On a warm Phoenix night in 2012, Aaron Cashatt walked down the red-carpeted hall of the second floor of a Marriott hotel, trying to move casually despite the adrenaline and methamphetamine surging through his bloodstream. Six feet tall with blond, close-cropped hair, he wore a black sports coat and baseball cap and kept his head down so the hat’s brim hid his face from surveillance cameras.
When he found a quiet stretch of hallway, Cashatt chose a door and knocked. No answer. He pulled out a sunglasses case from his pocket, flipped it open, and removed a small tangle of wires connected to a circuit board and a nine-volt battery. On one end of that loosely assembled gadget was a cord attached to a plug. He looked at the keycard lock on the door in front of him, a metallic box that offered a vertical slot ready to accept a guest’s keycard like a piece of bread into a toaster.
Cashatt didn’t have a keycard. Instead, he reached underneath the lock on the door until his finger found a small, circular port and inserted the plug of his device. Then he held a frayed wire coming off the board to one end of the battery, completing an electric circuit. Instantly, the lock whirred as its bolt retracted, and a green light flashed above the door handle.
For a moment, Cashatt stared in shock, almost disbelief. “It was like the heavens had opened,” he’d say of the moment years later.
Cashatt pushed open the unlocked door, walked into the room, and closed the door behind him. Even in his meth-addled state, he was so taken aback by his success in hacking his way in that he laid down on the room’s king-size bed for perhaps a full minute, his heart racing.
Then he sat upright and started thinking about what he could steal.
Bolted to the dresser was an expensive-looking TV, but he didn’t have the tools to remove it. So on an impulse, he grabbed a pile of towels and pillows. Tucking them under his arm, he quickly walked out the door, down the stairwell, out a side exit to the red Mitsubishi Galant he’d parked outside, and drove away.
That spontaneous laundry heist was, in fact, the modest beginning of an epic crime spree. Over the next year, Cashatt exploited an obscure software bug in one ultra-common model of hotel keycard lock to break into hotel after hotel in what would become an unprecedented, all-he-could-eat buffet of serial digital thievery. He’d escalate from stealing TVs to targeting guests’ luggage and walking out with all the possessions he could find. His intrusions would stretch from Arizona to Ohio to Tennessee as he worked to stay ahead of law enforcement. And he’d amass, by some estimates, close to half a million dollars’ worth of stolen goods.
Eventually, Cashatt’s lock-hacking spree triggered Operation Hotel Ca$h, a multi-agency police operation aimed at tracking him down. According to one document shared among cops in June 2013, officials estimated that Cashatt was responsible for 78 hotel burglaries. (Cashatt himself would later hint to me that the number was actually well more than a hundred.)
But flash back to the late summer of 2012, when Cashatt’s hotel break-ins were just getting started, and the cops were mystified. Hotels around central Arizona were reporting robberies, one after another. But there were none of the usual signs of forced entry, like broken windows or smashed doorjambs. At first the hotels suspected their own staff. But what kind of maid steals flatscreen televisions from multiple rooms? Or entire suitcases full of guests’ possessions?
“Everything’s gone. No prints. No forced entry,” recalls Tyler Watkins, a detective for the Tempe, Arizona, police department who tracked those first cases. “It was like a ghost had slipped in and slipped out.”
Unlike Arizona’s cops, anyone paying attention to the cybersecurity world that summer would have known the answer to the mystery of the hotel ghost thief. Just weeks earlier, a 24-year-old security researcher named Cody Brocious had discovered and published information about a security vulnerability he’d found in keycard locks sold by the lock firm Onity. Brocious promised that the bug could unlock 10 million hotel rooms around the United States and the world.
The flaw was obscure but simple: Each of the Onity locks had a port on its underside into which hotel staff could insert a device the company called a portable programmer. The device could read which keys had recently opened which doors or set which doors could be opened with which master keys. And since portable programmers also functioned as master keys themselves, they were carefully guarded by hotel owners.
Brocious, a round, long-haired, and patchily bearded hacker prodigy, had been hired by a small startup to reverse engineer the Onity locks and create a competing system. The company never got off the ground. But Brocious found something unexpected. The unique cryptographic key that triggered the “unlock” command on any particular Onity lock was stored not on the hotel’s portable programmer but in the lock itself—the equivalent of millions of keys hidden under millions of welcome mats in hotels around the globe.
