Researchers show that hotel locks are vulnerable to hacker spoofing

Finnish security research company F-Secure has found design flaws in older-model VingCard Vision locks that allow hackers to open hotel room doors without leaving any record. By getting hold of a used hotel keycard, an attacker could create a master key to unlock any room in the building without leaving a trace, security consultants Tomi Tuominen and Timo Hirvonen said in a study published this week.

The F-Secure team said it had worked with Assa Abloy Hospitality over the past year to create a fix. The Swedish lock manufacturer is playing down the risk to those hotels that have yet to install an update.

“Vision Software is a 20-year-old product, which has been compromised after 12 years and thousands of hours of intensive work by two employees at F-Secure,” said a spokeswoman for Assa Abloy Hospitality.

Assa Abloy has fixed the flaws in the Vision software and issued software updates, released in February. Hotels that have applied the updates to their systems are not vulnerable, the company said. The software is patched at the central server, but the firmware on each lock needs to be updated. These locks represent only a small fraction of the hotel locks in the world and are rapidly being replaced with new, more advanced technology, according to Assa Abloy.

According to Wired, Assa Abloy put the total number of vulnerable locks between 500,000 and 1 million. It notes, though, that the total number is tough to measure because it can't closely track how many of the older locks have been replaced. Tuominen and Hirvonen said that they have collected more than 1,000 hotel keycards from their friends over the past 10 years, and found that roughly 30 percent were for VingCard Vision locks that would have been vulnerable to their attack.

“We wanted to find out if it's possible to bypass the electronic lock without leaving a trace,” said Hirvonen, describing the Ghost In The Locks project. “Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings [and] come up with a method for creating master keys.”

He added that data scanned from any discarded VingCard could be used to mount the attack, even if the card’s access privileges had long expired or had been used to open a garage or other parts of the targeted hotel rather than a guestroom. The hack can also be applied to access other areas of a hotel, including sending a lift to a VIP floor of a property, if it is protected by the same system.

The researchers started their room key bypass efforts in 2003 when a colleague’s laptop was stolen from a hotel room. With no sign of forced entry or unauthorized access to the room, the hotel staff are said to have dismissed the incident. The researchers set out to find a popular brand of smart lock to examine. In their words, finding and building the master key was far from easy, and took "several thousand hours of work" on an on-and-off basis, using trial and error.

Hotels, unfortunately, are no strangers to hacking issues. In 2016, Weston Hecker, a security researcher with internet security company Rapid7, modified existing technology to create a device capable of reading and duplicating hotel keycards, and even of guessing every room’s key across a property.

The device was designed by altering the MagSpoof tool developed by hacker Samy Kamkar. MagSpoof was able to wirelessly read magstripes off of cards used for door entry or payment transactions by producing a magnetic field similar to a magstripe when swiped, storing card data for later use. Hecker’s modification only adds $6 worth of hardware to the MagSpoof, and allows a hacker to take the information from any key, which includes encoded information regarding guestroom numbers and checkout dates, and then guess the correct information to create a copy. The device can then run through every possible combination of these details before letting the user into a room.

Back in 2012, software developer and security researcher Cody Brocious demonstrated a similar attack to Forbes' Andy Greenberg. At the time, the $50 device Brocious employed could likewise open millions of locked hotel room doors.