Researchers at F-Secure, a Finnish cybersecurity company, discovered that a hotel lock system known as Vision by Vingcard can be hacked by combining a card reader that can be purchased online with custom software.
Security consultants Tomi Tuominen and Timo Hirvonen said they used old cards from hotels and generated a master key that gave them access to all the rooms using the lock.
“We found out that by using any key card to a hotel ... you can create a master key that can enter any room in the hotel. It doesn’t even have to be a valid card, it can be an expired one,” Hirvonen told Reuters.
Untraceable master keys
The researchers said they’ve been trying to get to the bottom of key card problems for more than a decade, ever since a colleague’s laptop was mysteriously stolen from a locked hotel room.
“Intriguingly, there were no signs of forced entry,” the researchers wrote. Hotel staff ultimately dismissed their complaint because there wasn’t a single indication of unauthorized room access.
The researchers then decided to investigate whether it’s possible to enter a locked hotel room without the key, and years later, they figured out how to do exactly that with the Vision by Vingcard hotel lock system.
A $300 card reader can extract data from a discarded room key and crack the code to unlock all doors at a particular hotel, Wired reported.
“Basically it blinks red a few times, and then it blinks green,” Tuominen told Wired. “Then we have a master key for the whole facility.”
“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” Tuominen wrote.
Once the security flaws were discovered, the researchers alerted Assa Abloy, the lock’s manufacturer, and set out to develop a software fix.
That fix was issued earlier this year. However, hotel chains need to apply the fix to their own systems. The key card systems serving several hundred thousand hotel rooms worldwide still haven’t been updated, Assa Abloy noted.
“I highly encourage the hotels to install those software fixes,” Hirvonen said. “But I think there is no immediate threat, since being able to develop this attack is going to take some time.”
The risk of a security breach remains relatively low since the tools and methods by which the researchers made their discovery will not be published.
In a statement, F-Secure thanked Assa Abloy for helping them fix the flaw.
“Because of Assa Abloy’s diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place,” Tuominen said.