This article is more than 1 year old
Hotel, motel, Holiday Inn? Doesn't matter – they may need to update their room key software
Eggheads craft skeleton cards to unlock doors in global chains
Infosec outfit F-Secure has uncovered security vulnerabilities in hotel keycard systems that can be exploited by miscreants to break into rooms across the globe.
Exploitable flaws were discovered in lock system software Vision by VingCard, which F-Secure said is used to secure millions of hotel rooms worldwide.
Their findings prompted the world's largest lock manufacturer, Assa Abloy, to issue software updates with security fixes to mitigate the issue.
Any ordinary wireless electronic keycard can be turned into a skeleton key – even ones long expired, discarded, or used to access spaces such as a garage or closet. The team was able to create a master key with privileges to open any room in a building without arousing any suspicion.
Hotel keycard firm issues fixes after Black Hat hacker breaks locksREAD MORE
"You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air," said Tomi Tuominen, practice leader at F-Secure. "We don't know of anyone else performing this particular attack in the wild right now."
Tuominen said the hack took years to complete – meaning it is unlikely that crims would go to those lengths rather than, say, kicking in the door.
Christophe Sut, executive veep at Assa, described the findings as "remarkable."
He said: "What they achieved involved quite an effort. It was valuable and helped us move things to the next level of security. When we got the findings, we worked closely with them to upgrade our security."
He reckoned only a small proportion of all rooms globally could be targeted via the flaw, adding: "We are working with hotel chains to let them know about the findings so they can implement security updates."
The biz said it was not aware of any rooms being broken into using the flaws uncovered by F-Secure.
Experts keep schtum
The details of the methods and the tools will not be made public by F-Secure. Assa added that the vulnerability only applies to its Vision software, a platform it no longer develops.
The researchers' interest in hacking hotel locks was sparked a decade ago when a colleague's laptop was stolen from a hotel room during a security conference.
When the theft was reported, hotel staff dismissed their complaint given that there was not a single sign of forced entry, and no evidence of unauthorized access in the room entry logs.
They then decided to investigate the issue further, and chose to target a brand of lock known for quality and security. Their probing of the technology took several thousand hours on an on-and-off basis, and involved considerable trial and error.
"We wanted to find out if it's possible to bypass the electronic lock without leaving a trace," said Hirvonen, senior security consultant at F-Secure.
"Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys."
F-Secure has worked with Assa over the past year to implement software fixes, and updates have been made available to affected properties. It has not charged the company for its services. ®
Didn't get the headline? It's courtesy of Mr Worldwide himself, Pitbull. Dale!