Hacked Hotel Master Key is a Big Risk for Travelers
By Jon Sands, AGS Core Technologies
Security researchers notified lock manufacturer Assa Abloy of critical vulnerabilities in their system. This has forced them to release an update earlier this year.
According to the researchers, the company admitted that the flaw they found could affect at least 500,000 hotels.
Two cybersecurity researchers have figured out a way to crack the security systems of hotel rooms around the world. They exploited lapses in the electronic lock systems made by manufacturer Assa Abloy, according to a Wednesday press release.
Assay Abloy has released it at 42,000 properties in 166 countries, including everything from hotel rooms to garages.
According to the researchers, the company admitted that the flaw they found could affect at least 500,000 hotels.
Researchers from F-Secure, discovered a way to breach the system. After nearly a decade of research following a strange occurrence at a Berlin security conference in 2003. A friend of theirs had a laptop stolen from his hotel room. With no signs of forced entry, this lead researchers on a decade-long journey to prove their theory that someone had figured out how to manipulate the RFID card reader.
The specific RFID card reader they were looking into was a typical kind sold by VingCard. What researchers have discovered is a program that can create a master key for every room. This gives potential thieves access to any part of any hotel they choose.
The main instruments needed are a $300 Proxmark RFID card reading and writing tool and any card, either old or new, from a hotel. From there, hackers only need one minute to steal data from the used card and create a master card. This master card can open any door on the same system.
Researchers have tried to downplay any fears hotels and customers may have about the loophole and have actively worked with Assay Abloy to fix their system. Although it took them more than a decade, they said if someone worked full time, they could create a similar system in far less time.
Although it took them more than a decade, they said if someone worked full time, they could create a similar system in far less time.
Assay Abloy has since created a new line of locks and released a patch update earlier this year to address the issue. The patch has to be installed manually by each hotel in each lock. This is leading most to wonder whether the updates had actually been implemented.
There was also a discrepancy in the number of hotel rooms that are vulnerable. Assay Abloy told researchers privately that “the problem affects millions of locks in total.”
A spokeswoman for Assay Abloy told the BBC that any electronic device is vulnerable to hacking and that a breach of this kind would require large teams and copious amounts of time.
“Vision Software is a 20-year-old product, which has been compromised after 12 years and thousands of hours of intensive work by two employees at F-Secure,” the spokeswoman told the BBC. “These old locks represent only a small fraction [of the those in use] and are being rapidly replaced with new technology.”
Many major international hotels, including the Intercontinental, Hyatt, Radisson and Sheraton, use VingCard’s system and are in the process of updating the locks now that the system’s vulnerabilities have been made public.
A similar situation six years ago led to a robbery spree of hotel rooms. A list of lock weakness was release by researchers in 2012.
There are some security companies that are advertising their ability to teach people how to crack VingCard locks.
Major hotels such as: the Intercontinental, Hyatt, Radisson and Sheraton, use VingCard’s system. These brands are in the process of updating the locks now that the system’s weaknesses have been made public.
It goes without saying that business travelers should use extra caution when traveling and staying at a hotel. Check with management to see if the locks have been updated. If you are worried, be sure to bring your valuables with you when you leave the room.
https://www.wired.co.uk/article/hotel-hack-digital-lock-door-system-fsecure-assa-abloy
Jon Sands is the Business Development Executive for AGS CORE Technologies in Stuart, FL. AGS CORE Technologies is your trusted IT partner and cyber security experts on the Treasure Coast.
