Flaw found in hotel room keys could have given hackers access to ANY room anywhere in the world
The electronic lock systems found in thousands of hotels around the world could have left holidaymakers and business travellers at risk of attack, according to new research from F-Secure.
The company’s security researchers have found a flaw in the lock system’s software, known as Vision by VingCard, which could have been exploited by hackers to gain access to any room in a hotel, anywhere in the world.
In particular, the flaw meant researchers could use any ordinary electronic key, even those that have expired, discarded, to get access to the system. Using information on the key, the researchers were able to create a master key with privileges to open any room in the building. What’s more, the attack can be performed without being noticed.
The flaw is so significant, it has since prompted the world’s largest lock manufacturer, Assa Abloy, to issue software updates with security fixes to shut down the problem.
“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” said Tomi Tuominen, practice leader at F-Secure Cyber Security Services. “We don’t know of anyone else performing this particular attack in the wild right now.”
The researchers’ interest in hacking hotel locks was sparked a decade ago when a colleague’s laptop was stolen from a hotel room during a security conference. When the researchers reported the theft, hotel staff dismissed their complaint, given that there was not a single sign of forced entry and no evidence of unauthorised access in the room entry logs.
The researchers decided to investigate the issue further by targeting a brand of lock known for quality and security. The flaw wasn’t obvious, and took what the team called “a thorough understanding of the whole system’s design to identify small flaws that, when combined, produced the attack”.
“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” added Timo Hirvonen, senior security consultant at F-Secure. “Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”
F-Secure notified Assa Abloy of the findings and has collaborated with the lock maker over the past year to implement software fixes. Updates have also been made available to affected properties.