Good News, Looks Like You Don’t Need a Key To Get Into Your Hotel Room Anymore

According to a variety of outlets including Boing Boing and Forbes, as many as 4 million hotel room electronic locks can be opened without a key. Forbes reports that security researcher and Mozilla developer Cody Brocious was able to open many, but not all, of the doors tested using a simple, highly portable piece of technology called an Arduino.

From Forbes:

Brocious’s exploit works by spoofing a portable programming device that hotel staff use to control a facility’s locks and set which master keys open which doors. The portable programmer, which plugs into the DC port under the locks, can also open any door, even providing power through that port to trigger the mechanism of a door lock in which the battery has run out.

The system’s vulnerability arises, Brocious says, from the fact that every lock’s memory is entirely exposed to whatever device attempts to read it through that port. Though each lock has a cryptographic key that’s required to trigger its “open” mechanism, that string of data is also stored in the lock’s memory, like a spare key hidden under the welcome mat. So it can be immediately accessed by Brocious’s own spoofed portable device and used to open the door a fraction of a second later.

Of course, now that you can get into your hotel room using your handy dandy Arduino, so can everyone else, but … nothing wrong with a little company on your road trip, right?