Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Built a 'Master Key' For Millions of Hotel Rooms (zdnet.com)

Posted by msmash on from the of-course-they-did dept.

An anonymous reader writes: Security researchers have built a master key that exploits a design flaw in a popular and widely used hotel electronic lock system, allowing unfettered access to every room in the building. The electronic lock system, known as Vision by VingCard and built by Swedish lock manufacturer Assa Abloy, is used in more than 42,000 properties in 166 countries, amounting to millions of hotel rooms -- as well as garages and storage units. These electronic lock systems are commonplace in hotels, used by staff to provide granular controls over where a person can go in a hotel -- such as their room -- and even restricting the floor that the elevator stops at. And these keys can be wiped and reused when guests check-out.

It turns out these key cards aren't as secure as first thought. F-Secure's Tomi Tuominen and Timo Hirvonen, who carried out the work, said they could create a master key 'basically out of thin air.' Any key card will do. Even old and expired, or discarded keys retain enough residual data to be used in the attack. Using a handheld device running custom software, the researchers can steal data off of a key card -- either using wireless radio-frequency identification (RFID) or the magnetic stripe. That device then manipulates the stolen key data, which identifies the hotel, to produce an access token with the highest level of privileges, effectively serving as a master key to every room in the building.

126 comments

  1. Locks in general, are not very secure. by Kenja · · Score: 4, Insightful

    They are a deterrent against casual attacks, and nothing more.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Locks in general, are not very secure. by H3lldr0p · · Score: 4, Insightful

      Yeah, but this has the potential to make casual attacks even easier.

      Does anyone know how hard it would be to update/patch the locks? Can it be patched at all?

    2. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      well if you feel that way can I have your useless password?

    3. Re:Locks in general, are not very secure. by nanoflower · · Score: 2

      I would hope that there's a way to upgrade the locks so that they can prevent this attack. Though then the question is how difficult would that be (do you have to upgrade each lock one at a time?) and how many hotels would go through the process.

    4. Re:Locks in general, are not very secure. by Dutch+Gun · · Score: 4, Informative

      The linked article answers that question:

      Their discovery also prompted Assa Abloy to release a security patch to fix the flaws. According to their disclosure timeline, Assa Abloy was first told of the vulnerabilities a month later in April 2017, and met again over several months to fix the flaws. The software is patched at the central server, but the firmware on each lock needs to be updated.

      So, it can be patched, but sounds like a bit of a pain. It also sounds like this was responsibly disclosed by the researchers to the manufacturer, so good for them on that point.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    5. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      According to their disclosure timeline, Assa Abloy was first told of the vulnerabilities a month later in April 2017, and met again over several months to fix the flaws.

      The software is patched at the central server, but the firmware on each lock needs to be updated.

    6. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 1, Interesting

      This is generally not an issue. Most hotel rooms include a deadbolt as well as a chain operated entry prevention device (EPD) that function as a manual backup system. If you hear your electronic lock go 'CLACK' in the middle of the night and your door quietly open because you forgot to engage the manual locks, you deserve the robbery that's about to happen.

    7. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      password1

    8. Re:Locks in general, are not very secure. by chispito · · Score: 2

      Yeah, but this has the potential to make casual attacks even easier.

      Does anyone know how hard it would be to update/patch the locks? Can it be patched at all?

      There are so many ways to compromise locks, this changes nothing. Hotel locks are not electronic for security, they are electronic for ease of management.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    9. Re:Locks in general, are not very secure. by omnichad · · Score: 5, Insightful

      And you can engage neither of these if you're not in the room.

    10. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      You've only considered times when the room is occupied. When staying more than one night, it's common to leave the room unattended. No deadbolt when outside of the room.

    11. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      Thieves generally like a nice empty quiet place to do their work. If no one is there then the manual locks won't be in use, will they?

    12. Re:Locks in general, are not very secure. by Lord+Kano · · Score: 1

      From casual to trivial.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    13. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      You are both not wrong, and completely wrong. Allow me to analogize it.

      Bypassing a lock that uses a physical key is like trying to navigate the Linux commandline environment.

      Bypassing a lock that uses a credit-card-like device previously was like trying to code your own custom script to do something in the commandline environment. But someone else already wrote the script for you and gave it to you and a few million of your friends and now it's just a double-click on everyone's GUI desktop.

    14. Re: Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      Why don't you read the article for yourself?

      The answer is in there.

    15. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      The real problem is: their entire concept of "security" counted on no one having a custom device that could read or modify these keycards. If not for that, they'd have incorporated some kind of signing mechanism so that the hotel's door readers can easily verify that a given card actually belonged to that hotel prior to processing any privilege tokens. Not unlike using PGP/GnuPG to sign an e-mail.

      So they made a big mistake and invested in it, heavily. Despite the ready availability of already-existing solutions to this problem. The question then is, does this constitute negligence of the sort that would make them financially liable for any resulting losses at hotels and other facilities? 166 countries sounds like a lot to cover...

