A new study has found that hackers can turn a used hotel key card into a master key that opens any room in the building without detection.
According to Reuters, Tomi Tuominen and Timo Hirvonen, security consultants for Finnish data security company F-Secure, said they discovered the vulnerability about a year ago. At that time, they reported it to Assa Abloy, the world’s largest lock manufacturer, which owns the key card system in question, Vision by VingCard.
“We found out that by using any key card to a hotel … you can create a master key that can enter any room in the hotel. It doesn’t even have to be a valid card; it can be an expired one,” Hirvonen said in an interview.
Tuominen and Hirvonen first started thinking about the issue 14 years ago, when a laptop was stolen from a computer security expert’s room at a high-class hotel in Berlin. The thief left no trace in the room or within the electric lock system, and the laptop was never recovered.
The incident left the duo wondering if someone could actually hack a hotel’s locking system without being detected. Their research was able to solve that mystery.
While Tuominen and Hirvonen were able to help Assa fix the issue in a software update released to hotel chains in February, only some locations have implemented the change, and it will take a couple more weeks to completely resolve the issue.
“I highly encourage the hotels to install those software fixes,” Hirvonen said. “But I think there is no immediate threat, since being able to develop this attack is going to take some time.”
Many hotels have replaced Vision by VingCard with new technology, but the system is still being used in several hundred thousand hotel rooms worldwide. In addition, the researchers aren’t sure whether other systems have the same problem.
“I wouldn’t be surprised if other electronic lock systems have similar vulnerabilities. You cannot really know how secure the system is unless someone has really tried to break it,” Hirvonen said.