Is thelocal.at a reliable source? Seems like the only article talking about the incident in German is from the German version of Russia Today [0]. It doesn't make sense that an Austrian hotel chose this media to communicate.
For me it's:
A - It's the hacker that contacted RT with the story
B - It's part of a fearmongering campaign to ransom hotels
C - It's fake news written by an intern
The German in the article is fairly ambiguous. Interestingly it could even be interpreted as simply that arriving hotel guests could not get into their rooms because new keys could not be programmed. In that case guests who already had keys would be fine. The bigger problem seems to have been that all their IT systems including reservations were down.
I was wondering about that. In the US a system that could prevent guests from leaving during a fire or medical emergency would never be allowed, and I can't imagine Germany is much different.
In general you'd also want the possibility of gaining entrance quickly, even if the latter might require use of a fire axe or something (typically emergency keys, though).
Both for evacuation in case of fire (a guest might be unconscious in a room) or in the case of a medical emergency (a guest might call down and complain about chest pain, and pass out before opening the door).
Piling on to the misreported news, are the door locks themselves actually network devices? I was under the impression that the door locks were static devices and the key cards were reprogrammed to say "let me into this room".
Can a malicious agent actually prevent previously working key cards from working (during the guest's stay - I know there is a time limit encoded on the key cards) or just prevent new cards from being programmed?
I don't think this can be the case - what if you lose a key card/have it taken from you: In order to deactivate it you'd need to somehow tell the lock that that card is not valid anymore.
I have had that happen to me, and at least in that instance nobody had to come and reprogram the lock.
NO. "thelocal.at" is not a reliable source. Moreover, the same folks run a bunch of identical "thelocal" sites with a variety of country-specific TLDs and they're all over the top, agenda pushing, clickbait.
"We were hacked, but nobody was locked in or out," the hotel's Managing Director Christopher Brandstaetter told Bleeping Computer. "For one day we were not able to make new keycards."
The solution to all of this requires only 2 words: criminal negligence.
Prosecute a CEO or 2 from tech companies for criminal negligence, and you will see companies actually investing in actual security. Put some business school graduates in a jail cell on criminal charges for their hiring and corporate practices, which would be criminal negligence if they were building bridges or doing any sort of work in any other industry.
Hiring the cheapest, least experienced engineers you can find, not even mentioning the word security on your job listing requirements for software or hardware design engineers, depriving the engineers of the time, tools, and environment they need to do competent work, putting business concerns ahead of engineering concerns when determining product development schedules, etc. are things that executives should be judged in a court of law for. They are criminal acts that put not just money in jeopardy but frequently lives.
Gucifer more or less said this at DefCon this summer, blame the IT companies, and I'm definitely in agreement.
I don't think anyone should go to jail, like pretty much ever (let me pay a fine or kill me rather than lock me up), but I don't see a reason why whoever set this up, for example, shouldn't be held liable in the same way a doctor is liable with malpractice insurance to cover it.
It seems it'd fit the US laws very well, tech companies would buy insurance policies that'd pay out when their shit software or infrastructure is hacked.
Huge companies like Google or Apple could self insure.
That'd also give some incentive to the MBAs to take security seriously, as proving they take the extra steps would lower their premiums.
Fines and insurance would provide compensation for the victims, but would provide less pressure to fix the problematic practices at their roots, compared with otakucode's plan. Tech profits are high enough to swallow premiums for that sort of insurance without provoking substantial changes in business practices.
No way, this is not the answer. Should the CEO of a bank be prosecuted every time one of their branches is robbed because they didn't hire enough security guards?
It's not about security guards. It's about risk assessment. It's very much like the PCI-DSS for online bankcard usage, at least that forces people to think a bit about it.
Document your thinking, sign off on it and upload it to some authority. It should be that easy, and when something bad happens take that document and let's review.
And if there is a self-assessment questionnaire and you went through the checkboxes and signed off on it and uploaded it, but you actually did jack shit nothing at all, then you're liable.
It's not a hard ethical quagmire, it's best practices, it's 80-20, and we're currently at somewhere like 5-95.
We don't hold car companies accountable when their locks are not thief proof or window companies when someone breaks your window.