Police photographs of hotel hacking devices confiscated from Cashatt, including one hidden inside a sunglasses case. (Scottsdale Police Department)
With just $50 in hardware, including an Arduino board, some resistors, a battery, and a DC power plug, Brocious could build his own portable programmer, insert it into the port of an Onity lock, automatically retrieve the digital key from its internal memory, and trigger the door to unlock, all in a fraction of a second. “I plug it in, power it up, and the lock opens,” Brocious told me with wide-eyed enthusiasm when we first spoke that summer. To prove his claims, Brocious came to the Forbes magazine office, where I worked at the time, and showed me an Onity lock he’d bought from eBay. He inserted the plug of his homemade device, its wires squeezed inside a black plastic box, into the port on the bottom of his test lock. It whirred and a green light flashed as the lock’s bolt obediently retracted.
A couple of weeks later, Brocious and I spent a day touring New York City to test his findings in the wild. We tried his Onity-cracking gadget in three hotels, ranging from midtown’s glamorous Waldorf Astoria to the less glamorous Holiday Inn in Gowanus, Brooklyn. (To avoid any actual felonies, Forbes paid for the rooms.) The technique worked on only one of the three targets, opening a door high in the atrium of the Marriott Marquis in Times Square. Brocious’ technique still needed some fine-tuning. But one out of three was enough: I published a story, revealing his discovery for the first time and warning of a potentially serious security flaw in one of the world’s most common locks.
Brocious wasn’t done yet, though. A week later, he presented his findings at the Black Hat hacker conference in Las Vegas, speaking to a packed room at Caesar’s Palace. And he went one step further, publishing the code for his Arduino unlocking device on his website so that anyone could build a hotel hacking machine.
The hacker community has a long tradition of presentations like Brocious’ at hacker conferences like Black Hat and Defcon. Despite the dangers of publicly revealing security flaws that could potentially lead to criminal hacking, espionage, or other consequences, the logic goes that informing the public is paramount: better for noble hackers to shine the light of publicity on dangerous security problems and force corporations to fix their critical software bugs than allow truly malicious hackers to exploit them in the darkness.
In my years as a reporter covering these kinds of vulnerability discoveries, I’ve written stories about hackers who pressured Apple to fix a bug that would have allowed a text-message-based worm to spread virally through every iPhone, about a security researcher who forced an ATM vendor to fix a flaw that would have let thieves trigger cash machines to spew money, and about others who motivated Chrysler to recall 1.4 million vehicles that were vulnerable to remote hijacking over the internet. White hat hackers reveal a vulnerability; companies fix it.
This is not one of those stories.
Even after my article on Brocious’ lock hacking and his high-profile Las Vegas reveal, Onity didn’t patch the security flaw in its millions of vulnerable locks. In fact, no software patch could fix it. Like so many other hardware companies that increasingly fill every corner of modern society with tiny computers, Onity was selling a digital product without much of a plan to secure its future from hackers. It had no update mechanism for its locks. Every one of the electronic boards inside of them would need to be replaced. And long after Brocious’ revelation, Onity announced that it wouldn’t pay for those replacements, putting the onus on its hotel customers instead. Many of those customers refused to shell out for the fix—$25 or more per lock depending on the cost of labor—or seemed to remain blissfully unaware of the problem.
And so instead of Brocious’ research protecting millions of hotel rooms from larceny-minded hackers, it served up a rare, wide-open opportunity to criminals. Soon other hacker hobbyists were posting YouTube videos of themselves demonstrating the vulnerability on real hotel doors, refining Brocious’ gadget to work far more reliably. One security researcher in Chicago managed to miniaturize the components of the lock-hacking device until it fit inside the body of a dry-erase marker, with its plug hidden under the marker’s cap. The attack became so notorious that it even made a brief cameo in the first season of USA Network’s show Mr. Robot.
But out of everyone who learned about the Onity keycard hack, only one person, perhaps, had the right mix of desperation, tech savvy, and moral flexibility to use it to its full criminal potential: Aaron Cashatt.
