I am sure all of you have been eagerly following Onity’s Door Lock scandal, and even more eagerly waiting for a coherent, unified response from the maker of electronic access security systems. For those just joining us, in July, a grey hat hacker figured out how to pop open the electronic guest room door locks with an easy-to-make circuit board, which eventually was whittled down to this simple EXPO wipeboard pen, pictured below. Yes, that pen opens guests’ doors. My post originated from the Ars Technica article about Onity being slow to fix this, which got me thinking about our relationship with Onity, and our future with them in light of how they have handled this PR debacle. A special thanks to Andy Greenberg with Forbes for following this so excellently.

Onity seems to think their security problem isn’t so much “theirs” as it is “ours”.

There’s a saying in the hotel business: “We’re not pioneers, because pioneers were shot in the back with arrows”. We’re not a money business, nor a tech business, which means we are always about 10 years behind on tech trends. We got destroyed during the SEO boom, and we bungled our wireless installs, etc…. and the pace of tech moves so fast, it’s such that we can’t keep up with them, nor afford the infrastructural changes and associated costs. Walk into most hotels open for 20 years, and you will see bona-fide PBX switchboards, *SOME STILL IN OPERATION*. I promise you this isn’t nostalgia. It’s why we “allowed” hospitals and dormitories to pioneer those spendy capital projects, so *they* could fail, learn, and fix it prior to our adoption of their efforts. We simply took those lessons they learned (with tremendous associated capital costs), and copied them. The savings of *not* pioneering untested infrastructure is astronomical for our business.

 

Riding on those coattails isn’t always practical anymore, and it means we put ourselves in a precarious place for our guests – like not cultivating the guest experience with up-to-date and expected amenities (such as bandwidth), while trying not to drive our capital and operating budgets into the ground. It’s difficult, in the current moment, to try and keep up with flash-in-the-pan tech trends vs those eventual necessary infrastructural needs for our future. Is an iPad a gimmick as an in-room amenity? How about wiring for wireless TVs? What we thought the future of 20 years ago would be, is very different from the future of today. Hotels are not tech people, but that is changing, and we’re getting smarter.

 

Smarter such that we are all very curious about the presumption Onity has that we should be paying for *ANY* of this hack fixing retrofit. I had wondered why there was no class action suit against Onity, especially in light of their unclear, slapdash, and hesitant approach in resolving this issue, significant to their clients (if not themselves). If the flags and brands push back a bit more, Onity won’t have a choice but to pony up for the problem that is 100% of their making, or face legal drama.

 

Fire *&* Security? I wonder if they tell the people that catch on fire to put themselves out?

 

Not being tech people, we choose to partner with vendors that are smart enough to hold our hand, and protect us from our own ignorance – a real partner helps us answer the questions we don’t know to ask. The idea that we should know about a potential security flaw prior to purchasing their product, or that we would have to be accountable to that same flaw, is absurd. That’s like GM saying someone can break into your car really easily, but you have to fix it. That’s not how it works…. it’s called a “RECALL”, and in the consumer world of corporate accountability, it happens almost daily, from autos to kids products. How is Onity exempt from this?

 

Hotels shouldn’t be paying a cent for this fix, and whether it hobbles Onity as a business is irrelevant to me – the free market is such that a business should be accountable, learn lessons, and take ownership, from their “in-the-trenches” operational experience. It’s almost as if they hoped to ignore this, as if some random hacker didn’t warrant immediately addressing the press, or hotels’, concerns. The hack is disappointing, but it is in fact Onity’s back end response that has jeopardized the future of their sales, and business relationships.

Onity has really bungled this, and their whole approach is sort of absurd. You *cannot* (or should not) push the costs of a faulty product to the buyer. It’s absurd. The plastic plug is a silly fix… as if “hacking an electronic door” is a crime of opportunity? I do think it’s an overblown concern – the greyhat hacker simply exposes flaws for the glory within his community, giving companies a chance to fix the issue. He isn’t malicious. I am not sure how many black hat hackers would waste their time making this device, finding a hotel that actually has Onity locks, and then perusing hotel corridors aimlessly, with no plan, for no real reason. Black hatters are far too busy doing real cracking and real theft of big sums to waste their time on inefficient, low yield treasure hunts. So who actually would do this? And whoever would do it – why? There are better ways to rob people, without the risk of getting caught. Using this pen door lock hack is fairly risky…. so I think it’s a lot of “noise” for what will end up being a very few break-ins (if any?) down the road. What’s more – these patches and fixes will get distributed, eventually, and this pen trick will be obsolete; on to the next hack.

 

“It’s fun to use learning for evil” – Greyhat humor, while hoteliers vibrate with nervousness….

So it isn’t so much about the actual existence of a hack – these are complex, and surreal, modern times. The things we are seeing in our lifetime seem to constantly keep us on our toes, so a hacked door lock shouldn’t be surprising so much as expected. The issue is how the company that you entrusted guest security reacts, and whether that company is accountable to the fact they are “security experts” – had they planned for this? Do they realize the commentary it makes on their skill as security experts? (It’s more than a PR flap, guys.) Hotels are *not* experts at security options for door locking mechanisms, so we establish relationships with those that are, who can be accountable to that security on our behalf, as part of our ongoing business relationship. If the company that you trust with your guest security isn’t capable of being transparent and accountable to their mistakes, can’t communicate to their clients properly, or if they choose not to learn their lessons, and pass on serious associated costs to their clients – the free market allows me to establish stronger, more self-aware relationships, with security firms like Vingcard or Saflok.

 

I have purchased countless Onity locks for properties, and recommended them, where they were eventually installed (I helped get them installed even more times than I have installed them). My recommendation to use these locks, professionally, stakes my name to them – and if I am going to stake my professionalism on a company, I need to trust how they handle inevitable problems. If I can’t trust them to act nobly and professionally on account of their issue, there’s no way I will be able to continue to use or recommend Onity / Tesa locks. It’s too bad, as there are always more doors; doors I need to be sure my guests are safe behind.

 

I would hate to think that Onity’s botched public relations in response to this lock hack issue is the real issue that would actually endanger our business relationship. Their obviously panicked, and confused, response could destabilize our long-time relationship to the point of ending it. But it’s simply whether they are more interested in their current business and bottom line, or the bottom line that they may or may not have in the future. It’s about relationships, guys – don’t forget it, and you’re not handling your relationships very well. Why is every single aspect of this handled via the press? Why hasn’t there been any direct communication? Fix this with your hotels – YOUR CLIENTS AND PARTNERS – or the impact of this somewhat tiny battle will forever be pointed to as when you started to lose the war.

Hotel locks to be replaced after hack leads to thefts

UPDATE: Since this was written, Venturebeat and Forbes have alerted us to actual thefts, and it seems, although completely unclear, that Onity is replacing locks purchased post-2005 – but the amount varies, it’s opaque, confusing, and isn’t instilling any confidence in hotels that I have spoken to. I am sure there will be more to come, but the post stands….. Onity needs to fix this much better than they think they have.

About Michael