    16. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 2, Insightful

      Wow. This sure is a brand new problem that hasn't been existence since forever.

      How will the hotels respond to people having master keys to all their rooms across the entire country?

      It's not as though they pass these out to every person who applies for a low-level cleaning job....

      Oh. Right.

      Never mind.

    17. Re:Locks in general, are not very secure. by AmiMoJo · · Score: 1

      42,000 properties, each with an unknown number of locks each, and they all need a firmware upgrade.

      What have Assa Abloy done to get this firmware upgraded? Are they going to send technicians to every site to do the update for free? Or will they send out a carefully worded email that makes it sound like it's no big deal but if you are concerned you can pay for an upgrade?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    18. Re:Locks in general, are not very secure. by Kenja · · Score: 1

      Passwords are different, by comparison most locks have four pins, most passwords require eight or more characters.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    19. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      Too bad most hotels have floor CCTV's so even if you did have a master key, smile for the cameras!

      The assumption nobody else had a programmer is the same as pay us for OUR programmer boxen.
      Things like this have been done before, once you know the mark/space timings you can use a zener diode for a random attack, or even an extra antenna to sniff and replay the maids semi master key.

      I suspect the fix was assigning a number to special master keys that hashes to the hotel unique serial number, because logically a master master key worked on all hotel locks. End of day, the memory can still be dumped, read amd deconstructed.

      But often shoulder or sole of boot is also a master key.

    20. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      WRT patching

      Most building infrastructure stuff like this will be connected via a multi-drop network (i.e. RS-485) and there will be a computer sitting under a desk somewhere "running" the key-card system. Id imagine that as soon as the management software pulls down the latest version it'll push out the firmware patch to all the locks reasonably seamlessly.

      The ball-ache will be re-issuing cards to everyone conforming to whatever the new schema is, unless they contrive a way to grandfather them in and still address the issue.

    21. Re:Locks in general, are not very secure. by AntronArgaiv · · Score: 1

      Pretty much every keying system that allows a master key, is vulnerable to that master being duplicated.

      And figuring out the master is not particularly difficult.
      Even less so, when there is no mechanical difference between a unit key and a master.

      "it's just bits"

    22. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      This is generally not an issue. Most hotel rooms include a deadbolt as well as a chain operated entry prevention device (EPD) that function as a manual backup system. If you hear your electronic lock go 'CLACK' in the middle of the night and your door quietly open because you forgot to engage the manual locks, you deserve the robbery that's about to happen.

      The master lock opens dead bolted doors. A flat flexible metal fork shaped tool pops open the manual flip lock with ease.

    23. Re:Locks in general, are not very secure. by mschwanke97402 · · Score: 1

      I would hope that there's a way to upgrade the locks so that they can prevent this attack. Though then the question is how difficult would that be (do you have to upgrade each lock one at a time?) and how many hotels would go through the process.

      I can think of one possible upgrade. A small, flat metal object with fancy serrations along one edge. You insert it into a slot that has a mechanism that matches...

    24. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      But often shoulder or sole of boot is also a master key.

      Also, depending on the lock brand, a cordless drill at the right location can be a quick and very quiet way to get to an access slot/lever. In case the board fails and guest needs quick access, I can get into a room in a couple of minutes if needed, with very small noise or disruption to anybody. Actually, we make more of a fuss than we need to, because we want the guest standing in the hallway to think it is difficult. We don't want them to realize how quickly and quietly someone can get through these doors. We use 2 workers, plus loud drill and pound a bit, for show.

    25. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      WRT patching

      Most building infrastructure stuff like this will be connected via a multi-drop network (i.e. RS-485) a
      bla bla bla
        patch to all the locks reasonably seamlessly.

      You obviously never serviced hotel electric locks. When the monkeys clean, they get fluid inside. When the monkeys replace the batteries, wires get pinched inside. When the room service carts hit the door hard.....etc.

      Very often the network cards have issues. Very often multiple locks or combinations of boards with parts/ chips from other boards frankensteined together. Very often the engineers, security guards and IT workers are using a system they do not fully understand. They are under high time stresses for their full shift and any change to the system puts risk of guest issues higher. So they just keep doing what works and only fix what is needed when it is needed. This may never "need" to be resolved.

      The rooms already have a few potential security breaches. This bug doesn't add much more danger of breach.

    26. Re: Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      The question is if they had any losses attributable to this hack at all. Probably not thus far, so the only losses might be in managing the issue.

    27. Re:Locks in general, are not very secure. by Obfuscant · · Score: 1

      A small, flat metal object with fancy serrations along one edge. You insert it into a slot that has a mechanism that matches...

      This! Because making a master one of these would be impossible.

      Hint: it takes one valid key and a handful of blanks to figure out the master key.

    28. Re:Locks in general, are not very secure. by Solandri · · Score: 1

      So, it can be patched, but sounds like a bit of a pain

      It's less of a pain than re-keying locks which use physical keys.

