The Hotel Room Hacker

ON A WARM Phoenix night five years ago, Aaron Cashatt walked down the red-carpeted hall of the second floor of a Marriott hotel, trying to move casually despite the adrenaline and methamphetamine surging through his bloodstream. Six feet tall with blond, close-cropped hair, he wore a black sports coat and baseball cap and kept his head down so the hat’s brim hid his face from surveillance cameras.

When he found a quiet stretch of hallway, Cashatt chose a door and knocked. No answer. He pulled out a sunglasses case from his pocket, flipped it open, and removed a small tangle of wires connected to a circuit board and a nine-volt battery. On one end of that loosely assembled gadget was a cord attached to a plug. He looked at the keycard lock on the door in front of him, a metallic box that offered a vertical slot ready to accept a guest’s keycard like a piece of bread into a toaster.

Cashatt didn’t have a keycard. Instead, he reached underneath the lock on the door until his finger found a small, circular port and inserted the plug of his device. Then he held a frayed wire coming off the board to one end of the battery, completing an electric circuit. Instantly, the lock whirred as its bolt retracted, and a green light flashed above the door handle.

For a moment, Cashatt stared in shock, almost disbelief. “It was like the heavens had opened,” he’d say of the moment years later.

Cashatt pushed open the unlocked door, walked into the room, and closed the door behind him. Even in his meth-addled state, he was so taken aback by his success in hacking his way in that he lay down on the room’s king-size bed for perhaps a full minute, his heart racing.

Then he sat upright and started thinking about what he could steal.

Bolted to the dresser was an expensive-looking TV, but he didn’t have the tools to remove it. So on an impulse, he grabbed a pile of towels and pillows. Tucking them under his arm, he quickly walked out the door, down the stairwell, out a side exit to the red Mitsubishi Galant he’d parked outside, and drove away.

That spontaneous laundry heist was, in fact, the modest beginning of an epic crime spree. Over the next year, Cashatt exploited an obscure software bug in one ultra-common model of hotel keycard lock to break into hotel after hotel in what would become an unprecedented, all-he-could-eat buffet of serial digital thievery. He’d escalate from stealing TVs to targeting guests’ luggage and walking out with all the possessions he could find. His intrusions would stretch from Arizona to Ohio to Tennessee as he worked to stay ahead of law enforcement. And he’d amass, by some estimates, close to half a million dollars’ worth of stolen goods.

Eventually, Cashatt’s lock-hacking spree triggered Operation Hotel Ca$h, a multi-agency police operation aimed at tracking him down. According to one document shared among cops in June 2013, officials estimated that Cashatt was responsible for 78 hotel burglaries. (Cashatt himself would later hint to me that the number was actually well more than a hundred.)

But flash back to the late summer of 2012, when Cashatt’s hotel break-ins were just getting started, and the cops were mystified. Hotels around central Arizona were reporting robberies, one after another. But there were none of the usual signs of forced entry, like broken windows or smashed doorjambs. At first the hotels suspected their own staff. But what kind of maid steals flatscreen televisions from multiple rooms? Or entire suitcases full of guests’ possessions?

“Everything’s gone. No prints. No forced entry,” recalls Tyler Watkins, a detective for the Tempe, Arizona, police department who tracked those first cases. “It was like a ghost had slipped in and slipped out.”

UNLIKE ARIZONA’S COPS, anyone paying attention to the cybersecurity world that summer would have known the answer to the mystery of the hotel ghost thief. Just weeks earlier, a 24-year-old security researcher named Cody Brocious had discovered and published information about a security vulnerability he’d found in keycard locks sold by the lock firm Onity. Brocious promised that the bug could unlock 10 million hotel rooms around the United States and the world.

The flaw was obscure but simple: Each of the Onity locks had a port on its underside into which hotel staff could insert a device the company called a portable programmer. The device could read which keys had recently opened which doors or set which doors could be opened with which master keys. And since portable programmers also functioned as master keys themselves, they were carefully guarded by hotel owners.

Brocious, a round, long-haired, and patchily bearded hacker prodigy, had been hired by a small startup to reverse engineer the Onity locks and create a competing system. The company never got off the ground. But Brocious found something unexpected. The unique cryptographic key that triggered the “unlock” command on any particular Onity lock was stored not on the hotel’s portable programmer but in the lock itself—the equivalent of millions of keys hidden under millions of welcome mats in hotels around the globe.

With just $50 in hardware, including an Arduino board, some resistors, a battery, and a DC power plug, Brocious could build his own portable programmer, insert it into the port of an Onity lock, automatically retrieve the digital key from its internal memory, and trigger the door to unlock, all in a fraction of a second. “I plug it in, power it up, and the lock opens,” Brocious told me with wide-eyed enthusiasm when we first spoke that summer. To prove his claims, Brocious came to the Forbes magazine office, where I worked at the time, and showed me an Onity lock he’d bought from eBay. He inserted the plug of his homemade device, its wires squeezed inside a black plastic box, into the port on the bottom of his test lock. It whirred and a green light flashed as the lock’s bolt obediently retracted.

A couple of weeks later, Brocious and I spent a day touring New York City to test his findings in the wild. We tried his Onity-cracking gadget in three hotels, ranging from midtown’s glamorous Waldorf Astoria to the less glamorous Holiday Inn in Gowanus, Brooklyn. (To avoid any actual felonies, Forbes paid for the rooms.) The technique worked on only one of the three targets, opening a door high in the atrium of the Marriott Marquis in Times Square. Brocious’ technique still needed some fine-tuning. But one out of three was enough: I published a story, revealing his discovery for the first time and warning of a potentially serious security flaw in one of the world’s most common locks.

Brocious wasn’t done yet, though. A week later, he presented his findings at the Black Hat hacker conference in Las Vegas, speaking to a packed room at Caesars Palace. And he went one step further, publishing the code for his Arduino unlocking device on his website so that anyone could build a hotel hacking machine.

The hacker community has a long tradition of presentations like Brocious’ at hacker conferences like Black Hat and Defcon. Despite the dangers of publicly revealing security flaws that could potentially lead to criminal hacking, espionage, or other consequences, the logic goes that informing the public is paramount: better for noble hackers to shine the light of publicity on dangerous security problems and force corporations to fix their critical software bugs than allow truly malicious hackers to exploit them in the darkness.