Cashatt’s mother, Lorri Han, says her son’s technical curiosity must have come from his maternal grandfather, an aerospace engineer for Lockheed Martin who worked for years on contract for NASA. She remembers her son seeming to have that same engineering knack from a young age, taking apart the phone to find out what made it ring and drawing architectural blueprints of his living room forts.
A twenty-something Cashatt with his mother, Lorri Han. (Courtesy Lorri Han)
But Cashatt’s father was a pastor, and a different sort of influence. As Cashatt’s mother would later describe to me and in court, he had a mean streak that tore their family apart and instilled in Aaron, the oldest of the family’s five children, a fierce opposition to authority. “He’d preach God on Sunday and beat the hell out of me the rest of the week,” Han says of her former husband. “Aaron was my protector.” (In a phone call with WIRED, Cashatt’s father denied that history of physical abuse, but Cashatt and other members of the family confirm his mother’s account.)
When Cashatt’s parents eventually separated, however, his relationship with his mother turned cold. As a 14-year-old, Cashatt moved in with his father and then moved out at the age of 17 to live with an older friend who sold drugs and used them liberally. Cashatt quickly developed a crystal methamphetamine addiction that has dogged him ever since. Two years later, he found his friend lying in a hotel room, dead from a gunshot wound to the head. After that, Cashatt’s mother said, he “spun out of control,” doubling down on drug use and venturing into petty crime. “It twisted him sideways,” she says.
At 22, Cashatt went to prison for the first time, convicted of a crime that would presage his future as a tech-savvy criminal: He was caught making fake checks and IDs with a laser printer. During the prison stint that followed, he took a computer course, where he learned to build a PC from parts. When he got out two years later, he further honed those skills, tinkering with and taking apart more computers, learning to solder, and building long-range Wi-Fi antennas out of Direct TV satellites. Later he’d get a job as an automotive technician for AAA.
Cashatt went to prison a second time for drug possession and a misdemeanor charge of drunk driving. When he was released again on parole a few years later, the DMV required him to install a breathalyzer in his car, so that it could only be started if he blew into the device to prove his sobriety. Not one to be defeated by a technical challenge, Cashatt dug up tips from the internet on how to open the device’s case and rewire his car’s ignition with alligator clips while bypassing the machine’s sensors. He’d disable the breathalyzer every weekend, drive as drunk as he pleased, and then reconnect it on Monday. When the DMV checked the device every month, its digital record seemed to show that he had responsibly avoided driving all weekend.
Inevitably, a cop pulled Cashatt over one night when his blood alcohol was well above the legal limit, and he was charged with a fresh DUI misdemeanor. He went back to prison for five months for violating his parole. But when a court unexpectedly dismissed that charge after his release—what he saw as an inexplicable act of mercy—he felt he’d been given a second chance to live a normal life. Over the next 10 months, he worked to turn his life around, weening himself off meth, avoiding crime, and even getting a job as a waiter at a high-end Mexican restaurant.
Then, a year after that DUI stop, in the summer of 2012, Cashatt got a letter from the court. It informed him that he was being charged not merely with that DUI misdemeanor but with a felony, the result of his latest charge plus all of his prior offenses. The minimum sentence: six and a half years in prison.
Cashatt was devastated. He says he’s never understood why that period of false hope lasted 10 months, or why it ended. (He speculates, without much evidence, that the state of Arizona was seeking to boost its statistics in an election year by dredging up dismissed charges.) Regardless, he saw the legal reversal as a betrayal and confirmation that, even if he obeyed authority and worked a legitimate job, law enforcement would never let him live freely.
As his court date for the felony approached, he veered off his law-abiding path and back into heavy meth use and crime. He started forging checks again, used the lockout tools from his automotive job to break into parked cars, and even exploited the Linux hacking toolkit Backtrack to break into Wi-Fi networks and steal tax documents for fraud. “Screw it,” he thought. “If they’re going to send me to prison again, I’m going to deserve it.”
It was that same month, just as Cashatt had determined he had nothing left to lose, that he saw a TV segment on ABC News about Cody Brocious’ Onity hotel keycard hack.
Within days of hearing that news broadcast, Cashatt had found the code on Brocious’ website along with a full tutorial on how to build his own lock-hacking tool. “I’ve always been of the opinion that if you look around on the internet you can figure out how to do anything,” he says. “So that’s what I did with the Onity hack.”
