Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Built a 'Master Key' For Millions of Hotel Rooms (zdnet.com)

Posted by msmash on from the of-course-they-did dept.

An anonymous reader writes: Security researchers have built a master key that exploits a design flaw in a popular and widely used hotel electronic lock system, allowing unfettered access to every room in the building. The electronic lock system, known as Vision by VingCard and built by Swedish lock manufacturer Assa Abloy, is used in more than 42,000 properties in 166 countries, amounting to millions of hotel rooms -- as well as garages and storage units. These electronic lock systems are commonplace in hotels, used by staff to provide granular controls over where a person can go in a hotel -- such as their room -- and even restricting the floor that the elevator stops at. And these keys can be wiped and reused when guests check-out.

It turns out these key cards aren't as secure as first thought. F-Secure's Tomi Tuominen and Timo Hirvonen, who carried out the work, said they could create a master key 'basically out of thin air.' Any key card will do. Even old and expired, or discarded keys retain enough residual data to be used in the attack. Using a handheld device running custom software, the researchers can steal data off of a key card -- either using wireless radio-frequency identification (RFID) or the magnetic stripe. That device then manipulates the stolen key data, which identifies the hotel, to produce an access token with the highest level of privileges, effectively serving as a master key to every room in the building.

26 of 126 comments (clear)

  1. Locks in general, are not very secure. by Kenja · · Score: 4, Insightful

    They are a deterrent against casual attacks, and nothing more.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Locks in general, are not very secure. by H3lldr0p · · Score: 4, Insightful

      Yeah, but this has the potential to make casual attacks even easier.

      Does anyone know how hard it would be to update/patch the locks? Can it be patched at all?

    2. Re:Locks in general, are not very secure. by nanoflower · · Score: 2

      I would hope that there's a way to upgrade the locks so that they can prevent this attack. Though then the question is how difficult would that be (do you have to upgrade each lock one at a time?) and how many hotels would go through the process.

    3. Re:Locks in general, are not very secure. by Dutch+Gun · · Score: 4, Informative

      The linked article answers that question:

      Their discovery also prompted Assa Abloy to release a security patch to fix the flaws. According to their disclosure timeline, Assa Abloy was first told of the vulnerabilities a month later in April 2017, and met again over several months to fix the flaws. The software is patched at the central server, but the firmware on each lock needs to be updated.

      So, it can be patched, but sounds like a bit of a pain. It also sounds like this was responsibly disclosed by the researchers to the manufacturer, so good for them on that point.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    4. Re:Locks in general, are not very secure. by chispito · · Score: 2

      Yeah, but this has the potential to make casual attacks even easier.

      Does anyone know how hard it would be to update/patch the locks? Can it be patched at all?

      There are so many ways to compromise locks, this changes nothing. Hotel locks are not electronic for security, they are electronic for ease of management.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    5. Re:Locks in general, are not very secure. by omnichad · · Score: 5, Insightful

      And you can engage neither of these if you're not in the room.

    6. Re:Locks in general, are not very secure. by Anonymous Coward · · Score: 2, Insightful

      Wow. This sure is a brand new problem that hasn't been existence since forever.

      How will the hotels respond to people having master keys to all their rooms across the entire country?

      It's not as though they pass these out to every person who applies for a low-level cleaning job....

      Oh. Right.

      Never mind.

    7. Re:Locks in general, are not very secure. by morethanapapercert · · Score: 3, Informative
      Well; there were and still are, good reasons to go with a key card system over a traditional key system.

      1) Traditional keys are far more expensive, per unit, than the cards used by these systems. Most use small paper-based cards with a mag strip, which cost mere pennies each. These is offset by the expense of the locks of course, but that's a capital expense rather than an operating expense.

      2) Because of the need for master keys for hotel staff, locks need to have three piece pins rather than the common two piece. Changing these requires a locksmith and changing all the locks invalidates all the keys, master and non. On the other hand, a key card system can not only let staff have master keys, it can let every staff member have their own unique "master key". So if you have to fire Agnes the room cleaner, you can invalidate her key card at the same time, ditto if she just lost her current one.

      3) Similar to the problem with Agnes, guests are constantly losing keys. It is trivial to run off as many extra keys as needed. (which also allows multiple keys when dealing with double occupancy) 4) Many lock systems communicate with the central server over wi-fi, allowing front desk staff to disable a guests access if they want to make sure he comes down to the front desk to talk to them.