Usually, this isn't a problem because we deal with this through law enforcement, but law enforcement is very difficult and expensive on the internet, particularly now that you can accept payment in bitcoin.
The reason we have insecure systems is because we deal with systems that require constant vigilance to make sure we do not make mistakes in the face of adversaries. This doesn't scale for users and this doesn't scale for developers either.
There are certainly people who take security more and less seriously, and this would definitely move the needle on that, but I am not really sure it would move the needle on actual security, since actual security is hard.
Say goodbye to startups if criminal negligence becomes a thing.
We need to hold car companies liable when they make trivially breakable key systems and ignition systems. Then they will make them more reliable.
A guest at that hotel should be able to ask for a refund or sue the hotel for damages (to their time, their trip?), esp. if it was found the hotel didn't take basic steps to secure the card keys (like separating that system from the internet). The hotel should be able to sue the key manufacturer if they didn't keep their system safe.
I stayed in a hotel in Canada recently and their card key system was not on the internet - you had to type in the room number on a keypad. That seems fraught with potential for wrong number or time, but it also keeps that from getting infected from the internet.
I think unfortunately the conclusion reached by the non-Hacker-News world will be "the solution to all of this requires banning Bitcoin".
This explosion of ransoms is getting nastier and nastier. It appears to have no end. Bitcoin's block chain has been stalled at 1mb blocks for a year now, it isn't adding users and their plans to make it scale aren't implemented. At what point do the political winds shift and the cost/benefit ratio of keeping Bitcoin around, at least in the USA, tips over to cost > benefit?
I don't want to see Bitcoin exchanging sent underground in the west, but it's clear that community has no intention of getting ransomware under control.
Which community? The Bitcoin community? Or the blockchain community? They know that the effectiveness of ransomware is a direct consequence of quasi-instant almost-anonymous money transfer on the internet.
And yes, to a degree it's their responsibility too to solve this, but the dominant share of the responsibility is not really on them, it's on the various service providers that don't care about IT security, yet meddle with IT.
Sure. Of course it goes without saying that the programmers who actually make the coding mistakes through insufficient attention to security best practices should be fully prosecuted as well. That will get their attention. Pour encourager les autres and all that.
I don't want to prosecute programmers. But how can we incentivize the companies to do better and make more secure systems? By suing companies that have tech that is hacked, it should make them more careful in their security.
Lawsuits (even fines) against the company, in addition to the inevitable consequences to the business, seem like perfectly reasonable consequences of security carelessness. That's rather different from randomly tossing managers in jail however.
Be careful what you wish for though. In many industries, releasing product requires getting explicit permission from government regulators based on trials/plans/etc. often assembled at considerable effort by licensed engineers and others.
I'll amend that to say "can't be opened without the application of unreasonable force". The possibility of a power outage causing the same scenario also worries me.
A previous employer's office had electronically locked doors (magnetic, I think?). The studio head said that they were designed to 'fail open' (i.e. unlocked) in the case of a power outage. Then the power went out a couple weeks later, and the doors were locked.
Oops.
Our emergency exits were old-fashioned analog doors and still worked, at least.
Electromagnet locks --- which have an electromagnet in them to keep the door closed and are surprisingly strong for their size --- are truly fail-open since loss of power means loss of force keeping the door locked, but those doors might've also had an additional fail-closed type of electric lock that requires a brief pulse of power to open.
I once worked somewhere with magnetic locks and a decent shove easily opened the door. We did this for smoke breaks as our magstripe cards noted every time we left the control room.
Prisons should have backup power supplies, not electronic locks which fail closed. If there's a fire or flood, better that prisoners are released than trapped in their cells to burn or drown; they were sentenced to imprisonment, not to death.
> Any lock that can't be opened from the inside should be illegal as a fire hazard.
I'm just pointing out the flaw in that statement taken literally.
In theory, in the event of a failure, the guards should still be able to open the cells to release people. I wasn't advocating for fail-impossible-to-open-doors.
Strangely, just two days after I wrote this, my house mate went out and locked me in the house. I had to climb out the window and unlock the door from the outside.
