Security flaw in hotel keycard locks allows hackers to create master keys


This was published 6 years ago

By Greg Dickinson
Hotel keycard locks can be hacked, a cybersecurity firm has found. Credit: SHUTTERSTOCK

Researchers at a leading cybersecurity company have revealed that millions of hotel rooms around the world have been vulnerable to a hack, after discovering a way of creating a master key that can open doors.

Cybersecurity company F-Secure this week announced that hotel rooms fitted with electronic locks made by Assa Abloy, the world's largest lock manufacturer, could have been exploited by attackers to access any room.

Hotels with an Assa Abloy locking system include major chains such as Sheraton, Radisson and Hyatt.

How did F-Secure discover the hack?

The research began over a decade ago when a member of staff at F-Secure discovered their laptop had been stolen from a hotel room during a security conference. Hotel staff found no sign of forced entry and there was no evidence of unauthorized access to the room through their logs.

So F-Secure's researchers Tomi Tuominen and Timo Hirvonen decided to investigate themselves.

"We wanted to find out if it's possible to bypass the electronic lock without leaving a trace," Timo Hirvonen, Senior Security Consultant at F-Secure, said in a public statement. "Building a secure access control system is very difficult because there are so many things you need to get right.

"Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings," he added. "We creatively combined these shortcomings to come up with a method for creating master keys."

F-Secure revealed that the hack involves the following steps: find a key card, use a cheap piece of hardware combined with custom-built software to read the card and search for the master key code, and then copy this master key information onto a new or existing card. Within sixty seconds, Tuominen and Hirvonen are able to gain access to a room using this method.

They have stressed that the exact details of the hack will not be disclosed.

Could a regular hacker replicate a similar attack?

"Although not impossible, most likely this is something that a bedroom hacker would have a hard time replicating. It took us a considerable amount of time and effort to come up with this attack," Hirvonen told Telegraph Travel.

Has the problem been fixed?

After successfully bypassing the electronic lock system, F-Secure informed Assa Abloy of their findings and they have helped to develop software fixes.

Assa Abloy have since rolled out updates, although it is not clear how many hotels have actually implemented the change.

"We have worked together with Assa Abloy for over a year to address these security issues and the patch has been available since early 2018", Hirvonen told Telegraph Travel.

"The patches fix all the vulnerabilities we have identified. However, it is up to the hotels whether they patch their systems in a timely manner. Installing the updates is somewhat labour-intensive since you need first to update the backend software and then go to each and every lock to update the lock firmware."

Should we be worried about hotel security?

While the revelation is worrying, we should keep things in perspective. The hack was carried out by a security firm and took years and thousands of hours to develop. If a malicious hacker had the ability and this much time on their hands, you could imagine they might spend it on something with higher gains than a hotel room heist.

Assa Abloy have played down the risks to hotel rooms using their software.

"Vision Software is a twenty-year-old product, which has been compromised after twelve years and thousands of hours of intensive work by two employees at F-Secure," a spokeswoman for the company told the BBC. "These old locks represent only a small fraction [of those in use] and are being rapidly replaced with new technology."

Telegraph Travel has contacted Hyatt, Sheraton and Radisson to ask if they are still using the compromised version of Vision Software that F-Secure were able to hack.

Would we be better off with a good old-fashioned deadlatch lock?

The revelation raises questions about whether electronic locking systems are actually safer than a traditional deadlatch, of the kind common on house doors, or new technology such as fingerprint or eye-recognition scanners. Responding to this, Hirvonen said: "More important than a single technical or mechanical solution is the fact that it is implemented in a secure manner."

The Telegraph, London
