This summer, at the Black Hat security conference, a security researcher presented details of a troubling security flaw: An electronic lock system, used in more than 4 million hotel rooms around the world, is vulnerable. The researcher, Cody Brocious, revealed that with less than $50 in electronic parts, a device can be built that will open one of the vulnerable locks in seconds. Just a few months after Brocious revealed the flaw, hotels in Texas reported a string of burglaries from rooms, all protected by vulnerable locks.
Brocious, the security researcher, apparently discovered the vulnerability while working for a now-defunct startup that he co-founded. That startup licensed the vulnerability to an organization called the Lockmasters Security Institute (LSI) for $20,000 at some point in 2011. In July, long after Brocious’ startup had gone under, he gave a presentation describing the vulnerability in depth at the Black Hat security conference, and published code online to open locks using the flaw.
Shortly after he presented at Black Hat, Brocious acknowledged that he didn’t know what LSI was doing with the information about the hotel lock vulnerability. However, in a recent post to his blog, he stated that the vulnerability was sold to LSI for “law enforcement purposes.”