Onity Wins: Hotels That Bought Their Easily-Hacked Door Lock Can't Sue According To Court
https://www.techdirt.com/articles/20140903/14134528408/onity-wins-hotels-that-bought-their-easily-hacked-door-lock-cant-sue-according-to-court.shtml
Onity Wins: Hotels That Bought Their Easily-Hacked Door Lock Can't Sue According To Court
from the locked-in dept
(Mis)Uses of Technology
by Timothy Geigner
Fri, Sep 12th 2014 3:51pm
A couple years back, I wrote about the curious case of Onity, a company that makes door locks for hotel rooms. Thing is, their locks fail to do the one thing they're supposed to do, as shown when one man at a Black Hat security conference used a cheap device to access the lock's dataport and cause it to unlock. The idea was that a lock that is defeated by equipment that costs pocket change isn't so much a lock as it is a decoration. Onity, in the company's infinite wisdom, claimed the long term fix, a new system board, was available to its customers...for a price.
A class action's worth of hotels weren't satisfied with paying twice for the same product just to make it work, so they filed a lawsuit. That filing was recently rejected by a judge using some awfully strange logic.
The courts decision turns on three key facts. First, the plaintiffs didnt allege any actual security breaches; the courts says they are suing only for the costs of preventing future unauthorized access. Second, each lock still works in the sense that it still performs the functions of locking the door upon closing it and unlocking it upon insertion of a properly-coded key card
.the locks do not begin to fail on their own upon installation, nor are they all doomed to fail eventually. Third, the court says any future security breaches could occur only if third parties engaged in criminal conduct to enter Plaintiffs hotel rooms.
Let's deal with these in order. Onity's lock has a gaping security hole that's laughably easy to exploit. For anyone with fifty dollars in their pockets, the lock might as well not be there at all. The very nature of the condition of the product is a breach and, in any case, at least is easily understandable as a product that doesn't perform its basic functions, which is what makes the second claim by the judge so galling. Deciding the lock "works" by the most childish evaluation possible is insane. The lock either performs to industry standards or it doesn't, and this one doesn't. As for the argument that a cheap lockpick can also defeat a hardware lock, there is an important difference here, I think. A hardware lock is limited in terms of a fix by its very nature, whereas Onity is proclaiming that an electronic fix does exist for its electronic lock, it only wants hotels to pay for the pleasure of having their product work properly.