Another hotel room safe with a default manufacturer reset code

Another hotel room safe with a default manufacturer reset code

Why is this sort of thing still happening?

Finding a hotel room safe with a default code is not a particularly new security issue, which begs the question as to why it is still happening today if the issue is incredibly easy to fix. I encountered this issue recently when I had checked into a hotel.

After flicking through the TV I got bored and turned my attention to the hotel room safe. It was just staring at me and inviting me to take a closer look. Within about 5 minutes I had tracked down an installation manual for the given make and model and thought I would give it a go. So …. cue the obligatory video of me stashing the tv remote in the safe and ‘stealing’ it with a default reset code.

Reporting the issue to the hotel

When I informed the hotel receptionist at checkout the next morning, they initially thought that I had locked myself out of the safe and need their assistance. Well … it was true that I had locked myself out of the safe (deliberately), but when I informed the receptionist that I was able to fix the issue myself, they were somewhat concerned as to how I could do it. “Simple”, I said, before going on to explain that the default manufacturer reset for the given make and model of safe was 000000.

Given the positive response from the hotel in question, I’d be of the opinion that at the time of writing, the issue is probably fixed. Of course, I’ll take a look the next time when I check in though. :-)

Reprogramming devices and logging capabilities

As an aside, the room safe vendor supplies portable devices that can plug into the safes for the purposes of re-programming them and helping an unfortunate guest retrieve their pin code. That last bit is particularly interesting - the same device can pull the log of the last 120 pin codes entered into the safe.

I wonder how many of those codes are dates of birth or ATM pin codes? Just out of curiosity, I would have been able to purchases such a device myself quite cheaply from the manufacturer.

Trust … but verify

So … if you do decide to use your room safe, take 5 minutes to check that default codes such as 000000 are not in use. Keep in mind though that some safes will lockout for a short period of time if you get the code wrong after a small number of incorrect guesses. Obviously you’ll need to do a bit of looking around with your preferred search engine if such an easy one doesn’t work. Make sure to tell the hotel reception too if you find the default code works.

Appearance + Convenient != secure

The bottom line is that hotel room safes are really a convenience and nothing more. I wouldn’t judge them as being ‘secure’ - think about it, by design, they have a ‘backdoor’ already built in (the reset code). So …. the fact that it is made of some metal that ‘appears’ to be be ‘secure’, and is bolted to the floor of wooden closet/cupboard or a wall, doesn’t make any difference whatsoever. But let’s be sensible … your really need to consider your personal threat model to make the best decision for yourself. In my case:

  • I wasn’t in a location that necessitated the bringing a passport - i.e. the type of item you might be inclined to leave in a safe.
  • neither me nor my wife would leave expensive small items (e.g. jewellery) in a hotel room anyhow. I carry my laptops/gadgets with me when out of the hotel room.
  • Ample CCTV cameras that would pickup anybody entering guest rooms
  • An eagle-eyed receptionist and their co-workers who know the pulse of everything in the hotel (yes, very subjective I know)

So, yes, my perceived level of risk was low, but it could be different for other people. Besides, it’s an easy issue to fix, so there really is no excuse for hotel operators avoiding it. It’s really simple though …. just don’t use a hotel room safe if at all possible and keep your gadgets/passports/documents with you at all times