Basically, the affected hotel locks (from Onity, a UTC company) have a port on the exterior side that allows access to the lock controller. Connecting to this port and running some special code allows access to lock functions, as well as master key information. According to the hackers who demonstrated this weakness, this attack does not need to break any encryption – so it is fast and trivial to execute.
Here is the device in action:
There are, reportedly, four million of these locks installed in hotels, and the time to open them once the device is connected? About 200 milliseconds – or, less time than it takes to swipe a working card in the lock…
Here are slides from the hacker's presentation that describe the problem and his engineering efforts.
It is difficult to understand how a data port on the secure side of a lock was not better scrutinized (and protected) by the engineers. Onity has apparently designed a port cover that blocks physical access, but no software solution is known as of this writing…
This article describes burglaries in Houston, Texas using the exploit described above.