Physical security and cryptography can learn from each other, part 11367:
-
@JeffGrigg @canacar @mattblaze
But how else will I remember what room I am in at midnight after a few drinks?
Everything looks the same.
@print @JeffGrigg @canacar @mattblaze I've seen worse than not remembering which room you were in. On a trip to southern France, I had to get up early on my final day to get to the airport. I took a cab. As I was about to get in some shirtless British guy, obviously up all night, was asking for help - he couldn't remember where his hotel was (and probably not its name either), and was quite rude when the driver couldn't help. I mentioned a map at the train station (if only to get rid of him)
-
@mattblaze I am in a hotel now (in Japan, for context).
I observed that you could access any floor when my backpack pressed several floor buttons on our first ride.
When I later attempted to access the laundry room floor but could not, but could access my floor, thought that perhaps the first observation was an anomaly associated with the fact that the only other elevator was being attended by an elevator repairman at the time of the multiple floor incident.
It turns out that I had my Suica card in my hand, not my hotel card, had selected my floor based on the swipe of another guest in the elevator, but was unable to select the laundry floor after a time out.
I discovered this when I couldn't open my room with the Suica.
The flaw in this hotel is that one swipe enables multiple floors, defeating the security access aspect while providing the anonymity. A guest can swipe, and an intruder can then access a floor that they have previously observed a target accessing, and then, presumably, having determined the room number via other (social engineering) means, door knock with "hotel engineering".
@BernardSheppard @mattblaze In a hotel I stayed in a few years back, someone discovered an interesting hack: while you could only select a floor after swiping your card (IIRC and only your own), after someone had selected a floor you could select any additional floor by pushing the button of the already selected floor and the new floor at the same time, thanks to the physical wiring of the card-reader add-on.
Not sure whether you'd count that wiring as "software bug" or "physical security issue"
-
Physical security and cryptography can learn from each other, part 11367:
Hotels wisely don't put the room number on guest keycards so if someone finds your card, they'd have to exhaustively search the hotel to find the room it opens.
Some hotels now have elevators programmed to only let you call the floor for which your keycard is coded, preventing guests from wandering to other floors.
But it also means the elevator can be used as an efficient oracle to determine the floor of a found key.
@mattblaze
Key self-destructs after 3 failed rooms.
Say there are 30 rooms on your floor, chance of a successful breakin: 10% -
Physical security and cryptography can learn from each other, part 11367:
Hotels wisely don't put the room number on guest keycards so if someone finds your card, they'd have to exhaustively search the hotel to find the room it opens.
Some hotels now have elevators programmed to only let you call the floor for which your keycard is coded, preventing guests from wandering to other floors.
But it also means the elevator can be used as an efficient oracle to determine the floor of a found key.
@mattblaze while a valid concern, it worries me that a "perfect security" in this situation would come to breach the privacy. Theoretically, you could use biometric data, which would solve the problem; however, now the hotel has to maintain a database with extremely sensitive data or hire third party entity to maintain it for them. Either way, it would be a very attractive target for hackers. I think one has to accept that there are always risks with everything, but some risks have much higher stakes (stolen biometric data > stolen possessions).
-
@print @JeffGrigg @canacar @mattblaze I've seen worse than not remembering which room you were in. On a trip to southern France, I had to get up early on my final day to get to the airport. I took a cab. As I was about to get in some shirtless British guy, obviously up all night, was asking for help - he couldn't remember where his hotel was (and probably not its name either), and was quite rude when the driver couldn't help. I mentioned a map at the train station (if only to get rid of him)
Once In winter, we went wine tasting staying in cabins.
Followed by dinner and had a beer tasting paddle. I don't normally drink much.
The boys went for a walk, in the dark found a oval, then the pool. Of course we jumped in.
Cold and Dripping wet, ran back to the cabins. In the door, into the shower to turn it on to warm up. Went to go through the sliding door to the bedroom. It was stuck. Tried to get arm in to get it unstuck. Looked behind me to the kitchen table.
(Cont) -
Physical security and cryptography can learn from each other, part 11367:
Hotels wisely don't put the room number on guest keycards so if someone finds your card, they'd have to exhaustively search the hotel to find the room it opens.
Some hotels now have elevators programmed to only let you call the floor for which your keycard is coded, preventing guests from wandering to other floors.
But it also means the elevator can be used as an efficient oracle to determine the floor of a found key.
