Slashdot Mirror


Hackers Built a 'Master Key' For Millions of Hotel Rooms (zdnet.com)

An anonymous reader writes: Security researchers have built a master key that exploits a design flaw in a popular and widely used hotel electronic lock system, allowing unfettered access to every room in the building. The electronic lock system, known as Vision by VingCard and built by Swedish lock manufacturer Assa Abloy, is used in more than 42,000 properties in 166 countries, amounting to millions of hotel rooms -- as well as garages and storage units. These electronic lock systems are commonplace in hotels, used by staff to provide granular controls over where a person can go in a hotel -- such as their room -- and even restricting the floor that the elevator stops at. And these keys can be wiped and reused when guests check out.

It turns out these key cards aren't as secure as first thought. F-Secure's Tomi Tuominen and Timo Hirvonen, who carried out the work, said they could create a master key 'basically out of thin air.' Any key card will do. Even old and expired, or discarded keys retain enough residual data to be used in the attack. Using a handheld device running custom software, the researchers can steal data off of a key card -- either using wireless radio-frequency identification (RFID) or the magnetic stripe. That device then manipulates the stolen key data, which identifies the hotel, to produce an access token with the highest level of privileges, effectively serving as a master key to every room in the building.

8 of 126 comments

  1. Locks in general, are not very secure. by Kenja · · Score: 4, Insightful

    They are a deterrent against casual attacks, and nothing more.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Locks in general, are not very secure. by H3lldr0p · · Score: 4, Insightful

      Yeah, but this has the potential to make casual attacks even easier.

      Does anyone know how hard it would be to update/patch the locks? Can it be patched at all?

    2. Re:Locks in general, are not very secure. by Dutch+Gun · · Score: 4, Informative

      The linked article answers that question:

      Their discovery also prompted Assa Abloy to release a security patch to fix the flaws. According to their disclosure timeline, Assa Abloy was first told of the vulnerabilities a month later in April 2017, and met again over several months to fix the flaws. The software is patched at the central server, but the firmware on each lock needs to be updated.

      So, it can be patched, but sounds like a bit of a pain. It also sounds like this was responsibly disclosed by the researchers to the manufacturer, so good for them on that point.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    3. Re:Locks in general, are not very secure. by omnichad · · Score: 5, Insightful

      And you can engage neither of these if you're not in the room.

  2. If the hackers have the master key... by QuietLagoon · · Score: 4, Insightful

    ... you can be sure that state-level entities also have it. It is one of the reasons why I use a disposable notebook, set up with a minimal configuration, when I travel.

  3. Maybe for you by SuperKendall · · Score: 4, Informative

    It turns out these key cards aren't as secure as first thought.

    *Reads summary*

    No, they are exactly as secure as I first thought - and second and third.

    It's why I try to take anything valuable with me, or hide it, or lock it away somewhere when in any hotel room.

    Luckily for all of us most hotel rooms are empty or don't hold much of worth plus there is the danger of entering one with someone in it, so it would be very tedious and difficult even with a master key to go through enough rooms to find something of real value.

    If you want to target just one person where you can watch to see when they exit a room - then you are set.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Maybe for you by sims+2 · · Score: 4, Informative

      This isn't the first time this has happened
      https://www.wired.com/2017/08/...

      They started out just stealing the fixtures like the TV from unoccupied rooms then started waiting for the occupants to leave and then taking their stuff while they were gone.

      --
      Minimum threshold fixed. Thanks!
  4. Wot? by nospam007 · · Score: 4, Funny

    They let every criminal in, every room and the passwords for their room-safes are found on the internet but _we_ clients get a frown when we order a hooker?