Hoteliers advised to update keycard room locks

Millions of keycard locks in hotels around the world need to be updated after researchers found a way to exploit software vulnerabilities in them to create full-access master keys.

Vingcard Vision locks made by Swedish company Assa Abloy - which use radio frequency identification readers - can be attacked with a handheld Proxmark device, and give up the master key code in about 20 tries, F-Secure researchers Tomi Tuominen and Timo Hirvonen found.

Once the code is found, it can be written to a keycard that opens every electronic Vingcard Vision lock in the target hotel without leaving a trace.

The attack also works on hotel lift card readers, providing access to floors restricted to guests with keycards.

Tuominen and Hirvonen believe 140,000 hotels in 160 countries around the world have the Vingcard Vision locks installed.

Assa Abloy confirmed to the researchers that millions of locks in total are vulnerable. The company's newer Vingcard Visionline locks are not vulnerable, however.

The researchers reported the vulnerability to Assa Abloy a year ago, and the company has issued software updates for the locks.

However, the locks have to be updated one at the time by a technician, as they are not networked, sparking fears that not all hotels have applied the security patches.

The F-Secure researchers have declined to publish full details of the vulnerability, to avoid assisting hotel burglars.

In 2012, Mozilla staffer Cody Brocious disclosed a number of vulnerabilites in the Onity HT electronic lock system that is used by most United States hotels.

The vulnerabilities could be exploited with a cheap and small device, and led to hundreds of hotel burglaries taking place in the US despite Onity issuing fixes for the locks.

Demonstration of hotel keycard hack. 

The F-Secure research began fifteen years ago, after Tuominen had his laptop stolen from his room at Alexanderplatz Radisson hotel while attending a security conference in Berlin.

There were no signs of unauthorised entry, and the Vingcard lock logs only had legitimate entries by hotel staff recorded.

Tuominen and Hirvonen spent years on working out how to guess hotel master keys by collecting thousands of keycards by themselves and through friends, and by looking for patterns in the encoding.

After finding a clue on Assa Abloy's training website, they were able to narrow down the possible master key codes, allowing them to guess the correct one in about a minute.