      The overall security issue here is being overblown because people are incorrectly comparing to a non-existent base state - that if hotel locks were somehow impervious to hacking. You need to compare to the next best alternative. In this case, electronic key cards replaced physical keys. Hotels with physical lock keys also had master keys (that's how maids got into every room to clean them), which were just as vulnerable to theft and copying. Replacing them with electronic key cards, even with their flaws and vulnerabilities, was still an improvement in security. It's only a decrease in security if you incorrectly assumed the system was somehow perfect.

    29. Re:Locks in general, are not very secure. by JackieBrown · · Score: 1

      I think they must be. How else would they change the keys everyday?

      I've had them change the key same day when I lost my card

    30. Re:Locks in general, are not very secure. by morethanapapercert · · Score: 3, Informative
      Well; there were and still are, good reasons to go with a key card system over a traditional key system.

      1) Traditional keys are far more expensive, per unit, than the cards used by these systems. Most use small paper-based cards with a mag strip, which cost mere pennies each. These is offset by the expense of the locks of course, but that's a capital expense rather than an operating expense.

      2) Because of the need for master keys for hotel staff, locks need to have three piece pins rather than the common two piece. Changing these requires a locksmith and changing all the locks invalidates all the keys, master and non. On the other hand, a key card system can not only let staff have master keys, it can let every staff member have their own unique "master key". So if you have to fire Agnes the room cleaner, you can invalidate her key card at the same time, ditto if she just lost her current one.

      3) Similar to the problem with Agnes, guests are constantly losing keys. It is trivial to run off as many extra keys as needed. (which also allows multiple keys when dealing with double occupancy) 4) Many lock systems communicate with the central server over wi-fi, allowing front desk staff to disable a guests access if they want to make sure he comes down to the front desk to talk to them.

      5) As the summary says, it allows granular control. If you fill a batch of rooms with a commercial client (like a work crew for example), you can give them the discounted commercial bulk rate and disable their access to the pool and so on. For special guests who require a lot of privacy, such as celebrities, politicians and people in hiding from an abusive spouse, you can disable the staff master key access if needed. The logic is the same as using permission based security in the IT world

      6) Finally, traditional tumbler and wafer locks using keys are no more secure than these key cards, even in the vulnerable state the article describes. Lock picking is well known these days and a set of picks can be had or made even cheaper than the hand held mag strip writing device. You can't quite pick a lock using paper clips as easily as the movies suggest (paper clips aren't hard and springy enough) but it can be done with some locks. And a skill in picking locks and a basic set of picks opens far more doors and padlocks around the world than this key card exploit can. Note that master keyed traditional locks are often *easier* to pick than standard keyed locks, because you have two breaks, hence two chances per pin to get that pin unlocked. To open a lock only requires that every barrel have a break in the pins lined up in the cylinder, there is nothing preventing you from picking or creating a key which uses some of the master key bitting and some of the standard key bitting.

      --
      I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
    31. Re:Locks in general, are not very secure. by aaarrrgggh · · Score: 3, Insightful

      Janitorial keys are limited to a floor or cluster of rooms, are individually assigned, and are traceable/auditable. A true master key that does not follow the audit trail is a problem, but the hotel management system can likely be used to flag on a master key use and send security.

    32. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      >You obviously never serviced hotel electric locks

      No, but I've installed several hundred, along with alarm linked panic bolts, maglocks and a whole host of other ancillary building management hardware, generally attached to, or around doors.

      Maybe if you stop employing monkeys, the monkeys will stop breaking your shit, otherwise these things are generally pretty bullet proof.

    33. Re:Locks in general, are not very secure. by Dutch+Gun · · Score: 1

      Yep, that's why I said "a bit of a pain" rather than "a nightmare to fix." I'm not trying to overblow the issue, certainly, and I definitely think electronic keys are more secure than physical keys for the most part.

      It does need to be fixed, but I wouldn't really call this a significant threat to security, given the fairly high technical hurdle to creating a forged master key.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    34. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 1

      Wrong. Knowing the bitting on a operating key typically doesn't even reduce the possible keyspace. An operating key and a master key do not need to share any depths, could share some depths, or could share most.

      If one were to utilize a working key to disassemble a lock and take readings, a six-pin system would require the creation of 36 keys to determine a masterkey.

      So no, not in any way a person could make "a handful" of keys and determine a master key..unless you are accustomed to dealing with master keyed luggage locks.

    35. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      166 countries with different laws.

      And there is always "Prove that they used a fake master key, and not simply a key stolen/loaned from the cleaners."

    36. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 0

      Too bad most hotels have floor CCTV's so even if you did have a master key, smile for the cameras!

      A wig, some makeup that gives you darker skin color, sunglasses, hoodie/cap. CCTV then doesn't have enough resolution to figure out what you really look like.

    37. Re:Locks in general, are not very secure. by Obfuscant · · Score: 2

      If one were to utilize a working key to disassemble a lock and take readings, a six-pin system would require the creation of 36 keys to determine a masterkey.