      5) As the summary says, it allows granular control. If you fill a batch of rooms with a commercial client (like a work crew for example), you can give them the discounted commercial bulk rate and disable their access to the pool and so on. For special guests who require a lot of privacy, such as celebrities, politicians and people in hiding from an abusive spouse, you can disable the staff master key access if needed. The logic is the same as using permission based security in the IT world

      6) Finally, traditional tumbler and wafer locks using keys are no more secure than these key cards, even in the vulnerable state the article describes. Lock picking is well known these days and a set of picks can be had or made even cheaper than the hand held mag strip writing device. You can't quite pick a lock using paper clips as easily as the movies suggest (paper clips aren't hard and springy enough) but it can be done with some locks. And a skill in picking locks and a basic set of picks opens far more doors and padlocks around the world than this key card exploit can. Note that master keyed traditional locks are often *easier* to pick than standard keyed locks, because you have two breaks, hence two chances per pin to get that pin unlocked. To open a lock only requires that every barrel have a break in the pins lined up in the cylinder, there is nothing preventing you from picking or creating a key which uses some of the master key bitting and some of the standard key bitting.

      --
      I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
    8. Re:Locks in general, are not very secure. by aaarrrgggh · · Score: 3, Insightful

      Janitorial keys are limited to a floor or cluster of rooms, are individually assigned, and are traceable/auditable. A true master key that does not follow the audit trail is a problem, but the hotel management system can likely be used to flag on a master key use and send security.

    9. Re:Locks in general, are not very secure. by Obfuscant · · Score: 2

      If one were to utilize a working key to disassemble a lock and take readings, a six-pin system would require the creation of 36 keys to determine a masterkey.

      No. It takes one key per pin to determine all the correct keyings for any lock. I'll leave the process to your imagination, if you have any.

    10. Re:Locks in general, are not very secure. by Mattcelt · · Score: 2

      the hotel management system can likely be used to flag on a master key use and send security

      To my knowledge, I have never stayed in a hotel where the electronic door locks were connected to a central system. They operate completely independently, and the auditing system must be manually accessed from each unit. There are no alarms or notifications.

  2. Re:Security Researchers?????? by Fly+Swatter · · Score: 2

    The correct term is cracker, however that battle was lost a long time ago.

  3. If the hackers have the master key... by QuietLagoon · · Score: 4, Insightful

    ... you can be sure that state-level entities also have it. It is one of the reasons why I use a disposable notebook, set up with a minimal configuration, when I travel.

  4. Maybe for you by SuperKendall · · Score: 4, Informative

    It turns out these key cards aren't as secure as first thought.

    *Reads summary*

    No, they are exactly as secure as I first thought - and second and third.

    It's why I try to take anything valuable with me, or hide it, or lock it away somewhere when in any hotel room.

    Luckily for all of us most hotel rooms are empty or don't hold much of worth plus there is the danger of entering one with someone in it, so it would be very tedious and difficult even with a master key to go through enough rooms to find something of real value.

    If you want to target just one person where you can watch to see when they exit a room - then you are set.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Maybe for you by LQ · · Score: 2

      Luckily for all of us most hotel rooms are empty or don't hold much of worth

      My partner went to a conference and three people had laptops stolen from their rooms without forced entry while they were in the bar. Hoteliers just shrugged.

    2. Re:Maybe for you by sims+2 · · Score: 4, Informative

      This isn't the first time this has happened
      https://www.wired.com/2017/08/...

      They started out just stealing the fixtures like the TV from unoccupied rooms then started waiting for the occupants to leave and then taking their stuff while they were gone.

      --
      Minimum threshold fixed. Thanks!
  5. Happened before. by Anonymous Coward · · Score: 2, Insightful

    This has happened before about 6 years ago, with a different hotel lock system. Last time it was Onity, now it's Ving/Abloy.

    https://hardware.slashdot.org/story/12/07/25/1326225/open-millions-of-hotel-rooms-with-arduino

    I'm not terribly convinced this was something that was widespread hackable. Also, the fast that it took 10 years and thousands of hours to exploit tells me that the system was fairly secure BEFORE these guys decided to publish the details, which considerably reduces the costs.

    It shouldn't come as a surprise that a hotel room isn't secure. They're vulnerable to social engineering, and just about every staff member can get into your hotel room. You think these keys are all kept securely, and don't leak out?

    Years ago I stayed at a hotel with a slightly paranoid friend of mine. This slight paranoia led him to putting locks on his luggage, which had nothing of value in them anyway. We went out to get something to eat, and while we were away someone broke into the room, broke his cheap-ass luggage locks, and stole... nothing, because he didn't have anything valuable in your luggage. He was pissed because now he had several broken luggage locks, which probably cost $30 total. I didn't have luggage locks (because... why?) and didn't suffer any loss.

