UPDATED 22:25 EST / APRIL 25 2018

Hotel electronic locks vulnerable to simple security token manipulation hack

Hackers could create a master key that can be used to access electronic locks used by tens of thousands of hotels, putting the security of hotel rooms at risk.

Detailed today by Tomi Tuominen and Timo Hirvonen, both researchers at the cybersecurity firm F-Secure, the hack is described as taking just one minute. It involves creating a master key that can open Vision by VingCard swipe card readers, made by Swedish lock manufacturer Assa Abloy.

Neither the manufacturer nor the product has much public name recognition outside the hotel industry, but chances are that if you’ve ever visited a hotel, you have used the product: it’s used in 166 countries, across 40,000 hotels and millions of doors.

The story behind the hack is nearly as interesting as the hack itself. Tuominen explained that while attending a hacking conference in Berlin in 2003, “we came back to our room and found that our friend’s laptop had been stolen. But the locks didn’t show any signs of being broken into. The hotel didn’t take us seriously because, I think, they thought we were hippies in black t-shirts.”

That mystery started a 15-year quest by Tuominen and Hirvonen to discover how the break-in occurred, resulting in a breakthrough last year.

Using any key from a given hotel, even an expired one, the researchers could extract identification data from the key. They could then manipulate that data to produce an access token with the highest possible level of privileges, allowing them to create a master key that can access every room in the hotel.

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” Tuominen said. “We don’t know of anyone else performing this particular attack in the wild right now.”

Although the researchers informed Assa Abloy and have worked with the company since last year to implement a patch before disclosing the hack, the good news ends there: The patch can’t be installed centrally and has to be installed on every single affected lock.

Not surprisingly, hotel owners are urged to patch their locks if they have not already done so.

Photo: Wolfgangus Mozart/Wikimedia Commons