      No. It takes one key per pin to determine all the correct keyings for any lock. I'll leave the process to your imagination, if you have any.

    38. Re:Locks in general, are not very secure. by mschwanke97402 · · Score: 1

      I was make a quite "tongue-in-cheek" response. Never meant to be taken seriously. Although, it seems as soon as you take any everyday device or process and digitize it, it won't be long until someone hacks it, creating yet another security issue that us regular morons have to worry about or get vicitimized by.

    39. Re: Locks in general, are not very secure. by nehumanuscrede · · Score: 1

      E-Locks with a built in backdoor ( intentional or otherwise ) are even less secure.

      I wish the DOJ would learn such things.

    40. Re: Locks in general, are not very secure. by Anonymous Coward · · Score: 1

      http://www.crypto.com/masterkey.html

    41. Re: Locks in general, are not very secure. by Brockmire · · Score: 1

      You must be new here.

    42. Re:Locks in general, are not very secure. by brantondaveperson · · Score: 1

      If not for that, they'd have incorporated some kind of signing mechanism so that the hotel's door readers can easily verify that a given card actually belonged to that hotel prior to processing any privilege tokens

      Of course, but this vastly increases the cost of the locks themselves, which will have been made as cheap as they can possibly be. In real life, the security of the hotel's room locks isn't that important to the hotel.

    43. Re:Locks in general, are not very secure. by brantondaveperson · · Score: 1

      Sounds like you work in a place that values security. A hotel is not such a place.

    44. Re:Locks in general, are not very secure. by Mattcelt · · Score: 2

      the hotel management system can likely be used to flag on a master key use and send security

      To my knowledge, I have never stayed in a hotel where the electronic door locks were connected to a central system. They operate completely independently, and the auditing system must be manually accessed from each unit. There are no alarms or notifications.

    45. Re:Locks in general, are not very secure. by aaarrrgggh · · Score: 1

      I know Penninsula hotels has been doing it for decades, although it took them a while to have it fully integrated in real time. Not sure if I am mixing up projects, but I think it was via Dallas Semi's one-wire link to the locks. Originally a door contacted prompted the room controller to get the lock details. Always got a kick out of how seriously they took it; they actually brought (4) DSL lines to each room with two for automation, one for entertainment, and one for guest internet.

      I have seen similar systems elsewhere, although you are correct that the vast majority of locks are fully decentralized.

    46. Re: Locks in general, are not very secure. by lsatenstein · · Score: 1

      Install cameras at each hallway in the hotels where these locks are used.
      You are thus recording perpetrators and cleaning staff.

      Don't keep all your valuables in your hotel room, as a precaution from theft.

      --
      Leslie Satenstein Montreal Quebec Canada
  2. My Third Second? by Anonymous Coward · · Score: 0

    Hot Town! Summer in the shitter!

  3. Well i guess.. by Anonymous Coward · · Score: 0

    Thats why they have a safe in all rooms im sure will be the answer to this.

    1. Re:Well i guess.. by Waffle+Iron · · Score: 1

      Thats why they have a safe in all rooms im sure will be the answer to this.

      You mean those hotel safes that were found to all share the same master combination of 00000?

    2. Re:Well i guess.. by Anonymous Coward · · Score: 0

      Thats why they have a safe in all rooms im sure will be the answer to this.

      I nibble the bait....

      You mean the hotel safes where the security has a master key so they can get in in seconds if a guest forgets their passcode?

    3. Re:Well i guess.. by JackieBrown · · Score: 1

      Almost every room I stay in nowadays (and for a while) has electronic keycards. I have never had a room with a safe, though

  4. Old news... by Anonymous Coward · · Score: 0

    Hollywood has been doing this in the movies for years.

  5. Security Researchers?????? by Anonymous Coward · · Score: 0

    Are they "Security Researchers" or are they "Hackers"?
    Or are you saying that "Security Researchers" are "Hackers"?
    Are "Hackers" just "Security Researchers"?
    It is so confusing!
    Next they will be telling us that drug addiction is a disease.

    1. Re:Security Researchers?????? by Fly+Swatter · · Score: 2

      The correct term is cracker, however that battle was lost a long time ago.

  6. Huh, all those goofy spy movies and tv shows by Anonymous Coward · · Score: 0

    are right.

  7. Re:Where's the Russians? by Anonymous Coward · · Score: 0

    But where are the Russians?

    It might be you.

  8. Who is to blame? by Anonymous Coward · · Score: 0

    Is the error in VingCard's design, or in Assa Abloy's manufacturing process? Who is to blame?

  9. If the hackers have the master key... by QuietLagoon · · Score: 4, Insightful

    ... you can be sure that state-level entities also have it. It is one of the reasons why I use a disposable notebook, set up with a minimal configuration, when I travel.

    1. Re:If the hackers have the master key... by Anonymous Coward · · Score: 0

      So are you worried about the Russians or the Democrats finding your stash of midget porn?

      Shit like this is of concern to people in high end hotels/casinos with valuable jewelry in the room.