    The point being that he the best defense against theft is to simply not bring much value with you. Keep your cell phone with you, bring a cheap laptop, and don't lock your bags. Also lock the damn door with the deadbolt that doesn't have a key when you sleep.

  6. The problem with de facto standards for security by Aristos+Mazer · · Score: 2

    When you have one vendor that everyone turns to for the canonical "good security solution", it works fine until a hole is found because then everyone is at risk. The more diversity there is in security, the more likely there is to be a bug in any given implementation (bad), but at least when a hole is found, the entire system isn't at risk. Shuffle your attack surfaces. Have different key systems at different hotels. Or, better, on different floors, so that if a breach is found in one system, you can close that floor while you replace/repair the locks. Would that be more expensive? Yes. Security isn't cheap, but the bigger you make the target, the more tempting the target.

  7. Re:Probably not by BronsCon · · Score: 2

    Do you really think these systems don't alert the front desk when an unoccupied room is unlocked? They don't have to check, it alerts the front desk immediately. Housekeeping keycards are tagged with unique IDs (to identify the employee the card was assigned to), so they don't trigger the alerts, but you'd have to know one of those valid IDs in advance; simply setting the access token to whatever is used by housekeeping isn't enough.

    Of course, these systems can be configured not to alert when an empty room is unlocked, and I'm sure $40/night shitholes go that route because it's not worth it to deal with a squatter over $40 anyway, but you can be sure the alerts are enabled at any of the places your typical egocentric hacker would target.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  8. Improve your odds by SuperKendall · · Score: 3, Informative

    If I have a laptop in the room, I always leave out the do not disturb sign (who needs maid service anyway), a thief is probably not going to enter a room with that on the door. I would say leave the TV on too, but that would be a real asshole move for the rooms around you.

    Also I usually hide valuable things like laptops. Either I put it in a suitcase that I lock (though someone could still take the suitcase if they are hitting a bunch of rooms they probably will not bother to take a bulky suitcase) or hide it somewhere. Under a pillow on a made up bed is a good location, under the bed is not great as thieves will check there. On top of tall shelves in the back is decent.

    Theft prevention is all a numbers game, you do what you can but sometimes the dice come up with missing laptop no matter what you do. But even simple precautions beyond "leave out on desk" can greatly improve your odds of success.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  9. Re:Probably not by SuperKendall · · Score: 2

    Do you really think these systems don't alert the front desk when an unoccupied room is unlocked?

    Do you honestly think they DO? You have an overactive imagination as to how much hotels care about room security.

    And even if they did, what are the one or two guys at the front going to do about that anyway? Leave the front desk unmanned so they can get physically assaulted? Hardly.

    I'm sure $40/night shitholes go that route because it's not worth it to deal with a squatter over $40 anyway,

    Hint: The $200 shitholes also do not really care. Of course there are alerts but I am saying if you go in late and leave early the late shift people are just going to say "screw it".

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  10. Now that I think of it.... by Cajun+Hell · · Score: 2

    It turns out these key cards aren't as secure as first thought

    I don't remember anyone ever explaining to me why I should think they're secure at all. They just .. exist. I can't even say they've been misrepresented to me.

    --
    "Believe me!" -- Donald Trump
    1. Re:Now that I think of it.... by JackieBrown · · Score: 2

      It's a social thing. There is a lock so you feel secure.

      Most hotels I have stayed at actually have signs saying don't leave valuables out.

      It's like the parking lots that advertise "Guarded and video surveillance". Then right next to the sign is another sign saying they aren't responsible for anything in the parking lot.

  11. Re:Wonderful! by PPH · · Score: 2

    You can still secure the door from the inside for privacy. It's just that all bets are off when you leave in the morning for some sightseeing with all your valuables inside.

    --
    Have gnu, will travel.
  12. I remember being lectured this was impossible by Catbeller · · Score: 2

    I remember, years back on Slashdot and other sites, being lectured about my naivete and ignorance when I argued we were opening our veins by making everything operable by computers and RFID and cards.
    I am arguing the same now with automating driving, making car controls computer-based rather than mechanical, and linking cars together wirelessly. A half-dead termite can see what's coming. We can't give up profits and convenience even in the face of certain hacking and disaster. (It's a disaster when it happens to YOU).

  13. Wot? by nospam007 · · Score: 4, Funny

    They let every criminal in, every room and the passwords for their room-safes are found on the internet but _we_ clients get a frown when we order a hooker?