It’s rare to check into any hotel today and be handed an actual door key. Global hotel chains and hotels worldwide have transitioned from the lock and keys of old to an electronic system so that guests need only swipe a card in front of the door. But researchers at F-Secure Cyber Security Services have discovered that room keys can be hacked, allowing nefarious actors entrance into any room in the building.
Using an ordinary electronic key – whether it was tossed in the garbage or long expired – researchers exploited a flaw in the Vision software from VingCard (now ASSA ABLOY). Hotels worldwide rely on VingCard's electronic lock system software to secure millions of hotel rooms, yet the researchers were able to create a master key that allowed them to open any room they wished.
"We could not believe our eyes when the lock finally opened with a master key we had created (from a regular room key). On paper, the system looked pretty solid. It was the combination of minor issues that allowed us to create a practical attack against the system," said Tomi Tuominen, practice leader at F-Secure.
The choice to target a brand known for its quality and security was intentional, but it was not an overnight success. It took several thousand hours to gain an in-depth understanding of the system's design and identify inconspicuous security flaws. The researchers persisted through a considerable amount of trial and error, intent on finding a way to bypass the electronic lock without leaving a trace.
"Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys," said Timo Hirvonen, senior security consultant at F-Secure.
Once they succeeded, they disclosed the vulnerability to ASSA ABLOY, the lock manufacturer, and worked with them over the course of the past year to implement software fixes that have been made available to the affected properties.
In a statement released by F-Secure, Tuominen credited the ASSA ABLOY R&D team for their willingness to address the reported issues.