Hoteliers advised to update keycard room locks

Vulnerability found after 15 years and thousands of hours.

Millions of keycard locks in hotels around the world need to be updated after researchers found a way to exploit software vulnerabilities in them to create full-access master keys.

Vingcard Vision locks made by Swedish company Assa Abloy - which use radio frequency identification readers - can be attacked with a handheld Proxmark device, and give up the master key code in about 20 tries, F-Secure researchers Tomi Tuominen and Timo Hirvonen found.

Once the code is found, it can be written to a keycard that opens every electronic Vingcard Vision lock in the target hotel without leaving a trace.

The attack also works on hotel lift card readers, providing access to floors restricted to guests with keycards.

Tuominen and Hirvonen believe 140,000 hotels in 160 countries around the world have the Vingcard Vision locks installed.

Assa Abloy confirmed to the researchers that millions of locks in total are vulnerable. The company's newer Vingcard Visionline locks are not vulnerable, however.

The researchers reported the vulnerability to Assa Abloy a year ago, and the company has issued software updates for the locks.

However, the locks have to be updated one at a time by a technician, as they are not networked, sparking fears that not all hotels have applied the security patches.

The F-Secure researchers have declined to publish full details of the vulnerability, to avoid assisting hotel burglars.

In 2012, Mozilla staffer Cody Brocious disclosed a number of vulnerabilities in the Onity HT electronic lock system that is used by most United States hotels.

The vulnerabilities could be exploited with a cheap and small device, and led to hundreds of hotel burglaries taking place in the US despite Onity issuing fixes for the locks.

Demonstration of hotel keycard hack. 

The F-Secure research began fifteen years ago, after Tuominen had his laptop stolen from his room at Alexanderplatz Radisson hotel while attending a security conference in Berlin.

There were no signs of unauthorised entry, and the Vingcard lock logs only had legitimate entries by hotel staff recorded.

Tuominen and Hirvonen spent years working out how to guess hotel master keys by collecting thousands of keycards by themselves and through friends, and by looking for patterns in the encoding.

After finding a clue on Assa Abloy's training website, they were able to narrow down the possible master key codes, allowing them to guess the correct one in about a minute.

Copyright © iTnews.com.au. All rights reserved.