
Forbes

Hotel room doors may be less secure than you thought

Sunday, July 29, 2012

If you're a hotel security professional, you may want to take a look at the research one hacker presented at last week's Black Hat security conference in Las Vegas. If you're anyone who stays in hotels, it will probably interest you as well.

Cody Brocious, a Mozilla software developer and security researcher, presented a paper at the conference on the vulnerabilities of the Onity HT lock system, which he claims is installed on about 10 million hotel guest room doors worldwide.

In the paper, Brocious claims the locks are "insecure by design" and exposes a number of what he calls "critical, unpatchable vulnerabilities."

The security hole Brocious was able to exploit is the DC port that exists at the bottom of the locks, which with the right device and a simple piece of open-source software offers access to the lock's memory. Brocious can plug his device, which he built for less than $50, into an Onity HT lock and, most of the time, gain access to the room, according to Forbes. Brocious claims it's not 100 percent reliable at the moment, but it's only a matter of time before he successfully tweaks his software to increase its success rate.

His paper is not an easy read; it is geared toward an audience of hackers, computer programmers and cryptographers. It even includes the software program that would allow such a device to pick the Onity HT locks. The Forbes article is much more accessible to the non-programmer reader.

Though he presented his research last week, Brocious's hack is not news to everyone. According to Forbes, Brocious's former employer, a startup that tried to re-engineer Onity's hotel front desk system and develop a cheaper alternative, sold the intellectual property behind his hack to the Locksmith Institute last year for $20,000. “With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” Brocious told Forbes. “An intern at the NSA could find this in five minutes.”

Next time I'm at a hotel I'll be sure to run my fingers underneath the door lock and feel for a DC port.

 

Why profiling at airports is a bad idea

Wednesday, May 16, 2012

Bruce Schneier makes a strong argument against the case for profiling at U.S. airports in his column for Forbes. In addition to believing profiling is a bad idea for a number of reasons—it's inaccurate, serves to alienate those "who are in the best position to discover and alert authorities about Muslim plots before the terrorists even get to the airport," and just plain wrong—he also argues that "it actually puts us all at risk."

Past events have proven that terrorists come in all shapes, sizes, sexes and skin colors—from Umar Farouk Abdul Mutallab, the Nigerian underwear bomber, to Jose Padilla, the Hispanic-American accused of plotting a dirty bomb attack on American soil. Terrorists will find ways to avoid profiling, which is why Schneier argues that randomized secondary screening is more effective because it creates too much uncertainty and acts as a deterrent. "Focusing on a profile increases the risk that TSA agents will miss those who don’t match it," Schneier writes.

Schneier points out that what people really want when they argue for profiling are TSA agents who can apply judgment in their decisions of who to screen more carefully. And with controversial headlines about TSA agents patting down wheelchair-bound senior citizens (including, last week, former Secretary of State Henry Kissinger) and four-year-old girls, who doesn't think TSA agents may be a little out of touch with reality? (Though TSA agents did just last week discover weapons in a child's stuffed animals and an elderly person's walker.) Unfortunately, Schneier points out it's unlikely TSA agents will be applying good judgment any time soon. "Judgment requires better-educated, more expert, and much-higher-paid screeners," Schneier writes. "And the personal career risks to a TSA agent of being wrong when exercising judgment far outweigh any benefits from being sensible."

As usual, Schneier does a good job arguing against "security theater" and for sensible security practices that strike the right balance between managing risk and allowing people to travel without fear of molestation.