Comment by lxgr
2 years ago
Hotel keycards usually work by having dynamic data written to them at the front desk (as the locks are often not network connected, at least in older systems, so they write things to the card like "works for room 123 until March 30th noon and the gym" or "works for room 456; sequence number 2, invalidate all prior keys").
There are two types of magnetic stripe cards available: High-coercivity (HiCo) and low-coercivity (LoCo). The field-rewritable kind used in hotels is usually LoCo, to make the writers smaller and cheaper. But that also makes the cards much more prone to accidental corruption by magnets you might have on you, like earbuds, magnetic wallets etc.
Bank cards are usually only ever programmed once (these days), i.e. when they're issued, so they're usually HiCo, making them much more robust against that. In addition to that, magnetic stripe usage has been phased out for payment cards in most countries and is getting rare even in the US, so for all you know, and depending on where you live/shop, your magnetic stripes might have already been demagnetized without any adverse effects!
Bonus trivia question: Guess which kind NYC MTA Metrocards are :)
Edit: Oh, I just saw that you asked about contactless keycards! For these I actually have no idea, and I haven't had one fail on me yet.
I just know that they often use a similar scheme ("works for rooms x, y, z, until timestamp n"), sometimes with a bit of cryptography on top (often with a single shared key across all instances of the same lock and even across hotels...) but using non-networked locks, so there can definitely be synchronization/propagation issues too.
I used to work as maintenance on a big chain hotel and we had magstripe card locks, I don’t think strong security is their primary goal as in a hotel the staff can enter any room at any time, the cards me and my team had were “god mode” we could open any door at any time even when locked from inside. If the lock didn’t work “firmware problems, dead batteries, stuck mechanism” we had another device that worked by removing a cover and connecting with a wire, this was also used for testing and FW updates.
When I worked mainteince on a big chain hotel in a major college town, we had a mark 2.0 crowbar if the key card didn't work. The real fun one was the flippy locks that you could kinda pop by slapping the non-working key card in, and slamming the door. The card would flex and spring the lock back. Then you could use the crowbar again. It wasn't too slow, but it was very loud.
They told me couldn't whistle and spin the crowbar nonchalantly before casually popping open doors that had a dead battery in front of the guest waiting to stay in that same hotel.
That reminds me of the old “bump key” vuln in physical locks with tumblers
> we had a mark 2.0 crowbar
What were the improvements over "crowbar classic"?
> the cards me and my team had were “god mode” we could open any door at any time even when locked from inside.
That is just bad management. The whole point of the interior deadbolt lock in a hotel room door is so no one can accidentally walk in on you thinking it is an empty room.
An emergency keycard that can open a hotel room locked from the inside is only supposed to be kept at the front desk for use during an emergency, mostly by police or firefighters so they do not break down the door and cause tens of thousands of dollars of damage. And its presence and use should be constantly accounted for.
Many U.S. hotels changed that after the Mandalay Bay hotel incident in October 2017. A guest can no longer assume that their deadbolted hotel room door will only be opened in an emergency. Routinely, hotel staff (not accompanied by police) may knock and then immediately open a guest's door for what they consider a "welfare check" (e.g., guest has had a Do Not Disturb sign for 2 days). And, yes, guests may be strongly opposed to this for a variety of reasons (in the room but undressed, etc.) but it often is part of a hotel's normal operating practices. One of many references: https://www.reddit.com/r/askhotels/comments/vaxae2/comment/i...
4 replies →
This is surely overstated. I am sure firefighters are trained to do the least amount of damage when forcing a hotel door open. I guess a handheld electric saw could do the trick in less than one minute.
4 replies →
Shouldn't that be other way around? Keycard only holding the simple numeric id, which is burned into silicone chip on it and impossible to modify, and the reader at the door, connected to hotel central system checks what privileges that particular keycard grants?
> the reader at the door, connected to hotel central system
That’s very often not the case, though, especially in retrofitted installations.
Locks are sometimes offline and even battery powered (and I suspect they can even report a dying battery to the front desk by setting the appropriate flag on keycards as they’re being read).
In the days before cheap, low-power radio networks a "central system" would have meant dedicated wiring to each door lock. So it would have been much more expensive to install than a standalone battery powered unit mounted directly on the door.
That doesn't stop someone else from flashing a reprogrammable keycard with the id.
You could force or deny service on a lock that just checked a simple ID.
Wouldn't that only be for poor implementations?
If the reader had a decently secure channel to the central auth piece, then it shouldn't (in theory) matter how simple or complex the id would be. (?)
> Guess which kind NYC MTA Metrocards are :)
None anymore! They're being phased out as we speak. They were supposed to be end of life last year, though they pushed back end of life EoY 2024, because the MTA is never on time, all the time.
And I’ll be swiping until the day they remove the readers if they don’t introduce monthly capping via OMNY!
The Metrocard is actually a quite elegant and resilient/decentralized system, given the technology that was available when it was introduced. OMNY depends on a network connection being (almost) always available.
OMNY has had automatic fare cap for 2 years?
1 reply →
At least with old fashioned keys you can't easily give out a duplicate. I was once in bed, late at night, lights out, when someone let themselves into my room - a rather drunk guy demanding to know what I was doing in his room. The desk clerk had got his room number wrong and given him another card to mine. It all worked out OK, but under other circumstances I could imagine that it might not.