Two hackers have figured out how to break into hotel room locks
When a hacker gets hacked, hackers hack back. That’s exactly what an attendee at a hacking conference in Berlin did in 2003 when his hotel room key card lock was hacked. When he returned to his hotel room, he discovered that his laptop had been stolen, but there was no evidence of forced entry. So how did the thief get into the room? Two of his colleagues spent more than ten years trying to answer that question. Now they’ve succeeded – and in the process they’ve exposed a security vulnerability that leaves millions of hotel rooms vulnerable to theft.
Tomi Tuominen and Timo Hirvonen of F-Secure, a cyber security company, designed a hack that they say allows them to create a master key that mimics the guest key cards made by VingSecure, a hotel lock manufacturer. According to F-Secure, the affected software is used in more than 40,000 hotel properties across 166 countries. The BBC reports that large hotel chains such as Sheraton, Hyatt and Radisson use locks made by VingSecure’s parent company, Assa Abloy of Sweden (although the company has not formally disclosed which hotels use the vulnerable version of the software).
Messrs Tuominen and Hirvonen have not revealed exactly how their hack works, for fear of encouraging more hackers and thefts like the one that hit their colleague. But the basic concept goes something like this. Many key cards communicate using electromagnetic fields, a technology known as radio-frequency identification (RFID). By holding an RFID reader close to a key card, a hacker can capture the card’s response and then use it later to create a new card with the same features. Staff keys, such as those carried by cleaners, are particularly valuable targets, as they provide access to all guest rooms. Messrs Tuominen and Hirvonen say their hack, which uses software they created, allows them to convert any VingSecure keycard, including discarded and disabled ones, into a master key.
The pair of hackers told Gizmodo, a technology news website, that it’s not just credit cards that are vulnerable to thieves. Guests’ personal data is also at risk. The hackers gained access to the VingSecure server by unplugging a cable from a computer at a hotel reception desk, allowing them to view guest room assignments. F-Secure told the site, “a malicious actor could download guest data or create, delete and modify guest entries.”
Since the vulnerability was identified, F-Secure has been working with Assa Abloy over the past year to develop a solution that makes its core systems more difficult to hack. Assa Abloy, for its part, tried to downplay the seriousness of the threat. A company spokesperson confirmed to the BBC that the hack was only successful after “12 years and thousands of hours of intensive work by two F-Secure employees”, and that “these old locks are but a small fraction [of those in use] and new technology is rapidly replacing them.” However, for travellers, the saga is a reminder that many hotel rooms are not as safe as they could be. And if something goes missing, it’s not always fair to blame the cleaners.