Story image

Electronic lock vulnerabilities can lead attackers directly to your hotel room

30 Apr 18

Next time you stay at a hotel as part of a business or personal trip, you may want to ask if the hotel’s locking systems are up-to-date.

Researchers at F-Secure discovered that hotels throughout the world use an electronic lock system that an attacker can exploit to gain access to any room in the building.

The vulnerabilities lie in the Vision by VingCard lock system software, which is used to secure millions of hotel rooms across the globe.

Researchers demonstrated that any ordinary key can be used to target the hotel – including keys that have been thrown away, expired, or ones to use spaces such as garages.

They were able to create a master key with privileges to open any room in the building, which can then be used to conduct a completely unnoticeable attack.

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” comments F-Secure Cyber Security Services practice leader Tomi Tuominen.

“We don’t know of anyone else performing this particular attack in the wild right now.”

The researchers decided to investigate the topic when a colleague’s laptop was stolen from a hotel room during a security conference 10 years ago.

Researchers say that when they reported the theft, hotel staff dismissed the complaint because they couldn’t find evidence of forced entry, or any evidence of unauthorised access in the room entry logs.

The researchers decided to investigate the issue further, and chose to target a brand of lock known for quality and security. These security oversights were not obvious holes, they add.

It took a thorough understanding of the whole system’s design to identify small flaws that, when combined, produced the attack. The research took several thousand hours and was done on an on-and-off basis, and involved considerable amounts of trial and error.

“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” comments F-Secure senior security consultant Timo Hirvonen.

“Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”

Assa Abloy, the world’s largest lock manufacturer, has issued software updates with security fixes to mitigate the vulnerabilities.

“I would like to personally thank the Assa Abloy R&D team for their excellent cooperation in rectifying these issues,” says Tuominen.

“Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible.”

GirlBoss wins 2018 YES Emerging Alumni of the Year Award
The people have spoken – GirlBoss CEO and founder Alexia Hilbertidou has been crowned this year’s Young Enterprise Scheme (YES) Emerging Alumni of the Year.
IDC: Standalone VR headset shipments grow 428.6% in 3Q18
The VR headset market returned to growth in 3Q18 after four consecutive quarters of decline and now makes up 97% of the combined market.
Meet Rentbot, the chatbot that can help with tenancy law
If you find yourself in a tricky situation  - or if you just want to understand your rights as a landlord or tenant, you can now turn to a chatbot for help.
PlayerUnknown’s Battlegrounds (PUBG) finally releases on PS4
PUBG on PS4 feels like it’s still in Early Access as the graphics look horribly outdated and the game runs poorly too. 
How AI can fundamentally change the business landscape
“This is an extremely interesting if not pivotal time to discuss how AI is being deployed and leveraged, both in business and at home.”
CERT NZ highlights rise of unauthorised access incidents
“In one case, the attacker gained access and tracked the business’s emails for at least six months. They gathered extensive knowledge of the business’s billing cycles."
Report finds GCSB in compliance with NZ rights
The Inspector-General has given the GCSB its compliance tick of approval for the fourth year in a row.
Game review: Just Cause 4 on PC
Rico Rodriguez returns to wreak over-the-top havoc for a fourth time. This time the island nation of Solís is our hero’s sandbox, ripe for destruction.