I have a key, but I did not know the one deadlock has a different key for the inside and outside.
Where I come from, not being able to exit your hotel room is a very serious safety breach and this hotel would be looking at very significant fines, and probably ordered closed immediately until they fix this "feature".
While this may be fine for high-security bank vaults, it is completely unacceptable for hotel room doors to operate in a fail-secure mode without a backup non-electrical unlocking mechanism as is the case here.
I am highly skeptical people were "locked" in their rooms. I'm guessing it was mostly hyperventilating tourists breathlessly telling the reporter how they were "locked in" their rooms since they couldn't leave and get back in. More like "Bob and I were locked in our room overnight! We couldn't even go downstairs for a nightcap!" vs. "Bob and I were pounding on the door trying to get out for hours!".
Locked in on their own volition, essentially. I've traveled a little bit, and I've yet to stay in a hotel that you needed anything electronic to exit.
It seems to me that the hotel should take at least part of the blame here.
According to the article this was not the first attempt to breach their security, yet they didn't put sane security practices in place, such as separating door lock controls from their internet connected network or not having door locks that can lock guests in in the first place, which, as pointed out in other comments, is likely not compliant with regulations.
> The manager said it was cheaper and faster for the hotel to just pay the Bitcoin.
Cheaper for him, but the cost will be borne by society as he has now encouraged the practice.
I understand that my comment can be seen as victim-blaming, but it seems to me that part of the service sold by a hotel is the security they provide to their guests.
Hackers would need to start branding themselves in some authenticatable way so that you can know that the people who are extorting you are thieves of honour!
We'll start seeing this becoming more common, until the best-practices suggest that IoT/embedded frameworks have to be on a network completely separate from the common/public internet.
(This will not just mean a network to VPN into, but physically separate, with no device-intermingling.)
Electronic locks have been around for a long time, and the earlier systems were not Internet connected because it would've been additional cost at essentially no advantage. Now it seems like hardware/software has become so cheap (and unfortunately more complex, thus more likely to contain non-obvious bugs and misfeatures) that in some ways it's easier to develop products based on Internet standards than isolated proprietary protocols, putting the "does this really need to be connected to the Internet?" question mostly out of mind.
I don't think it's about "best practices" or any sort of dogma, but more of a common-sense evaluation: do you really need your lock systems accessible from anywhere on the planet, which connecting to the Internet enables?
That will never become best practices, simply because there is too much benefit in being able to control IoT/embedded devices through the web. The only realistic solution is to develop technology (and associated practices) that are more secure against hacking. And yes, there will be lots and lots of pain on the way to reaching that goal.
I believe the strategy is usually to demand an amount that is enough to be annoying but not so much that it is prohibitive. Ideally, the target is willing to quickly pay the money to unlock their systems.
> The manager said it was cheaper and faster for the hotel to just pay the Bitcoin.
Yep, you want something the manager of the local enterprise can authorize out of his petty cash - not something he has to call the CEO in on for a decision.
Even better if the guy tries to hide it out of fear of being fired for incompetence - which is the general way these things go.
Seemed low as well, but making it too high would have meant the hotel might have just called a locksmith to break the locks and then decided to replace the system.
Any good parasite knows not to disturb the host system too much.
It's a useful way to, say, speculating wildly, provide an honest signal to someone not convinced of your hacking capabilities that you've actually got the technical skills claimed.
Now ... if only I could think of, say, some geopolitically significant hospitality enterprise, possibly with widespread or global operations, against which such a proven attack might be of interest.
> They only wanted 1,500 EUR? That seems like an awfully low number for something this serious.
Besides the argument of picking a sum that makes it relatively easy for a business to cough up, this is 1500 EUR tax-free. https://en.wikipedia.org/wiki/List_of_European_countries_by_... lists average net monthly income in Austria as 2000 EUR; pull something like this off twice a month and you're doing fine.
It's not "tax free", it's illegal income to which tax is a pretty orthogonal concern. You have to consider a fairly high discount on any non-trivial illegal income, as there are many things you can't do with it without laundering them first (which is very expensive to do at scale).