      I mean, this is hard for me to say - because people don't value privacy enough, so I feel I should be applauding your clinical paranoia. So good on you? But no state-level actor gives a fuck about you.

    2. Re:If the hackers have the master key... by Anonymous Coward · · Score: 0

      ... you can be sure that state-level entities also have it.

      Or when the state-level entities show up to raid your room they could just ask the desk manager for the key. Or they could knock the door down. WTF?

    3. Re:If the hackers have the master key... by Anonymous Coward · · Score: 0

      You sound like quite the loon.

    4. Re:If the hackers have the master key... by Anonymous Coward · · Score: 0

      Yeah, I know a number of companies that issue minimalist 'travel laptops' to employees who have to go to China for business.

      It's pretty well known that there is a significant amount of industrial espionage taking place there, and the lines between business interests and the state are blurry in many areas.

      I also know of many companies here in Silicon Valley that have had break-ins where laptops were stolen, confidential trash bins carried off, and even regular trash carried off. It is not clear to me which businesses or entities are performing this espionage, though.

    5. Re:If the hackers have the master key... by neo-mkrey · · Score: 1

      Only if you have something to hide...

    6. Re:If the hackers have the master key... by Zaiff+Urgulbunger · · Score: 1

      I read that the reason F-Secure looked into this in the first place was because one of their people had a laptop stolen from a hotel room with no sign of forced entry and no logs. So I'd guess _someone_ already has access.

      And then you have to wonder if it was just a random laptop theft or if they knew who's laptop it was...

    7. Re:If the hackers have the master key... by Anonymous Coward · · Score: 1

      what sort of international man of mystery are you, that (1) state level entities would be interested in what you do, and yet (2) not post as an anonymous coward, quiet lagoon 813062?

    8. Re:If the hackers have the master key... by Anonymous Coward · · Score: 0

      I would imagine staff have access.

    9. Re:If the hackers have the master key... by Anonymous Coward · · Score: 0

      Laptops are easily portable and easy to sell. Trash can be a treasure trove of identity and financial information. You don't need to invoke espionage, as much as someone wanting to order stuff on the credit card of the company they are turning over.

    10. Re:If the hackers have the master key... by Anonymous Coward · · Score: 0

      That would be the Pre-constitutional mentality. Are you per chance from that Great Parasite Britain?

    11. Re:If the hackers have the master key... by Anonymous Coward · · Score: 0

      That's not only for China, (and Russia, of course). For European companies the USA is also on the same list. I wish I was trolling, but this is true.

    12. Re:If the hackers have the master key... by Anonymous Coward · · Score: 0

      "State-level entities" would just go to the manager and get the janitorial key. Why overcomplicate things?

    13. Re:If the hackers have the master key... by Actually,+I+do+RTFA · · Score: 1

      when the state-level entities show up to raid your room they could just ask the desk manager for the key.

      At any given time, the state-level entities of 1 state can do that. There are like 200 other states that cannot (I doubt the Chinese police can get a key to a US hotel room just by asking.)

      --
      Your ad here. Ask me how!
    14. Re:If the hackers have the master key... by ayesnymous · · Score: 1

      Oracle hired people to dig through competitors' trash.

    15. Re:If the hackers have the master key... by Zaiff+Urgulbunger · · Score: 1

      I would imagine staff have access.

      yeah, but... no logs?!

    16. Re:If the hackers have the master key... by Riceballsan · · Score: 1

      Country of origion is irrelevant. Fake badge and uniform, and if need be fake warrant are easily obtainable by the Chinese government. The question then comes how much does the entity care about the risk of you learning they were in your room. The I'm with the police schtick works pretty well, but yes obviously you have a fairly high risk of them learning you were in the room. IMO it's all pretty moot, because 99% of hotels locks can be defeated by a long coat hanger (or a fairly inexpensive tool designed for that). I've never seen a hotel without the pull down style of handle on the inside, and a nice huge inch or so of clearance between the bottom of the door and the floor. All you need to do is slide under that, pull the handle down, and you are in.

  10. Re: Where's the Russians? by Anonymous Coward · · Score: 0

    When people speak in memes, they're usually retarded.

  11. Re:This Is Why I Travel Very Light! by QuietLagoon · · Score: 1

    I like the way you turned your comment into an advertisement. Good work!

  12. Maybe for you by SuperKendall · · Score: 4, Informative

    It turns out these key cards aren't as secure as first thought.

    *Reads summary*

    No, they are exactly as secure as I first thought - and second and third.

    It's why I try to take anything valuable with me, or hide it, or lock it away somewhere when in any hotel room.

    Luckily for all of us most hotel rooms are empty or don't hold much of worth plus there is the danger of entering one with someone in it, so it would be very tedious and difficult even with a master key to go through enough rooms to find something of real value.

    If you want to target just one person where you can watch to see when they exit a room - then you are set.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Maybe for you by Anonymous Coward · · Score: 1

      Or if you do have a master key and not targeting to pilfer rooms. you can always find an empty room for the night to stay free of charge.

      Nathan

    2. Re:Maybe for you by BronsCon · · Score: 1

      You might send up some red flags when you unlock an unoccupied room while housekeeping is not making their rounds; and if you unlock the room during their rounds they're likely to visit the room while you're in it, or see you entering the room they just finished cleaning and know is supposed to be empty. Expect a visit from hotel management shortly after you settle in if you try this.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    3. Re:Maybe for you by LQ · · Score: 2

      Luckily for all of us most hotel rooms are empty or don't hold much of worth

      My partner went to a conference and three people had laptops stolen from their rooms without forced entry while they were in the bar. Hoteliers just shrugged.

    4. Re:Maybe for you by sims+2 · · Score: 4, Informative

      This isn't the first time this has happened
      https://www.wired.com/2017/08/...

      They started out just stealing the fixtures like the TV from unoccupied rooms then started waiting for the occupants to leave and then taking their stuff while they were gone.

      --
      Minimum threshold fixed. Thanks!
    5. Re:Maybe for you by Riceballsan · · Score: 1

      The plot twist... while you are out there with your super important stuff back at home... your home is getting pwned by a brick through the window.

  13. nobody fucking cares about you by Anonymous Coward · · Score: 0

    Folks:

    my god, what a loser, pontificating to their imaginary subjects

    i'd tell you to get a life but clearly it's far too late

  14. Re:This Is Why I Travel Very Light! by Pascoea · · Score: 1

    You should really update your website. It looks like one I made in High School, 15 years ago.

  15. Re:This Is Why I Travel Very Light! by Anonymous Coward · · Score: 0

    I would downboat this if I had an account.

  16. Happened before. by Anonymous Coward · · Score: 2, Insightful

    This has happened before about 6 years ago, with a different hotel lock system. Last time it was Onity, now it's Ving/Abloy.

    https://hardware.slashdot.org/story/12/07/25/1326225/open-millions-of-hotel-rooms-with-arduino

    I'm not terribly convinced this was something that was widespread hackable. Also, the fast that it took 10 years and thousands of hours to exploit tells me that the system was fairly secure BEFORE these guys decided to publish the details, which considerably reduces the costs.

    It shouldn't come as a surprise that a hotel room isn't secure. They're vulnerable to social engineering, and just about every staff member can get into your hotel room. You think these keys are all kept securely, and don't leak out?

    Years ago I stayed at a hotel with a slightly paranoid friend of mine. This slight paranoia led him to putting locks on his luggage, which had nothing of value in them anyway. We went out to get something to eat, and while we were away someone broke into the room, broke his cheap-ass luggage locks, and stole... nothing, because he didn't have anything valuable in your luggage. He was pissed because now he had several broken luggage locks, which probably cost $30 total. I didn't have luggage locks (because... why?) and didn't suffer any loss.

    The point being that he the best defense against theft is to simply not bring much value with you. Keep your cell phone with you, bring a cheap laptop, and don't lock your bags. Also lock the damn door with the deadbolt that doesn't have a key when you sleep.

    1. Re:Happened before. by Anonymous Coward · · Score: 0

      And a lot of hotels did not swap out those old Onity locks and are STILL using them. Eighteen years behind the desk. I have seen everything.

  17. The problem with de facto standards for security by Aristos+Mazer · · Score: 2

    When you have one vendor that everyone turns to for the canonical "good security solution", it works fine until a hole is found because then everyone is at risk. The more diversity there is in security, the more likely there is to be a bug in any given implementation (bad), but at least when a hole is found, the entire system isn't at risk. Shuffle your attack surfaces. Have different key systems at different hotels. Or, better, on different floors, so that if a breach is found in one system, you can close that floor while you replace/repair the locks. Would that be more expensive? Yes. Security isn't cheap, but the bigger you make the target, the more tempting the target.

  18. Probably not by SuperKendall · · Score: 1

    You might send up some red flags when you unlock an unoccupied room while housekeeping is not making their rounds

    If you went into an unoccupied room at 11:00pm do you really think anyone is going to check before the morning?

    Yes you will set up "red flags" which is nice because then they can clean the room when they check long after you are gone in the morning.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Probably not by BronsCon · · Score: 2

      Do you really think these systems don't alert the front desk when an unoccupied room is unlocked? They don't have to check, it alerts the front desk immediately. Housekeeping keycards are tagged with unique IDs (to identify the employee the card was assigned to), so they don't trigger the alerts, but you'd have to know one of those valid IDs in advance; simply setting the access token to whatever is used by housekeeping isn't enough.

      Of course, these systems can be configured not to alert when an empty room is unlocked, and I'm sure $40/night shitholes go that route because it's not worth it to deal with a squatter over $40 anyway, but you can be sure the alerts are enabled at any of the places your typical egocentric hacker would target.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    2. Re:Probably not by SuperKendall · · Score: 2

      Do you really think these systems don't alert the front desk when an unoccupied room is unlocked?

