A Finnish security firm has found that the doors on major hotel chains can be hacked and the electronic lock system exploited to make a master key to access every door in a hotel. Researchers at F-Secure were able to simulate a hack on the keycard system taking the information from an old discarded key and creating a master version that could open any door.
“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” Tomi Tuominen, practice leader at F-Secure, said.
The potential security flaw has been outlined on the company’s website, but the research goes back to 2003. Tuominen was attending a conference in Berlin when a friend’s laptop was stolen from his hotel room.
The hotel was unable to find any signs of forced entry and the log of the keycard lock showed no entries into the room aside from the hotel staff. Tuominen became concerned that the locks contained a security vulnerability that could be exploited by thieves, and he has spent parts of the last 15 years working to prove it.
“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” Timo Hirvonen, senior security consultant at F-Secure, said in a statement. “Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”
The design flaws exist in the Vision by VingCard software that is used with the lock system. This software is deployed for millions of hotel rooms worldwide, and the research has led to the world’s largest lock manufacturer, Assa Abloy, to issue software updates to mitigate the issue. Major hotel chains like Sheraton, Radisson, and Hyatt use Assa Abloy locking systems.
It’s a common sight in the movies to see someone hacking into a hotel room door using a clunky piece of hardware and a few red lights gradually turning to green, but the flaw found by F-Secure was potentially much more dangerous. Hackers would be able to use a card that had long expired or been discarded to get the necessary information to program the master key, and using that key would leave absolutely no trace or record behind.