- The Washington Times - Wednesday, April 25, 2018

Finnish researchers have alerted the world’s largest lock manufacturer about a security vulnerability that allowed them to create “master keys” capable of unlocking millions of hotel rooms around the world, they said Wednesday.

Using only a few hundred dollars' worth of hardware and a custom-built computer program, F-Secure researchers Tomi Tuominen and Timo Hirvonen said they were able to take expired, radio-frequency ID cards from well-known international hotel chains and reactivate them in a way that gave them total access over targeted facilities.

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” said Mr. Tuominen, 45, a security consultant at F-Secure who discovered the vulnerability with Mr. Hirvonen, 32.

The researchers reached out last year to the company that makes the locks, Assa Abloy, and subsequently worked with the manufacturer to develop a software update that fixes the bug, they wrote on the F-Secure website.

Specifically, the vulnerability affects key card software used on Assa Abloy locks — Vision by VingCard — installed in tens of thousands of hotels around the world, according to F-Secure.

“First an attacker needs to get access to an electronic key (RFID or magstripe) to the target facility. Literally any key will suffice, be it a room key or a key to a storage closet or garage. What’s more, the key need not be currently active: even an expired key from a stay five years ago will work,” the researchers wrote.

“An attacker will read the key and use a small hardware device to derive more keys to the facility. These derived keys can be tested against any lock in the same building. Within minutes the device is able to generate a master key to the facility. The device can then be used instead of a key to bypass any lock in the facility, or alternatively, to overwrite an existing key with the newly created master key.”

Affected hotels were provided with the software update in February, but it may take weeks before the issue is fully resolved, Assa Abloy told Reuters.

“These old locks represent only a small fraction [of those in use] and are being rapidly replaced with new technology,” an Assa Abloy spokeswoman told BBC.

F-Secure said it won’t be publicly disclosing precise details about the hacking method used to breach the hotel locks, and that its researchers are unaware of any instances in which the vulnerability was exploited by others.
