New hacking device may threaten door locks, PoS systems

Data theft is a constant concern for hotels, but a new tool developed by a security researcher may raise the alarm on physical security in hospitality.

Weston Hecker, a security researcher with Internet security company Rapid7, modified existing technology to create a device that can read and duplicate hotel keycards and can even guess the key for every room across a property.

The device can guess a room's entry data nearly 50 times per second.

The device was designed by altering the MagSpoof tool developed last year by hacker Samy Kamkar. At the time of its development, MagSpoof was able to wirelessly read magstripes off of cards used for door entry or payment transactions by producing a magnetic field similar to a magstripe when swiped, storing card data for later use. Hecker’s modification adds only $6 worth of hardware to the MagSpoof and allows a hacker to take the information from any key, which includes encoded information regarding guestroom numbers and checkout dates, and then guess the correct information to create a copy. The device can then run through every possible combination of these details before letting the user into a room.
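Guessing at nearly 50 attempts per second leaves a pattern no guest swiping a card can produce: dozens of rejected reads on one door inside a single second. The following detection sketch is an added example, not code from Hecker, Rapid7 or any lock vendor; it assumes the lock or its controller records rejected reads with timestamps, and the event layout, door names and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def make_sample_events():
    """Constructed audit events (timestamp, door, result); not a real vendor format."""
    base = datetime(2016, 8, 1, 14, 0, 0)
    events = []
    # A guest fumbling a card: three rejected swipes spread over several seconds.
    for s in (0, 3, 7):
        events.append((base + timedelta(seconds=s), "door-214", "REJECT"))
    events.append((base + timedelta(seconds=9), "door-214", "ACCEPT"))
    # Automated guessing: 48 rejected reads inside one second, then an accept.
    start = base + timedelta(minutes=5)
    for i in range(48):
        events.append((start + timedelta(milliseconds=20 * i), "door-309", "REJECT"))
    events.append((start + timedelta(milliseconds=980), "door-309", "ACCEPT"))
    return events

def find_guessing_bursts(events, window=timedelta(seconds=1), threshold=10,
                         follow=timedelta(seconds=5)):
    """Flag doors with >= threshold rejected reads inside a sliding window.

    Returns {door: {"peak", "last", "opened"}}; "opened" is True when an
    accepted read follows the burst within `follow`, meaning a guess may
    have succeeded and the room needs an immediate check and re-key.
    The threshold of 10 per second is an assumed value.
    """
    recent = defaultdict(deque)   # per-door timestamps of recent rejects
    alerts = {}
    for ts, door, result in sorted(events):
        if result == "REJECT":
            q = recent[door]
            q.append(ts)
            while ts - q[0] > window:      # drop rejects older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(door, {"peak": 0, "last": ts, "opened": False})
                a["peak"] = max(a["peak"], len(q))
                a["last"] = ts
        elif result == "ACCEPT" and door in alerts:
            if ts - alerts[door]["last"] <= follow:
                alerts[door]["opened"] = True
    return alerts

if __name__ == "__main__":
    for door, info in find_guessing_bursts(make_sample_events()).items():
        print(door, "peak rejects/sec:", info["peak"], "opened:", info["opened"])
```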

While hotel door locks continue their shift to radio frequency identification and Bluetooth technology and away from magstripes, it remains to be seen how this device would be used to access rooms under these circumstances. However, not all hotels have fully upgraded past magstripes, making them more vulnerable than ever to entry. 

At the same time, while credit card companies are shifting to chipped cards and card readers, magstripes remain a popular option for travelers, meaning point-of-sale systems could become a larger target. Hecker’s tool can inject keystrokes into a PoS system with a magstripe reader simply by being placed near it, forcing the reader to accept data as long as it remains within a few inches.

Hecker’s machine will be on display at the DEF CON conference hosted in Las Vegas this week.