He bought an Arduino, a circuit board, some resistors, and wiring from RadioShack for around $50, and assembled a prototype of the device in a matter of hours. But after his shocking success in using it to open that first door at a nearby Marriott, Cashatt became obsessed with perfecting his lock-hacking gadget.
By day, he continued to work as a waiter. By night, he smoked meth, skipped sleep, and built version after version of his digital skeleton key, trying to make it sleeker and less conspicuous. In its final form, he still hid the device inside a sunglasses case—an Oakley brand box hanging from his neck. But it now had a plug that emerged and retracted from a zipper on one end and a power button hidden in the O in Oakley—no more fumbling with a frayed wire and a battery. He found that the device instantly opened about 98 percent of doors that had an Onity lock, vastly better than the initial prototype Brocious had built.
As he upgraded his tool, Cashatt also upgraded his burglaries. A week after stealing an armful of linens from the Marriott, he returned with the exact screwdriver necessary to unbolt its TVs, and walked out with a 37-inch flatscreen. In the days that followed, he pulled off a few more TV thefts from unoccupied rooms at different hotels. Then he began to consider the additional prize of robbing hotels’ guests too.
Now working with a partner drawn from a rotating group of friends, the burglars would arrive at a hotel during daylight hours to find booked rooms whose occupants had left for the day. At first Cashatt and his accomplices would take only laptops, iPads, and other valuable items. But one day, on a whim, Cashatt says he looked inside a hotel guest’s toiletry bag and found a sock wrapped around an immaculate Breitling Bentley watch worth thousands of dollars. From that point on, they simply took everything, throwing guests possessions—from computers to cameras to jewelry and even clothes—into the luggage they found and nonchalantly wheeling those suitcases out of a back exit.
To disguise himself and hide his face from cameras, Cashatt started putting a short white wig over his blond hair and covering it with a white fedora. He studiously wore gloves inside every room to avoid fingerprints. To make sure his car wasn’t tracked, he’d steal license plates and switch them periodically. When he realized that hotel employees would generally assume he was a guest and treat him deferentially, the anxiety he felt during the first few jobs subsided and his break-ins became almost routine.
Did the sheer volume of highly personal items he and his friends were stealing ever cause him remorse? At the time, the meth took care of that, he says. After all, he was smoking enough to stay up for days, long enough that dark wisps and what he describes as “shadow people” would begin to curl into the corners of his vision. At that point, he says, “your conscience kind of goes away.”
Cashatt’s hotel hacking spree stretched from California to Ohio to Tennessee, but he was most prolific in his home state of Arizona. This map shows some of the dozens of burglaries police believed he pulled off just in the cities surrounding Phoenix. (Ben Bours)
The court date for Cashatt’s DUI was approaching, and he knew he had to skip town. He embarked on a long road trip to stay with a friend in Ohio, using his Onity-hacking tool to break into roadside motels and stay in their rooms along the way. When he arrived in the Midwest, he robbed a few more hotels before deciding to lay low. But he was soon arrested again anyway. He and his friend were exploding M80 fireworks one evening in his friend’s neighbor’s yard, using a high-powered laser Cashatt had built from parts he ordered from foreign suppliers. The cops arrived, found meth at the scene, arrested Cashatt for possession, and extradited him back to Arizona, handcuffed in the back row of an American Airlines flight.
At that point, however, the police still hadn’t linked Cashatt to the hotel robberies. He was jailed for his DUI but soon released on bond again. Emboldened that he hadn’t been identified as the hotel burglar, Cashatt doubled down on his break-ins. He hired a lawyer to fight the DUI charges, but eventually would stop appearing at his court dates and skip bail again.
Now with no job to hold him back, Cashatt, his friends, and an on-and-off girlfriend spent the next four months hitting hotels at a frenzied pace, sometimes as many as four in a day—Holiday Inn, Days Inn, Hilton, Hampton, Marriott, Extended Stay, La Quinta, Sheraton and on and on, working his way methodically across central Arizona.
