Security

Hackers' hotel 'master key' could be big risk for business travelers

Cybersecurity researchers have worked on cracking the code to hotel room keys since 2003.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Security researchers notified Swedish lock manufacturer Assa Abloy of critical vulnerabilities in their system, forcing them to release an update earlier this year.
  • According to the researchers, the company admitted that the flaw they found could affect at least 500,000 hotels.

Two intrepid cybersecurity researchers have figured out a way to crack the security systems of hotel rooms around the world, exploiting lapses in the electronic lock systems made by Swedish lock manufacturer Assa Abloy, according to a Wednesday press release.

Assay Abloy, which created VingCard's "Vision" system, has deployed it at 42,000 properties in 166 countries, including everything from hotel rooms to garages and secure spaces, as noted by our sister site ZDNet.

Tomi Tuominen and Timo Hirvonen, researchers from F-Secure, discovered a way to breach the system after nearly a decade of research following a strange occurrence at a Berlin security conference in 2003. A friend of theirs had a laptop stolen from his hotel room with no signs of forced entry, leading the two men on a decade-long journey to prove their theory that someone had figured out how to manipulate the RFID card reader.

SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)

The specific RFID card reader they were looking into was a typical kind sold by VingCard and created by Assay Abloy for mass use at hotels across the world, as noted by Wired. What Tuominen and Hirvonen have discovered, and will exhibit at a conference in Miami this week, is a program that can not only create cards for certain rooms but a master key for every room, giving potential thieves access to any part of any hotel they choose, the release said.

The main instruments needed are a $300 Proxmark RFID card reading and writing tool and any card, either old or new, from a hotel, according to Wired. From there, Tuominen and Hirvonen only need one minute to steal data from the used card and create a master card that can open any door on the same system.

Both men have tried to downplay any fears hotels and customers may have about the loophole and have actively worked with Assay Abloy to fix their system. Although it took them more than a decade, they said if someone worked full time, they could create a similar system in far less time.

"We don't know of anyone else performing this particular attack in the wild right now," they told ZDNet in an email.

They later added: "Developing [the] attack took considerable amount of time and effort. We built a RFID demo environment in 2015 and were able to create our first master key for a real hotel in March 2017. If somebody was to do this full time, it would probably take considerably less time."

Assay Abloy has since created a new line of locks and released a patch update earlier this year to address the issue, the release said. But the patch has to be installed manually by each hotel in each lock, leading both men to wonder whether the updates had actually been implemented.

There was also a discrepancy in the number of hotel rooms that are vulnerable. According to Wired, Assay Abloy told Tuominen and Hirvonen privately that "the problem affects millions of locks in total," while publicly they have said the problem would only affect close to 500,000 rooms locks.

A spokeswoman for Assay Abloy told the BBC that any electronic device is vulnerable to hacking and that a breach of this kind would require large teams and copious amounts of time.

"Vision Software is a 20-year-old product, which has been compromised after 12 years and thousands of hours of intensive work by two employees at F-Secure," the spokeswoman told the BBC. "These old locks represent only a small fraction [of the those in use] and are being rapidly replaced with new technology."

Tuominen and Hirvonen have said they will not release information on how their device works and will only give a broad overview of their method at the conference in Miami this week, the release noted.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

A similar situation six years ago led to a US-wide robbery spree of hotel rooms following the release of a list of possible lock system vulnerabilities by a security researcher. Wired noted in their article that a number of government intelligence agencies, including those in the US and Israel, claim to already have ways to hack into hotel room key systems.

The ACLU noted as far back as 2012 that some security companies were even marketing themselves by advertising their ability to teach people how to crack VingCard locks.

Many major international hotels, including the Intercontinental, Hyatt, Radisson and Sheraton, use VingCard's system and are in the process of updating the locks now that the system's vulnerabilities have been made public.

Being that a stolen laptop was the impetus for this research, it goes without saying that business travelers should use extra caution when traveling and staying at a hotel. Check with management to see if the locks have been updated and, if worried, be sure to bring your valuables with you when you leave the room.

Also see

hotelkey.jpg
Image: iStockphoto/TeerawatWinyarat

About Jonathan Greig

Jonathan Greig is a freelance journalist based in New York City. He recently returned to the United States after reporting from South Africa, Jordan, and Cambodia since 2013.

Editor's Picks

Free Newsletters, In your Inbox