By Mark Frauenfelder at 10:23 am Tue, Sep 6, 2011
[Video Link] The fellow in this video shows how he opened a safe by entering a default password of 000000. (Via Cynical-C)
That’s the factory default. Hotel isn’t supposed to leave it at that.
Of course they aren’t. And now we know how to check that they haven’t (with this model of safe, anyway).
The security safe in General Groves’ office at Los Alamos went through WW II using the default combination. See “Surely You’re Joking, Mr. Feynman”.
Hotels cutting corners at the cost of their customers…. color me surprised
I wonder how many guests have come back from a long day and discovered something missing from the safe, and only left with the idea they must have forgotten to put the missing item in the safe.
Security by illusion.
I have tried searching for default passwords on a couple different hotel vaults. Just the usual 0000, 1234, 0123, and maybe a couple more if I was REALLY bored, nothing I tried opened it besides the password I chose.
I guess the safe thing to do is to be aware that this can happen, and maybe even try a couple combinations. This is of course no guarantee that you just didn’t try the right password. Heck, it could be an obscure number to you and me, but well-known to thieves.
This is a good point. If the safe manufacturers started to ship the safes with a default password of “56789”, it probably wouldn’t be guessed in a few tries by you or me, but would be easy to guess by anyone in the industry.
Instead, all safes ought to come with a light or other flag that only appears once the master password has been set to something new. Kind of like the pop-up cap on a bottle, the safes should have printed on the front:
“If the Master Password Set light is not on, this safe has not been initialized correctly. Please contact the manager.”
Of course, hotels wouldn’t want this, because how many people would feel less safe once they became aware that the hotel staff had access to a master password?
THE HOTEL IS NOT RESPONSIBLE FOR LOST OR STOLEN ITEMS.
I wonder if they are responsible when they provide what is advertised as a secure, safe location for your items that is not safe or secure.
When anyone who has ever worked there is privy to the master codes that can override the safes.
An important point. Just because the master passcode has been changed from the default doesn’t mean the hotel has done a good job of keeping the new master passcode secret.
I’ll bet you in nine hotels out of ten it’s written on a post-it stuck to the wall in the office.
Since there was an article here on the game Deus Ex recently…
There’s a quest in that game where you have to subdue a terrorist. You find the bomb he has set up, and it is password protected.
There is nowhere in the game that you can find that password… but if you try “0000” you can defuse it yourself and get an achievement titled “Lucky Guess.”
Oh, but don’t worry, if you don’t make the guess you can just tell the police and they’ll send a professional bomb squad down!
Not like 123456 is a terribly secure password. That’s the kind of thing an idiot has on his luggage.
Ummmm….. that wasn’t the point of the video. He wasn’t going to use the actual password he would normally pick.
SPACEBALLS reference, anyone?
Guess what: even if they change the default password, pretty much the entire hotel staff will end up knowing the default password.
You are using a safe that is owned by someone else, it’s never going to be secure.
The safe should provide mounting points for you to add your own hardened padlock. If a thief wants in, they should have to work at it.
Oh, and the real security comes in the fact that the safe and the door both log who entered them and at what times. Hmm, the safe was opened using the default code 3 seconds after the housekeeping B card was used on the door.
Except housekeepers tend to prop the door open, key cards can be cloned, there is probably a master key that leaves no traces in the system, and someone with enough access to have keys/cards, the override code, can most likely gain access to the door log system or cut that employee in on the action.
Creating the illusion of security does not give security.
A lockbox with a hasp to accept a guest-provided lock would be much better.
Someone could still pick it, or smash it but the hotel would never be in a situation of trying to cover its own ass because Helga in housekeeping knew the master open command to the safe was 12334.
Besides obvious ones, try using the hotel’s street address number for the password. Many hotels use that, or the year the hotel was built, or their front desk phone number, for many things like the WiFi password. I have never used a room safe but I’d try those things given the WiFi passwords I’ve seen.
Just for information, the same concept applies to your own mobile phone (cellphone) messages. Your phone, all phones, have a default setting. YOU are expected to change it, like your PIN for the ATM. Simple and effective hacking begins with the user.
I once stayed in a hotel which had a room safe which wasn’t bolted down. Even if the thief didn’t know the code he could have just taken the safe with him and opened it at his convenience.
We also had our hostel dorm burgled once. The lockers were pried open and everything in them was stolen. The guy who left his stuff under the pillows on his bed instead didn’t lose anything.
With or without the default password, someone at the hotel has to know how to override the passwords set by guests when they forget them. It basically comes down to how much you trust the hotel staff. When we visited Las Vegas for Black Hat and Defcon, I overheard an employee at the front desk informing a caller that it was the hotel’s policy that someone had to be in the room for them to open the safe. Considering how carefully they complied with their other policies (they were required to check ID for all credit card transactions, but didn’t seem to care that the name on my card didn’t match the name on my ID), I doubt they were very careful about who they opened the safes for either.
Yes, but overriding the password doesn’t necessarily have to be done with another password. A physical high-security lock & key could be used. It’s easier to secure a physical item, rather than a piece of knowledge that can be easily passed around.
I always thought that the default password was also known as the master key; which on this safe would be inserted into the keyhole hidden behind the gold plate.