Inside an Epic Hotel Room Hacking Spree

Almost exactly five years after seeing the first demonstration of Cody Brocious’ Onity hacking tool, I meet Aaron Cashatt face to face in the fluorescent-lit, cafeteria-style visiting room of the Cibola Unit of the Yuma State Prison Complex. Under his orange jumpsuit he’s bulked up from prison-yard weightlifting and seems clear-eyed and sharp. Despite the prevalence of drugs inside the Arizona corrections system, he says he’s gone clean since he started his third prison term, and even quit smoking.

A mugshot of Cashatt distributed by police before his arrest in Stockton, California.A mugshot of Cashatt distributed by police before his arrest in Stockton, California.scottsdale police department

Cashatt pleaded guilty to three hotel burglaries, the few for which prosecutors had the most airtight evidence. He’s serving a nine-year sentence, but hopes to be out in seven and a half. When he’s released, he swears that he’s done with hotel intrusions. He feels, he says, a complicated mix of regret for his thievery, shame for the trauma he caused his victims, and pride for the epic cleverness of his heists. (“No one took the Onity thing as far as I did,” he muses at one point in our visit.) He hopes someday to find a job in the security industry, or perhaps even market his own invention, which he hopes to patent for preventing check fraud. “Maybe I can work for Kevin Mitnick or Frank Abagnale,” he suggests, naming the world’s most famous reformed hacker and con artist.

But Cashatt also says he wants to warn the world that the Onity vulnerability Cody Brocious found and that he exploited is still out there. “I guarantee you that if you tried this at some hotel in the Midwest, it would still work 19 out of 20 times,” he says. For that, he blames Onity’s negligence. “They just don’t get it.”

When WIRED asked Onity about whether its lock vulnerability persists, the company responded in a statement that “mechanical solutions have been shipped to all known affected customers, enabling them to implement the security upgrade.” But it didn’t specify how many of those “mechanical solutions” consisted of the actual replacement boards that fix the security issue or the cheap plastic plugs that Cashatt easily defeated.

In December of 2012, four months after its security flaw was first revealed, Onity did make deals with some major hotel chains, including Marriott, Hyatt, and InterContinental Hotel Group, to cover all or part of the cost of fully replacing their vulnerable locks, according to leaked memos I obtained at the time. And aside from a handful of robberies in Texas, no other intrusions that exploited the Onity attack have been publicly reported.

Todd Seiders, director of risk management at hotel insurance firm Petra Risk Management, says that after the first year of the Onity debacle he didn’t hear about any other incidents. Contrary to Cashatt’s claims, Seiders says he thinks the problem is more or less fixed—after all, Cashatt has been in prison for years and wouldn’t really know, Seiders points out. “We really kept the pressure on them, and they finally relented,” Seiders says of Onity’s decision to pay for its customers’ lock replacements. “Since then, it’s gone off the radar.” But Seiders concedes that some number of small, family-run hotel franchises may still not have learned about the Onity vulnerability and could be using older, flawed locks even today.

The $50 lock-hacking setup the author built and tested in a series of New York hotels to determine if the Onity lock vulnerability still persists.The $50 lock-hacking setup the author built and tested in a series of New York hotels to determine if the Onity lock vulnerability still persists.Andy Greenberg

So I decided to test the present-day security of Onity’s locks myself. With a shopping bag full of RadioShack parts and the same publicly available code and instructions that Cashatt found on Cody Brocious’ website, I built my own Onity hacking tool. Brocious’ instructions were clear enough even for a technical poseur like me, and the device took just a few hours to assemble and troubleshoot with the help of some engineer friends. My lock-hacking gadget had none of the slick design features of Cashatt’s, just a tangle of boards, wires, and an external phone battery I switched on to power it. But when I plugged it into the used Onity lock I bought on eBay, the lock immediately whirred and its green light flashed, just as it had at Cashatt’s first Marriott.

I began retracing my steps from years earlier. First I visited the Waldorf Astoria, paying for a room to try my lock hacking tool in the wild. No luck: The locks there must have been replaced since the Onity scandal, it seems. I went across the East River to the Gowanus Holiday Inn. Again, I booked a room, inserted my device into its lock, and was met with anticlimactic silence. Finally, I crossed the city in the other direction to return to the Marriott Marquis in Times Square, the only hotel where Cody Brocious’ original, unrefined device had worked in 2012. The third lock I tried again remained entirely, crushingly unresponsive. In my first day as a hotel hacker, I’d struck out.

Having already invested close to $800 of WIRED’s money in booking and then failing to hack into hotel rooms, my editor agreed to throw good money after bad and let me try one more. I chose a franchise of a low-end but common chain that I’ll leave unnamed, deep in an industrial stretch of an outer borough neighborhood. When I checked in, the front desk gave me a key to a room on the basement floor, at the end of a twisting, sunless hallway.

As I arrived at that final door, I took a breath, then inserted the plug of my janky Onity hacking tool into the port underneath the silver lock, bracing for another failure. Instead, it emitted a whir and flashed a miraculous green light.

Read More HERE

Leave a Reply