two Spanish staff members of MSF were kidnapped (and are still being held). That incident prompted a Kenyan military incursion into Somalia and widespread use of guards by NGOs working in Dadaab. Initial reports indicate the NRC delegation was not traveling with a security detail as the area was thought to be safe. 7/2/12 Update - The four NRC staff members were safely rescued in a military operation by Kenyan and Somali troops. There are unconfirmed reports a Western special operations force was significantly involved in the rescue.

Labels: ,