Hackers create ‘master key’ that unlocks millions of hotel room doors

26 Apr 2018


Two cybersecurity researchers find a glaring flaw in hotel key card security.

Millions of hotel rooms across the globe were left vulnerable to hackers, according to researchers from international cybersecurity firm F-Secure.

Tomi Tuominen and Timo Hirvonen found a flaw in the software of the electronic hotel room keys of VingCard Elsafe (a brand under Assa Abloy), which supplies hotel locking systems around the world. The software in question is called Vision and could be used in as many as 40,000 premises across six countries.

Copying hotel room keys is a cinch

Spoofing hotel room keys and swipe cards is nothing new, of course, but this particular vulnerability allowed the researchers to produce a master key for an entire building in just a few minutes. Even an expired hotel room key can be used.

The interest in spoofing hotel key cards began for Tuominen in 2003, when his friend’s laptop was stolen from his hotel room at the Alexanderplatz Radisson. Strangely, no sign of forced entry was found and a digital record of the room’s lock showed only the entries of staff members working at the luxe hotel.

While nothing was ever proven at the time, both Tuominen and his colleague Hirvonen spent a number of years afterwards examining the possibility that the lock system itself was deeply flawed.

The attacker just needs access to an electronic key (RFID or magnetic stripe) to the facility they are targeting. The attacker then reads the key and employs a small hardware device to spoof more keys to the facility. These can be tested against any lock in the same building, and a master key to the building can be built in minutes. The device can then be used instead of a key to the facility or to overwrite a pre-existing key.

The hardware needed to pull this off costs just a couple of hundred euro online, but the custom software created by the F-Secure researchers is what makes the attack possible.

Hirvonen explained: “Building a secure access control system is very difficult because there are so many things you need to get right.

“Only after we thoroughly understood how the whole system was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”

Other attack vectors possible

The software could also be exploited within the same network to allow attackers access to sensitive customer information such as guest data, as well as providing the option to modify guest entries.

The findings were shown to Assa Abloy, which has since worked with its research team to provide a software update. Tuominen said: “Because of Assa Abloy’s diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place.

“We urge any establishment using this software to apply the update as soon as possible.”

The researchers also recommended using the hotel safe and door chains when available, and not leaving valuables in the room if possible.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects.