Hackers Built a 'Master Key' For Millions of Hotel Rooms (zdnet.com)

← Back to Stories (view on slashdot.org)

Hackers Built a 'Master Key' For Millions of Hotel Rooms (zdnet.com)

Posted by msmash on Wednesday April 25, 2018 @02:52AM from the of-course-they-did dept.

An anonymous reader writes: Security researchers have built a master key that exploits a design flaw in a popular and widely used hotel electronic lock system, allowing unfettered access to every room in the building. The electronic lock system, known as Vision by VingCard and built by Swedish lock manufacturer Assa Abloy, is used in more than 42,000 properties in 166 countries, amounting to millions of hotel rooms -- as well as garages and storage units. These electronic lock systems are commonplace in hotels, used by staff to provide granular controls over where a person can go in a hotel -- such as their room -- and even restricting the floor that the elevator stops at. And these keys can be wiped and reused when guests check-out.

It turns out these key cards aren't as secure as first thought. F-Secure's Tomi Tuominen and Timo Hirvonen, who carried out the work, said they could create a master key 'basically out of thin air.' Any key card will do. Even old and expired, or discarded keys retain enough residual data to be used in the attack. Using a handheld device running custom software, the researchers can steal data off of a key card -- either using wireless radio-frequency identification (RFID) or the magnetic stripe. That device then manipulates the stolen key data, which identifies the hotel, to produce an access token with the highest level of privileges, effectively serving as a master key to every room in the building.

7 of 126 comments (clear)

Min score:

Reason:

Sort:

Locks in general, are not very secure. by Kenja · 2018-04-25 02:57 · Score: 4, Insightful

They are a deterrent against casual attacks, and nothing more.

--

"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
1. Re:Locks in general, are not very secure. by H3lldr0p · 2018-04-25 03:02 · Score: 4, Insightful
  
  Yeah, but this has the potential to make casual attacks even easier.
  Does anyone know how hard it would be to update/patch the locks? Can it be patched at all?
2. Re:Locks in general, are not very secure. by omnichad · 2018-04-25 03:22 · Score: 5, Insightful
  
  And you can engage neither of these if you're not in the room.
3. Re:Locks in general, are not very secure. by Anonymous Coward · 2018-04-25 03:58 · Score: 2, Insightful
  
  Wow. This sure is a brand new problem that hasn't been existence since forever.
  How will the hotels respond to people having master keys to all their rooms across the entire country?
  It's not as though they pass these out to every person who applies for a low-level cleaning job....
  Oh. Right.
  Never mind.
4. Re:Locks in general, are not very secure. by aaarrrgggh · 2018-04-25 06:38 · Score: 3, Insightful
  
  Janitorial keys are limited to a floor or cluster of rooms, are individually assigned, and are traceable/auditable. A true master key that does not follow the audit trail is a problem, but the hotel management system can likely be used to flag on a master key use and send security.
If the hackers have the master key... by QuietLagoon · 2018-04-25 03:29 · Score: 4, Insightful

... you can be sure that state-level entities also have it. It is one of the reasons why I use a disposable notebook, set up with a minimal configuration, when I travel.
Happened before. by Anonymous Coward · 2018-04-25 03:56 · Score: 2, Insightful

This has happened before about 6 years ago, with a different hotel lock system. Last time it was Onity, now it's Ving/Abloy.
https://hardware.slashdot.org/story/12/07/25/1326225/open-millions-of-hotel-rooms-with-arduino
I'm not terribly convinced this was something that was widespread hackable. Also, the fast that it took 10 years and thousands of hours to exploit tells me that the system was fairly secure BEFORE these guys decided to publish the details, which considerably reduces the costs.
It shouldn't come as a surprise that a hotel room isn't secure. They're vulnerable to social engineering, and just about every staff member can get into your hotel room. You think these keys are all kept securely, and don't leak out?
Years ago I stayed at a hotel with a slightly paranoid friend of mine. This slight paranoia led him to putting locks on his luggage, which had nothing of value in them anyway. We went out to get something to eat, and while we were away someone broke into the room, broke his cheap-ass luggage locks, and stole... nothing, because he didn't have anything valuable in your luggage. He was pissed because now he had several broken luggage locks, which probably cost $30 total. I didn't have luggage locks (because... why?) and didn't suffer any loss.
The point being that he the best defense against theft is to simply not bring much value with you. Keep your cell phone with you, bring a cheap laptop, and don't lock your bags. Also lock the damn door with the deadbolt that doesn't have a key when you sleep.