Hackers can turn hotel room cards into untraceable master keys
Terence Cullen | New York Daily News | April 26, 2018 3:41pm
April 25 -- Hotel room cards -- even defunct ones -- were turned into master keys that gave hackers access to anywhere in a facility, often without leaving a trace, researchers announced Wednesday.
Finnish researchers with F-Secure brought the issue to security giant Assa Abloy last year, warning them about a major glitch in the company's Vision by Vingcard system.
The 20-year-old system is reportedly used in thousands of hotels around the world, but both the Sweden-based Assa and the researchers tried to mitigate the danger.
"These old locks represent only a small fraction (of those in use) and are being rapidly replaced with new technology," an Assa spokeswoman told the BBC.
Hackers essentially were able to take an old card and get access to any hotel room, the researchers said.
"We found out that by using any key card to a hotel ... you can create a master key that can enter any room in the hotel," Timo Hirvonen, 32, told Reuters. "It doesn't even have to be a valid card, it can be an expired one."
Hirvonen and longtime colleague Tomi Tuominen have been looking into key card problems on a part-time basis since a colleague's laptop was mysteriously stolen from a Berlin hotel in 2003 -- even though there were no signs of a break-in.
Part of the problem is people throw away the key cards or forget to leave them at the front desk when checking out, Hirvonen said.
"These issues alone are not a problem, but once you combine those two things, it becomes exploitable," he told Reuters.
While the pair noted there's no link between the glitch and any criminal acts, they displayed how simple it can be to create a master key.
For security reasons, however, the pair reportedly won't delve too deeply into how they fixed the glitch when they present their findings at a conference this week.
A $300 card reader can pull data from a discarded room key and work out what the code is to unlock all doors at a particular hotel, Wired reported.
"Basically it blinks red a few times, and then it blinks green," Tuominen told the technology magazine. "Then we have a master key for the whole facility."
The glitch would've impacted up to 140,000 lodging facilities around the world, Wired reported, although Assa suggested the number is lower.
It only impacts older systems, researchers told multiple outlets, and Assa worked with F-Secure to roll out a repair in February.
Assa also noted many hotels have replaced the software, imploring others to do the same.
The company also told Reuters that its newer locks use different methods to safeguard against breaches.