If you ask for too much you'll have serious law enforcement coming after you. Ask for only a little bit and the focus is more on the fact that the hotel was idiotic for letting this happen than it is on the hackers.
Especially with the standard policy of "we do not negotiate". That policy is really hard to justify when the amount is so small compared to the damage of delaying payment.
They were very smart to make it that low. At that cost, it becomes a simple no-brainer for the hotel, because it's cheaper than even just one booking refund. It also means it's very low priority for law enforcement.
Won't save you if self-driving cars are vulnerable. You'll just get a call that informs you that you need to pay or other self-driving cars on the road will crash into you.
Not quite the same situation, but in my travels abroad, I've encountered a pretty significant number of places that require a key to leave the room/apartment/house. Lose that key, and you are effectively locked inside. I think it is mainly done to prevent break-ins (e.g. you can't just break the window next to it and reach in to unlock the door), but it's always concerned me from a fire safety standpoint.
Anyway, at least in some countries, this is pretty common. Not that it's good. But, common? Yes.
This is like building a hotel in a gangster infested area and expecting to be safe. The internet is not a safe space and if your systems are connected to the internet expect chaos or take the responsibility to secure your systems.
The problem here is this is the kind of constant battle that may not be economically viable for most.
IOT is a dead end without better architecture; these devices cannot be in the open internet and vulnerable to hijacking. Those working on these systems may think otherwise but once businesses are disrupted and have to pay a price they will not use the technology. How many businesses can justify spending more and more resources on security, consultants and fighting off extortionists?
I feel sorry for those who were caught up in this through their stay, but I feel no sympathy for any company that ties their door locks to a vulnerable, non-isolated network.
I have to wonder if they considered breaking down the doors with a fire axe... if they were booked, would replacing the doors outweigh the cost of the ransom?
You realize it would have been a contractor who installed the systems? This is a single, family-run hotel. I suspect the incompetent contractor was unable to properly fix the systems after the first request, and the hotel didn't have the experience to confirm the fix.
A normal person would have some empathy for people locked in/out of their rooms and held ransom. It could be especially dangerous if any of them have medical conditions. I doubt it was a laughing matter for them at the time. The only thing laughable is that hotel's security and setup.
It would take them a while to get to every guest, and it would require them to break the doors. Not exactly a small inconvenience and likely to ruin many vacations.
> Brandstaetter said: "We are planning at the next room refurbishment for old-fashioned door locks with real keys. Just like 111 years ago at the time of our great-grandfathers."
So we go from a poorly secured internet-connected security system to physical keys; any chance they could consider the common-sense air-gapped medium instead as the permanent solution?
> Using Bitcoin for cybercriminal activities is becoming increasingly commonplace, as tracing payments is much harder due to the way the cryptocurrency works
"Cryptocurrency" is a large set of currencies, each of which work differently. Also, Bitcoin is a public log. It's much easier to trace bitcoin than to trace cash.
> "Cryptocurrency" is a large set of currencies, each of which work differently.
That's true, which is why the sentence you quoted said "the way THE cryptocurrency works", not "the way cryptocurrency works". The "the" is a back-reference to the particular cryptocurrency that is being discussed here (Bitcoin). This differentiates it from a general statement about all cryptocurrencies.
"One of Europe's top hotels has admitted they had to pay thousands in Bitcoin ransom to cybercriminals who managed to hack their electronic key system"
"Hotel management said that they have now been hit three times by cybercriminals"
"we had no other choice. Neither police nor insurance help you in this case."
Do they not see the problem here? Perhaps they should have paid the thousands of euros to a security expert to fix their crappy system, rather than paying the hacker to do the same thing again.
At a few thousand Euro each instance, vs., say, EUR50k to EUR500k for a full re-specification and implementation of all hotel security systems, that's a bargain price.
(Of course, they're also a piggy bank every time the hackers need cash.)
(This assumes the hackers aren't, say, hotel management or employees skimming the operation themselves via hack threats, say, for money laundering purposes.)
No, they don't need to rebuild it. Just get the original developer to fix it if it's a problem with the system. Or secure their network. Neither will cost anywhere near 50k.
[0] https://www.google.at/search?hl=de&gl=at&tbm=nws&authuser=0&...