He developed a refined system to maximize his thefts. First he’d case new hotels by looking for Onity locks on their outside doors. Then he’d walk in the front wearing his trademark white fedora, the Oakley case hanging from his neck in plain sight. Once he was on a guest floor, he’d look for a housekeeper’s cart and grab the room list from it to see which rooms had guests staying over and which were empty. Then he or his partner would knock on one of the booked rooms. If someone answered, they moved on. If not, they’d hack their way in. Before leaving with all the guests’ possessions, Cashatt or his accomplice would call from room to room, checking the other booked rooms on the list to find ones that were empty, and hit those next.
The system wasn’t perfect. On one occasion, a guest came back to a room while Cashatt was still inside, and he had to jump out of a second-story window to escape. Another time, they slipped into a room in the middle of the day only to find a large man asleep and snoring loudly. Cashatt was spooked and backed out, but his accomplice on that job convinced him the man was sleeping so deeply they could work around him, and they took his luggage before he woke up. In the closest call he experienced, a man came out of the bathroom while Cashatt and his partner were in the room putting stolen goods in bags. In a moment of inspiration, Cashatt’s partner, who’d already helped him rob dozens of rooms, warmly greeted the man and bear-hugged him. Confused, the man assumed the thieves were acquaintances invited by a friend. They played along, briefly chitchatted, and then fled. Cashatt, hardly believing their luck, was so overwhelmed with adrenaline that he found himself dry-heaving in the car as they left.
A month or so into the most productive stretch of that burglary spree, Cashatt hit a roadblock. He was flummoxed to find that when he inserted his hacking device into locks’ data ports, he’d repeatedly hit an obstruction. Onity, finally taking the threat of Brocious’ revelation seriously, had started distributing a free fix to its hotel customers, and claimed in a blog post that it was contacting them one by one to alert them to the security vulnerability. But even then, the fix the company offered those customers wasn’t a full recall or a replacement for its flawed locks. It was a Band-Aid: cheap plastic plugs to cover the portable programmer ports.
At first, Cashatt sank into a depression as the number of targets for his once-in-a-lifetime golden key dramatically shrank. “My hustle had suddenly gotten very, very narrow,” he says.
But after investing so much in his burglary scheme, Cashatt was determined not to let the lock maker outsmart him. He tried stealthily drilling out the plugs with a Dremel and melting them with a soldering iron, without success. Finally, one morning he had a friend act as lookout, parking his car in front of a motel door with dividers on both sides that obscured it from view. He pulled out his tool bag, sat down in front of the door cross-legged, and got to work. By early afternoon, he’d identified the T10 Torx screwdriver that could release the metal panel that formed the bottom half of the lock’s front cover, letting him reach in and remove the plug, access the port again, and then replace the plug and panel. With some practice, he honed his technique until he could pull off the process in about 20 seconds. That same day, he returned to business as usual.
It was a productive period of Cashatt’s criminal career. Among the diverse rewards from his hotel adventures were an assortment of guns in a collector’s case, a US marshal’s handgun and badge, a pair of custom guitars signed by a band he doesn’t remember, an airplane pilot’s uniform and pilot’s license, motorcycle helmets, cameras, golf clubs, watches, wallets, entire hotel safes, passports, jewelry, and countless televisions, laptops, phones, iPads, and suitcases—especially suitcases, so many that they filled the house where he was staying and spilled over into a separate storage unit too.
He’d fence most of the loot through friends—many who themselves sold drugs and were happy to have a side business in stolen goods—or through one Phoenix jewelry store owner he trusted. Despite his haul, he says he never managed to save much, blowing the cash on drug benders, clubs, and casinos.
But from the beginning, Cashatt knew there was a time limit on his burglary spree—after all, he was a wanted man and had already jumped bail twice, albeit for lesser crimes. And by early 2013, major cracks were forming in his hotel-hacking cloak of invisibility.
On a short trip to Lake Havasu, a city of 54,000 on Arizona’s border with California, Cashatt had tried to steal a middle-aged woman’s license plate to prep for a round of burglaries. He was crouching in a parking lot, still unscrewing it, when she came back to her car. He threw the license plate in his trunk, but the woman called the cops as he sped away and they caught up with him 10 minutes later in the parking lot of the hotel where he was staying. He sprinted away from the police and escaped by climbing a fence and jumping into a ravine. But his partner on that outing was arrested and brought the cops back to their hotel room. Cashatt was long gone, but the room was registered in his name—a sloppy mistake. Inside was one of his backup hotel hacking tools, which the police confiscated.