      Do you honestly think they DO? You have an overactive imagination as to how much hotels care about room security.

      And even if they did, what are the one or two guys at the front going to do about that anyway? Leave the front desk unmanned so they can get physically assaulted? Hardly.

      I'm sure $40/night shitholes go that route because it's not worth it to deal with a squatter over $40 anyway,

      Hint: The $200 shitholes also do not really care. Of course there are alerts but I am saying if you go in late and leave early the late shift people are just going to say "screw it".

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    3. Re:Probably not by Anonymous Coward · · Score: 1

      So the solution really is to open several unoccupied rooms over the course of a couple hours, but not disturb them. Eventually the employees believe that something in the system is malfunctioning and stop checking the alerts.

    4. Re:Probably not by BronsCon · · Score: 1

      Do you honestly think they DO? You have an overactive imagination as to how much hotels care about room security.

      No, I know hotels DGAF about room security. They do, however, care a lot about getting paid for their rooms.

      And even if they did, what are the one or two guys at the front going to do about that anyway? Leave the front desk unmanned so they can get physically assaulted?

      A $150+/night hotel is going to have security on site, who will accompany police to the room in question once they arrive on scene.

      No imagination needed when you know people who work at a higher level in the industry.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    5. Re:Probably not by myth24601 · · Score: 1

      Of course, these systems can be configured not to alert when an empty room is unlocked, and I'm sure $40/night shitholes go that route because it's not worth it to deal with a squatter over $40 anyway, but you can be sure the alerts are enabled at any of the places your typical egocentric hacker would target.

      Likely, they do care because a squatter still has to be cleaned up after and as well as any damage they cause has to be repaired.

      --
      No matter where you go, there you are.
    6. Re:Probably not by BronsCon · · Score: 1

      There is that, as well, but I was trying not to be too argumentative; you see, the person I was replying to has a history of getting a bit, shall we say, aggressive when his arguments are destroyed too effectively.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    7. Re: Probably not by nwf · · Score: 1

      Nearly every keycard lock made (perhaps until recently) has absolutely no communication with anything. They are programmed by they keys. When a new guest inserts a new card, all old ones are deactivated. No communication needed. They are made to be cheap. Many have a secret port to reprogram them, however.

      How do I know? I used to evaluate these systems. Newer locks use RFID which may be better.

      --
      I don't know, but it works for me.
    8. Re: Probably not by BronsCon · · Score: 1

      So, then, how does the lock know the new card is valid? And how can the lock be opened by two or more cards if inserting a new one invalidates the old ones?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    9. Re: Probably not by nwf · · Score: 1

      Timestamp as I recall/guess. Not very secure, but then that's the point of this article. Maybe it encodes that using some algorithm, but there's no networking.

      --
      I don't know, but it works for me.
  19. Re:Haven by irrational_design · · Score: 1

    And then what? Oh look, there is motion in our hotel room, but we are 50 miles away at the moment. I suppose you could call the hotel, but that might be too late.

  20. Wonderful! by Anonymous Coward · · Score: 1

    I will now sleep soundly in my overseas hotel room, in a country whose main language I do not speak, a currency I'm not familiar with, and customs and cultures that are different from my own. However I used to be able to at least lock the hotel room and get a good night's sleep. A proverbial port in the storm.

    Wonderful! /s

    1. Re:Wonderful! by PPH · · Score: 2

      You can still secure the door from the inside for privacy. It's just that all bets are off when you leave in the morning for some sightseeing with all your valuables inside.

      --
      Have gnu, will travel.
  21. At least they can't be updated over the network by MDMurphy · · Score: 1

    I'm a little surprised that the locks aren't networked, making mass-updates possible. I'm also impressed that they aren't all networked in a manner that allows f/w updates as that would just be another attack vector. An easily accessible USB port on the bottom of the lock would be just as bad. (as some hacked locks have had, on the *outside*!)

    The hack makes millions of locks vulnerable, but it didn't open them all. The annoyance of updating all the locks individually is a consequence of not having them all connected in a way that would have made them more vulnerable.

    1. Re:At least they can't be updated over the network by Anonymous Coward · · Score: 0

      Please define the word "Vulnerable" as you understand it.

      1) A lock is DESIGNED TO BE UNLOCKED
      2) Any lock in a hotel is designed to be unlocked WITH A MASTER KEY
      3) All this system does is duplicate the master key

      If this is vulnerable, then these hotel locks have ALWAYS been vulnerable.

  22. Improve your odds by SuperKendall · · Score: 3, Informative

    If I have a laptop in the room, I always leave out the do not disturb sign (who needs maid service anyway), a thief is probably not going to enter a room with that on the door. I would say leave the TV on too, but that would be a real asshole move for the rooms around you.

    Also I usually hide valuable things like laptops. Either I put it in a suitcase that I lock (though someone could still take the suitcase if they are hitting a bunch of rooms they probably will not bother to take a bulky suitcase) or hide it somewhere. Under a pillow on a made up bed is a good location, under the bed is not great as thieves will check there. On top of tall shelves in the back is decent.

