YouTube link for mobile viewing

Security researcher Ian Robertson has built an Android application that can be used to bypass security on the popular Cardkey door control systems.  Using his Droid Incredible, he is able to brute-force past any PIN, and issue commands across the Internet to the IP-based systems that will unlock all doors, grant 30 seconds to open them, then relock the doors -- all with a push of a button.  Who says you need to be a registered guest to use that Holiday Inn jacuzzi?

This demonstrates not only the really poor security on these systems, but a level of 1337 that we haven't seen on Android as of yet.  Hat's off to you Ian, and hopefully you can persuade a few people that they need to ramp security up a notch.  [CyberSecurityGuy]