As the cops closed in, they obtained a warrant and demanded Cashatt’s entire communication history from Facebook. It was a mother lode of incriminating evidence. In one conversation, he explained to a friend why he was on the run with a collection of news articles about the hotel burglaries. “Yeah u get addicted to it!!!” he wrote. “It’s a sick adrenaline rush!!!, and u have all kinds of cool ass shit when ur done!!” In another, he sent a friend a photo of himself behind a bed covered in laptops, phones, and iPads. And in photos with his girlfriend, he was wearing his trademark white fedora, the one that linked him to every surveillance video where he’d hidden his face for months. “That’s when we got him,” says Watkins, the Tempe police chief who by then had assembled the Hotel Ca$h task force of investigators to work the case.
Sensing that the cops were tightening the noose and spooked by a round of news reports about his burglaries, Cashatt fled on another drug-fueled cross-country road trip, this time driving all the way to Tennessee. He hit more hotels in Appalachia, and then made it back to a farm where his mother was living in Farmington, California.
For weeks, far away from the temptations of hackable hotels or meth, he tried to go straight: no drugs, no crime. But he had the notion that perhaps he could buy himself more time by crossing the border and staying with a friend in Canada. He didn’t have a passport and feared he couldn’t apply for one without being arrested. So one of his younger brothers offered to apply for one and give it to him—the brothers looked similar enough that Cashatt hoped it would work—and so he drove to his brother’s house in Stockton, California.
Late one morning during his short stay there, the US marshals moved in—Cashatt believes they were tipped off by his brother’s application for a passport. He remembers at least 10 agents’ cars out front as they stormed into the house. They found Cashatt’s brother first, and slammed the wrong Cashatt on the hallway floor. Cashatt himself, meanwhile, was jumping out a bathroom window at the back of the house. He scrambled across the lawn and was ready to climb a fence when a marshal appeared, pistol drawn, on the other side of it. The agents let loose a police dog that lunged at Cashatt and bit his arm. According to the marshals, Cashatt punched at the German Shepherd to defend himself—which he denies—and the cops responded by tasing him.
“I didn’t know I had to take a shit at the time,” Cashatt recalls. When the taser’s full-body electric shock switched off his muscle control, however, “I found out real fast that I did.” As Cashatt tells it, the cops handcuffed, arrested, and booked him without even allowing him to change clothes, leaving him to sit in his own excrement for the next four hours.
Almost exactly five years after seeing the first demonstration of Cody Brocious’ Onity hacking tool, I meet Aaron Cashatt face to face in the fluorescent-lit, cafeteria-style visiting room of the Cibola Unit of the Yuma State Prison Complex. Under his orange jumpsuit he’s bulked up from prison-yard weightlifting and seems clear-eyed and sharp. Despite the prevalence of drugs inside the Arizona corrections system, he says he’s gone clean since he started his third prison term, and even quit smoking.
A mugshot of Cashatt distributed by police before his arrest in Stockton, California. (Scottsdale Police Department)
Cashatt pleaded guilty to three hotel burglaries, the few for which prosecutors had the most airtight evidence. He’s serving a nine-year sentence, but hopes to be out in seven and a half. When he’s released, he swears that he’s done with hotel intrusions. He feels, he says, a complicated mix of regret for his thievery, shame for the trauma he caused his victims, and pride for the epic cleverness of his heists. (“No one took the Onity thing as far as I did,” he muses at one point in our visit.) He hopes someday to find a job in the security industry, or perhaps even market his own invention, which he hopes to patent for preventing check fraud. “Maybe I can work for Kevin Mitnick or Frank Abagnale,” he suggests, naming the world’s most famous reformed hacker and con artist.
But Cashatt also says he wants to warn the world that the Onity vulnerability Cody Brocious found and that he exploited is still out there. “I guarantee you that if you tried this at some hotel in the Midwest, it would still work 19 out of 20 times,” he says. For that, he blames Onity’s negligence. “They just don’t get it.”
