by abathur 1017 days ago
Take w/ requisite salt, but per Daily Mail [1]:

> Thousands of guests at MGM Resorts in the Las Vegas strip have been locked out of their hotel rooms after the company was hit with a cyber attack, according to reports.

> MGM Resorts International has about 48,000 rooms on The Strip. The company's properties include Mandalay Bay, the Bellagio, Luxor and MGM Grand, among others.

> The outage, first detected on Sunday night, has affected company emails, reservations, booking, room keys and casino slot machines.

[1]: https://www.dailymail.co.uk/news/article-12505921/MGM-Resort...

5 comments

How do those hotel door locks work? When I had an apartment with a tap keyfob, it was battery-operated and the fob seemed to be programmed for that specific lock, so I thought they could work offline.
These days the locks are online so that you can block a lost keycard from the front desk. Previously you had to open the lock with a newer keycard than the lost one to make the lost one inoperable. That works kinda fine in a small hotel but not when you have 48000 rooms with millionaires in them.
Fwiw you could probably build this in a way that it continues to operate without internet. This creates a new attack vector (disable the internet and you can't revoke access) but that's probably acceptable given the physical attacks possible.
Each key gets a revision number. When the first set of keys are created, they get revision number 0. The lock records a high water mark of the revision numbers it has seen. Only keys matching the water mark get to unlock the door.

When you want to revoke a key, you re-issue a new set with a higher revision number. When the guest checks out, you issue the next revision number to the next guest, effectively disabling the previous set.

You do all this as a fallback when the network fails. This way, you can still disable keys in real-time when people check out of their room.

Does this use something like asymmetric keys so door can verify a key came from the issuing system or is there still some online/network portion?

Assuming it does use asymmetric keys to prevent someone from creating counterfeit access cards, there would still be a window (if the network is unavailable) where the old key would continue to work until a new key is scanned the first time on the door lock?

I think this is similar to how most hotel locks work.
Currently at a reasonably-priced hotel in the boonies. Extended my stay the other day and they had to re-issue the keys. The keys must be aware of the reservation period, and the locks must be aware of the current wall-clock time. Finding a way to tamper with the RTC in the lock could blow up the whole system. Or, you know, a crowbar.
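
The revision-number scheme sketched in this subthread, with the authentication and expiry points raised in the replies, modelled as an added example (not code from any commenter or lock vendor). It assumes a hypothetical card layout (room, revision, expiry) and uses an HMAC under a per-lock secret as a stand-in for the asymmetric signature one reply asks about; all names and values are constructed.

```python
import hashlib
import hmac
import struct

class OfflineLock:
    """Door lock that validates keycards with no network link (illustrative model)."""

    def __init__(self, room: int, lock_key: bytes):
        self.room = room
        self._key = lock_key   # hypothetical per-lock secret shared with the issuer
        self.high_water = 0    # highest revision number this lock has accepted

    def present(self, card: bytes, now: int) -> str:
        if len(card) != 16 + 32:
            return "reject: malformed"
        body, tag = card[:16], card[16:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Authenticate before trusting any field, so a forged revision
        # number can never move the high-water mark.
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        room, revision, not_after = struct.unpack(">IIQ", body)
        if room != self.room:
            return "reject: wrong room"
        if now > not_after:    # relies on the lock's own clock being correct
            return "reject: expired"
        if revision < self.high_water:
            return "reject: revoked"
        self.high_water = revision   # a newer card revokes all older ones
        return "open"

def issue_card(lock_key: bytes, room: int, revision: int, not_after: int) -> bytes:
    body = struct.pack(">IIQ", room, revision, not_after)
    return body + hmac.new(lock_key, body, hashlib.sha256).digest()

def demo():
    key = b"constructed-demo-key-room-1204"     # constructed sample secret
    lock = OfflineLock(1204, key)
    old = issue_card(key, 1204, 0, 1_000)       # first guest
    new = issue_card(key, 1204, 1, 2_000)       # re-issued set
    forged = old[:7] + b"\x09" + old[8:]        # revision edited, tag not recomputed
    return [
        lock.present(old, now=100),     # open
        lock.present(forged, now=100),  # reject: bad tag
        lock.present(old, now=150),     # open: revision 1 not yet seen by the lock
        lock.present(new, now=200),     # open, mark moves to 1
        lock.present(old, now=250),     # reject: revoked
        lock.present(new, now=2_001),   # reject: expired
    ]
```

The third result is the window the reply describes: the old card keeps working until the re-issued card first touches the lock, and the expiry field is what bounds that window when it never does.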
Same tech they use for staff in mental health hospitals and wards, but strangely no one hacks the mental health hospitals.
MGM hotel rooms can be unlocked with smartphone NFC tap. You don't even need to visit the front desk to check in, just log in to the app. But if you can't open the app you can't get in your room. I'm guessing the front desk can issue keys to a guest in the event they lost their phone or something, but if the network is down for the front desk too then they might not be able to issue keys.
We often make fun of IOT and unnecessary app stuff, but these features 1000% make sense.
The problem is it works badly. You have to open the app which has to load and then you can get access to your key. But if you’re on an elevator then you might not have service and the app won’t load and then you can’t get to your key to use the elevator. Or worse if you don’t have great service in the corridor.

It needs to work in a way where the key is saved to your phone so it can be accessed quickly and offline.

Afaik the HID Global app saves a key in the OS key store (at least on Android) and uses the locally stored key with NFC so you just need network access to enroll a key. Not sure what vendor/app these things use (maybe it's all in house)
I would have thought apple/google wallet already have an API for this.
Some hotel chains like Hyatt support nfc keys in Apple Wallet. Because whatever microcontroller runs that is low-power, it can continue working after your phone battery is (nearly) dead too.

I know other locks use Bluetooth from an app which isn’t supported by Apple Wallet.

I did a project several years ago for mgm that involved BT, player cards, key systems, wifi, etc and I can confirm the hotel locks are controlled centrally for various reasons.
I would've thought it would get sent messages like:

<Grant access to KEY_ID>

<Revoke access from KEY_ID>

And it would keep track internally so that if the central system went down it could still function with already issued keys until it is fixed.

Such a system seems like it would be incredibly fragile to local attack - and this is one case where you can't just assume "physical access means you've already lost".
> physical access means you've already lost

I agree, that's why I figured if you can get away with fooling around with a lock, some wires and a laptop in the hallway, you can probably pick the backup key more discreetly.

I was wondering the same. It would be an extreme fire hazard if a power or computer outage made the doors unopenable - especially because a fire could and likely would cause an outage.
I once was stuck in my hotel room due to a malfunction in the inside door handle, which was an annoying way to discover that the latch wasn't even mechanical on that side.
I work in "access control" and that could probably get that hotel in a loooot of trouble with the fire marshal.
What country was that in?
You can get from your room to the parking lot without a key at the MGM Grand. I’m sure it’s the same for all others per I assume the fire code.
The doors can always open out they just lock to not allow in. In a fire nobody needs a key to leave, but they might need a key to get back in.
What if the fire is in the hallway, or your kids are in the room?
I know in my office building and legal jurisdiction an official fire alarm signal must override the electronic door locks so they fail to unlocked.
presumably you can still open them from the inside
Yours is probably meant to work indefinitely. I guess hotels look at the card id and see if you have access at that moment.
Apartment? I assume your home? The upkeep of locks in a hotel is a bit more involved, as customers lose keys and they need to be reset for the next room guest (for larger hotels, at least)
In a modern hotel with tap cards, all the locks are wired to a central system.
Over the years, MGM has bought up hotel-casinos on the Strip, and now they own most of ‘em. If you’re staying on the Strip, odds are it’s an MGM hotel.
If it's not MGM it's Caesar's. And both MGM and Caesar's are owned by VICI Properties.
The companies themselves are not owned by VICI, the land and properties are, and Caesars and MGM (and other casino operators) pay VICI rent.
https://en.wikipedia.org/wiki/Vici_Properties#Properties

Insane. Who is competing with them on the Las Vegas Strip? Just Blackstone with Bellagio, Cosmo, and Aria? Those investors have the power to have practically all properties on the strip not compete with each other.

MGM operates all 3 of those
Wynn is still independent (I think). That's the only one I can think of, though.
Or Caesar's.
Good god, 48 THOUSAND rooms??
So it would be the perfect time to assemble a team of misfits and attempt madcap heist?
That story literally copied/pasted from 8NewsNow [0]

[0]: https://www.8newsnow.com/news/local-news/mgm-resorts-release...

They almost certainly got the story from the same wire service rather than copying from each other.