

Hackers could create a master key that can be used to access electronic locks used by tens of thousands of hotels, putting the security of hotel rooms at risk.
Detailed today by Tomi Tuominen and Timo Hirvonen, both researchers at the cybersecurity firm F-Secure, the hack is described as taking just one minute. It involves the creation of a master key that can access Vision by VingCard, a line of swipe card readers made by Swedish lock manufacturer Assa Abloy.
Neither the manufacturer nor the product has much public name recognition outside the hotel industry, but the chances are that if you’ve ever visited a hotel, you would have used the product, since it’s used in 166 different countries across 40,000 hotels and millions of doors.
The story behind the hack is nearly as interesting as the hack itself. Tuominen explained that while attending a hacking conference in Berlin in 2003, “we came back to our room and found that our friend’s laptop had been stolen. But the locks didn’t show any signs of being broken into. The hotel didn’t take us seriously because, I think, they thought we were hippies in black t-shirts.”
That mystery started a 15-year quest by Tuominen and Hirvonen to discover how the break-in occurred, resulting in a breakthrough last year.
Using any key from a given hotel, even an expired key, the researchers could extract identification data from the key. They could then manipulate it to produce an access token with the highest possible level of privileges, allowing them to create a master key that can access every room in a hotel.
“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” Tuominen said. “We don’t know of anyone else performing this particular attack in the wild right now.”
Although the researchers informed Assa Abloy and have worked with the company since last year to implement a patch prior to disclosing the hack, the good news ends there: The patch can’t be installed centrally and has to be installed on every single affected lock.
Not surprisingly, hotel owners are urged to patch their locks if they have not already done so.