When WIRED asked Onity about whether its lock vulnerability persists, the company responded in a statement that “mechanical solutions have been shipped to all known affected customers, enabling them to implement the security upgrade.” But it didn’t specify how many of those “mechanical solutions” consisted of the actual replacement boards that fix the security issue or the cheap plastic plugs that Cashatt easily defeated.
In December of 2012, four months after its security flaw was first revealed, Onity did make deals with some major hotel chains, including Marriott, Hyatt, and InterContinental Hotel Group, to cover all or part of the cost of fully replacing their vulnerable locks, according to leaked memos I obtained at the time. And aside from a handful of robberies in Texas, no other intrusions that exploited the Onity attack have been publicly reported.
Todd Seiders, director of risk management at hotel insurance firm Petra Risk Management, says that after the first year of the Onity debacle he didn’t hear about any other incidents. Contrary to Cashatt’s claims, Seiders says he thinks the problem is more or less fixed—after all, Cashatt has been in prison for years and wouldn’t really know, Seiders points out. “We really kept the pressure on them, and they finally relented,” Seiders says of Onity’s decision to pay for its customers’ lock replacements. “Since then, it’s gone off the radar.” But Seiders concedes that some number of small, family-run hotel franchises may still not have learned about the Onity vulnerability and could be using older, flawed locks even today.
The $50 lock-hacking setup the author built and tested in a series of New York hotels to determine if the Onity lock vulnerability still persists. (Andy Greenberg)
So I decided to test the present-day security of Onity’s locks myself. With a shopping bag full of RadioShack parts and the same publicly available code and instructions that Cashatt found on Cody Brocious’ website, I built my own Onity hacking tool. Brocious’ instructions were clear enough even for a technical poseur like me, and the device took just a few hours to assemble and troubleshoot with the help of some engineer friends. My lock-hacking gadget had none of the slick design features of Cashatt’s, just a tangle of boards, wires, and an external phone battery I switched on to power it. But when I plugged it into the used Onity lock I bought on eBay, the lock immediately whirred and its green light flashed, just as it had at Cashatt’s first Marriott.
I began retracing my steps from years earlier. First I visited the Waldorf Astoria, paying for a room to try my lock hacking tool in the wild. No luck: The locks there must have been replaced since the Onity scandal, it seems. I went across the East River to the Gowanus Holiday Inn. Again, I booked a room, inserted my device into its lock, and was met with anticlimactic silence. Finally, I crossed the city in the other direction to return to the Marriott Marquis in Times Square, the only hotel where Cody Brocious’ original, unrefined device had worked in 2012. The third lock I tried again remained entirely, crushingly unresponsive. In my first day as a hotel hacker, I’d struck out.
Having already invested close to $800 of WIRED’s money in booking and then failing to hack into hotel rooms, my editor agreed to throw good money after bad and let me try one more. I chose a franchise of a low-end but common chain that I’ll leave unnamed, deep in an industrial stretch of an outer borough neighborhood. When I checked in, the front desk gave me a key to a room on the basement floor, at the end of a twisting, sunless hallway.
As I arrived at that final door, I took a breath, then inserted the plug of my janky Onity hacking tool into the port underneath the silver lock, bracing for another failure. Instead, it emitted a whir and flashed a miraculous green light.
Early on a baking Arizona morning, Aaron Cashatt’s mother, Lorri Han, walked out of her room at a cheap hotel in central Yuma, got in her car, and headed toward the Yuma penitentiary to visit her son. She drove for half an hour toward the Mexican border, through the cotton and date fields and onto a road that seemed to end suddenly in a sea of dust, nothing in sight but sand, scrub, and the highway rolling past behind her as she faced a sprawling, single-story prison complex.
She passed through a barbed-wire fence, parked her car, took a bus through the concrete complex, walked through two more layers of fences, through a metal detector, past the guards, and into the visiting room, where she met her son for the first time in months.
The first question Cashatt asked, after that long separation, was what hotel his mother was staying in during her visit. She named it. He immediately asked whether the locks were the kind where the keycard went in horizontally, like this, or vertically, like this, miming the motion. She answered that it was the latter, like putting bread into a toaster.
“Whatever you do,” Cashatt told his mother gravely, “don’t leave anything in that room.”