@mattblaze
I always had a room number on my room keys in hotels. To these days, when the keys are contactless cards, the room number is often written on the card paper envelope. -
@mattblaze I enjoy the idea, but are you sure they don't print the room number for security reasons? I was under the impression it was because they reprogrammed them when they gave them to you
@mfdeakin @mattblaze
they do program them before they hand them to you, but the reason for that is security. They could just program a specific key for every room and put the room numbers on them, but that is considered bad practice. -
@mattblaze I suspect there is a square-root law here, where optimum balance between the "wandering guest" threat and the "found keycard" threat is achieved by allowing elevator access to the square root of the total number of floors (your own, plus some randomly selected floors)
@mvaneerde @mattblaze
The maximal security approach is for the key card to only given access to a random floor (excluding the floor the room is on). -
In other words, restricting the elevator in this way is a bad tradeoff. It makes it harder for guests to visit their friends on other floors, but it reduces the complexity for an outsider burglar from O(|rooms|) to O(|floors|) + O(|rooms-per-floor), a much more feasible search space.
@mattblaze I've also seen some hotel elevators where you swipe your keycard and it selects the correct floor for you, removing the O(floors) component.
-
@mattblaze I've also seen some hotel elevators where you swipe your keycard and it selects the correct floor for you, removing the O(floors) component.
@th @mattblaze yeah i encountered that recently in germany and was just like ????????????? why
-
Physical security and cryptography can learn from each other, part 11367:
Hotels wisely don't put the room number on guest keycards so if someone finds your card, they'd have to exhaustively search the hotel to find the room it opens.
Some hotels now have elevators programmed to only let you call the floor for which your keycard is coded, preventing guests from wandering to other floors.
But it also means the elevator can be used as an efficient oracle to determine the floor of a found key.
@mattblaze OK but: I forget my room number sometimes, they do not always ask to see the ID before they give me my room number. They mostly ask for my first name only.
I once left the key card in my room, mixed up the digits and got a replacement card for the wrong room
-
@mattblaze I suspect there is a square-root law here, where optimum balance between the "wandering guest" threat and the "found keycard" threat is achieved by allowing elevator access to the square root of the total number of floors (your own, plus some randomly selected floors)
@mvaneerde @mattblaze not counting the reception floor, the wellness floor, the restaurant floor, and the garage floor, of course
-
@th @mattblaze yeah i encountered that recently in germany and was just like ????????????? why
@ariadne @th @mattblaze What if you wanted to have a drink at the rooftop bar before going to your room?
-
@ariadne @th @mattblaze What if you wanted to have a drink at the rooftop bar before going to your room?
@rhelune @th @mattblaze exactly
-
Practical advice: Put your hotel room key in a different pocket than the holder. (The paper holder has your room number on it.)
@JeffGrigg @print @canacar @mattblaze Take a photo of the paper sleeve, leave it in the room. I always know which room is mine by the "do not disturb" hanger, additionally, the thief is less likely to try such a room.
-
@ariadne @th @mattblaze What if you wanted to have a drink at the rooftop bar before going to your room?
@rhelune
Oh, no hotel will restrict access to a bar. They're always free floors.
@ariadne @th @mattblaze -
@rhelune
Oh, no hotel will restrict access to a bar. They're always free floors.
@ariadne @th @mattblaze@hypostase @ariadne @th @mattblaze Yes but you do not want to be taken to the wrong floor just because you swiped your keycard. If the lift acted that way, I would suspect a prank (or worse): https://youtu.be/1Un_oHaf798
-
@hypostase @ariadne @th @mattblaze Yes but you do not want to be taken to the wrong floor just because you swiped your keycard. If the lift acted that way, I would suspect a prank (or worse): https://youtu.be/1Un_oHaf798
@rhelune
I was almost expecting the Scotsmen.
@ariadne @th @mattblaze -
Physical security and cryptography can learn from each other, part 11367:
Hotels wisely don't put the room number on guest keycards so if someone finds your card, they'd have to exhaustively search the hotel to find the room it opens.
Some hotels now have elevators programmed to only let you call the floor for which your keycard is coded, preventing guests from wandering to other floors.
But it also means the elevator can be used as an efficient oracle to determine the floor of a found key.
@mattblaze what if typing a wrong floor bring the elevator to the security reception that thank you for bringing a lot keycard ?
-
Physical security and cryptography can learn from each other, part 11367:
Hotels wisely don't put the room number on guest keycards so if someone finds your card, they'd have to exhaustively search the hotel to find the room it opens.
Some hotels now have elevators programmed to only let you call the floor for which your keycard is coded, preventing guests from wandering to other floors.
But it also means the elevator can be used as an efficient oracle to determine the floor of a found key.
@mattblaze a moot point as anytime I have misplaced a room key I have gotten a new card at the front desk with very little effort.
