New hacking device may threaten door locks, PoS systems

Data theft is a constant concern for hotels, but a new tool developed by a security researcher may raise the alarm on physical security in hospitality.

Weston Hecker, a security researcher with Internet security company Rapid7, modified existing technology to create a device that can read and duplicate hotel keycards, and can even guess every room’s key across a property.

The device can guess a room's entry data nearly 50 times per second.

The device was designed by altering the MagSpoof tool developed last year by hacker Samy Kamkar. At the time of its development, MagSpoof was able to wirelessly read magstripes off of cards used for door entry or payment transactions by producing a magnetic field similar to a magstripe when swiped, storing card data for later use. Hecker’s modification adds only $6 worth of hardware to the MagSpoof, and allows a hacker to take the information from any key, which includes encoded information regarding guestroom numbers and checkout dates, and then guess the correct information to create a copy. The device can then run through every possible combination of these details before letting the user into a room.


While hotel door locks continue their shift to radio frequency identification and Bluetooth technology and away from magstripes, it remains to be seen how this device would be used to access rooms under these circumstances. However, not all hotels have fully upgraded past magstripes, making them more vulnerable than ever to entry. 

At the same time, while credit card companies are shifting to chipped cards and card readers, magstripes remain a popular option for travelers, meaning point-of-sale systems could become a larger target. Hecker’s tool can inject keystrokes into a PoS system with a magstripe reader simply by being placed near it, forcing the reader to accept data as long as it remains within a few inches.

Hecker’s machine will be on display at the DEF CON conference hosted in Las Vegas this week.