    Theft prevention is all a numbers game, you do what you can but sometimes the dice come up with missing laptop no matter what you do. But even simple precautions beyond "leave out on desk" can greatly improve your odds of success.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  23. Now that I think of it.... by Cajun+Hell · · Score: 2

    It turns out these key cards aren't as secure as first thought

    I don't remember anyone ever explaining to me why I should think they're secure at all. They just .. exist. I can't even say they've been misrepresented to me.

    --
    "Believe me!" -- Donald Trump
    1. Re:Now that I think of it.... by JackieBrown · · Score: 2

      It's a social thing. There is a lock so you feel secure.

      Most hotels I have stayed at actually have signs saying don't leave valuables out.

      It's like the parking lots that advertise "Guarded and video surveillance". Then right next to the sign is another sign saying they aren't responsible for anything in the parking lot.

    2. Re:Now that I think of it.... by Anonymous Coward · · Score: 0

      I'm more worried about them how they know what I first thought. Let my hotel possessions alone, when will they start stealing my thoughts? /s

      Clickbate headlines always hide sensational headlines. If it was truly sensational, they wouldn't need the clickbate.

      The assumption that one thinks the doors are very secure is a laughable assumption for any relatively cheap lock, and certainly any lock where you don't control all the keys.

  24. FB by Anonymous Coward · · Score: 0

    Bob has just checked in at room 2101 at Caesar's Palace. #FuckZuck

  25. too much drugs by Anonymous Coward · · Score: 0

    sometimes the dice come up with missing laptop no matter what you do

    only a drug-addled idiot thinks that laptops just mysteriously vanish

    maybe you baked it into a brownie and ate it

  26. Re: Where's the Russians? by Anonymous Coward · · Score: 0

    Maxine Waters is offended. Apologize now!

  27. common fireman key let you go to any floor in the by Joe_Dragon · · Score: 0

    common fireman key let you go to any floor in the elevator

  28. Re:This Is Why I Travel Very Light! by JackieBrown · · Score: 1

    Why do you have a cell phone if you don't keep it on you when you are mobile?

  29. I remember being lectured this was impossible by Catbeller · · Score: 2

    I remember, years back on Slashdot and other sites, being lectured about my naivete and ignorance when I argued we were opening our veins by making everything operable by computers and RFID and cards.
    I am arguing the same now with automating driving, making car controls computer-based rather than mechanical, and linking cars together wirelessly. A half-dead termite can see what's coming. We can't give up profits and convenience even in the face of certain hacking and disaster. (It's a disaster when it happens to YOU).

    1. Re:I remember being lectured this was impossible by Anonymous Coward · · Score: 0

      Shut up old fucker. You won't have to put up with it much longer. You'll be dead any day now.

      And FUCK your lawn!

    2. Re:I remember being lectured this was impossible by Anonymous Coward · · Score: 0

      Just remember young grasshopper. The world you're making today is the one you're going to have to live in tomorrow.

      Now get the fuck off MY LAWN!

    3. Re:I remember being lectured this was impossible by Anonymous Coward · · Score: 0

      We can't give up profits and convenience ...

      The point of technology is convenience and cost-cutting. Which is great for businesses; they depend on both. It's just that computers being ubiquitous, we don't notice that they make formerly easy things (such as access control), more difficult.

      ... keys retain enough residual data to be used in the attack.

      I'm guessing every door used the same password, individual keys had different access control lists.

  30. I am disappointed by the /. nerds today by Anonymous Coward · · Score: 1

    Not a single joke about Sauron or "one key to rule them all" yet..

  31. Wot? by nospam007 · · Score: 4, Funny

    They let every criminal in, every room and the passwords for their room-safes are found on the internet but _we_ clients get a frown when we order a hooker?

  32. Re:The problem with de facto standards for securit by Anonymous Coward · · Score: 0

    Different keys on every floor so things are more complex and expensive.

  33. Bring your own portable cameras by Anonymous Coward · · Score: 0

    With things like WyzeCam being so cheap ($24-26 shipped depending on quantity and source) and small, just set up one or two of these in the room and enable alerts to push to your smartphone. I never allow housekeeping in leaving the "do no disturb" sign on the entire time, so this means I should have zero alerts.

    If I get an alert, and I see someone in my room, I'd call the hotel security and notify them.

    All the places I stay now have free or free-to-reward-program-members wifi. The only trick is you must auth once per 24 hours per device. So to auth a WyzeCam, you spoof its MAC address on your laptop, auth for it, stop spoofing, and turn on the WyzeCam.

  34. Re:This Is Why I Travel Very Light! by Anonymous Coward · · Score: 0

    Custom, handmade clothing.

    This is you, isn't it? Epic Pants.

  35. Re:This Is Why I Travel Very Light! by Anonymous Coward · · Score: 0

    You should take the clothing with you.
    Anyone finding that in your room is likely to think they are about to get raped or indoctronated into a cult and GTF out of there.