Hackers find a serious security vulnerability in hotel key system
Researchers from the Finnish cyber security firm, F-Secure have discovered a critical flaw that allows hackers to use a used or even a discarded hotel key card to create a master key for the entire building within minutes without leaving a trace.
According to Tomi Tuominen and Timo Hirvonen, security consultants for Finnish data security company F-Secure said that they discovered a vulnerability in the software of the electronic hotel room keys of VingCard Elsafe (a brand under Assa Abloy), a global provider of hotel locking systems. The vulnerable software in question is called ‘Vision’ and it could affect millions of rooms as they are available in 166 countries and in over 40,000 buildings, F-Secure researchers estimate. Some of the hotel chains who have used Abloy’s lock systems over the years are Intercontinental, Hyatt, Radisson, and Sheraton.
“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” Tuominen said.
“I wouldn’t be surprised if other electronic lock systems have similar vulnerabilities,” Hirvonen added. “You cannot really know how secure the system is unless someone has really tried to break it.”
Tuominen and Hirvonen from F-Secure started studying the vulnerability 15 years ago after a laptop belonging to one of their colleagues was stolen from the hotel room.
The duo wanted to figure out if it’s possible to open an electronically locked room without leaving a trace, and developed their own software to hack into the keycards.
“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” explained Hirvonen. “Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”
The researchers found that an attacker just needs access to an electronic key (RFID or magnetic stripe) to the hotel or facility they are targeting. They found that information from a single keycard, even an expired and discarded one, can be scanned and copied using a small device to spoof more keys to the hotel or facility. It takes only a minute to decipher the card using the custom software, and produce a master key, which can bypass any lock, allowing unrestricted access to any hotel or facility.
“The hack consists of three steps,” Tuominen explains to The Independent. “Firstly, get access to a key card, it doesn’t matter which. Secondly, use a relatively-cheap piece of hardware, combined with our custom software, to read the card and search for the master key code. Thirdly, write the master key onto the key card, or any other key card, to gain access to any room in the facility.”
The two consultants have since worked with lock manufacturer Assa Abloy to fix the software flaw with an update, where some of the locks has been patched at the central server. However, it is expected to take a long time to roll out the fix across all hotels affected.
“We appreciate F-Secure’s ethical approach in bringing these issues to our attention,” a spokesperson for Assa Abloy said.
“We strive for the utmost security and quality in our products, so we are glad to have the opportunity to ensure our products pass the most rigorous evaluations. With these updates, we have elevated hospitality security to the next level.”
The researchers are set to present their findings at the Infiltrate conference later this week.