Security researchers at Finnish security vendor F-Secure have discovered that they can make hotel master keys out of thin air. This is an attack that is not believed to have been enacted worldwide. F-Secure has notified the maker of the lock and they, in turn, have been updating affected customers and properties.
There is an increasing move towards the use of digital keys. For frequent travellers, the phone is now their key to everything. It holds credit cards and payment apps, boarding cards, rental car agreements and digital hotel keys. The hotel key app can be used at a self-service check-in to get room keys made. The goal is to make the entire travel process as frictionless as possible. But throw a hack into the loop and this suddenly becomes far from frictionless.
What did F-Secure do?
Basically, they broke the Vision by VingCard key system, which secures millions of hotel rooms worldwide. The researchers discovered that any electronic key can be used, even an old, expired or discarded one. Business travellers often find old hotel keys in their bags and throw them away. These can be used to extract enough information to create a new master key that will open any room in the hotel.
In fact, criminals could even check into a hotel for a night and generate a master key that they could then sell on. With the footfall around busy conferences, this would give criminals a significant windfall. And that, in effect, is what sparked this whole investigation.
It turns out that an F-Secure employee had a laptop stolen from a hotel room during a security conference. The hotel staff said there was no forced entry and no evidence of unauthorised access. This led the team to investigate how this could happen. What is particularly interesting is the “no unauthorised access” statement. Even hotel master keys, such as those used by room service and housekeeping, are supposed to be recorded by the logging system.
Timo Hirvonen, Senior Security Consultant at F-Secure, said: “We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace. Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”
What does this mean?
Assa Abloy, which owns Vision by VingCard, has developed and deployed a patch for customer systems. It has taken a year for the software patch to be developed and implemented.
Tomi Tuominen, Practice Leader at F-Secure Cyber Security Services, said: “I would like to personally thank the Assa Abloy R&D team for their excellent cooperation in rectifying these issues. Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible.”
Are all hotels now secure?
That last sentence will still worry business travellers, as it suggests that some hotels are yet to update their systems.