Hotels are weird. When we check in somewhere, it’s typically for a very short time — often a week or less. Despite that, we often come to look upon our rooms as our homes away from home. From the moment you drop your luggage on the floor and climb under the Egyptian cotton sheets, you’re in your private, safe bubble.
For one F-Secure researcher, that bubble was burst when their laptop was stolen from their hotel room while attending an infosec conference in Berlin. With no sign of forced entry, the hotel staff dismissed the complaint — either thinking they’d merely misplaced it, or were lying.
This incident piqued the interest of two of the researcher’s colleagues, Timo Hirvonen and Tomi Tuominen, and the ethical hacker pair turned their attention to the digital lock systems used by hotels.
Most hotels (especially high-end or chain hotels) use some form of electronic lock system. Rather than handing out physical keys, which are expensive to replace if lost, receptionists provide guests with cheap, disposable keycards. These are increasingly RFID-based, rather than using traditional magstrip cards, which often have to be remagnetized several times during a stay.
The F-Secure researchers turned their attention to a popular hospitality lock system built by the world’s biggest manufacturer of these products: Assa Abloy.
F-Secure is pretty complimentary about Assa Abloy. In a blog post, it described it as a “high caliber brand,” and said its locks are known for quality and security. But that didn’t stop them from finding a vulnerability on the underlying software (called Vision, which is developed by a third-party company called VingCard) that would give an intruder access to every single room in a particular property.
“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” says Tomi Tuominen, Practice Leader at F-Secure Cyber Security Services, who assisted in this research.
What’s most astonishing about this discovery is the trivial nature in which it can be exploited. First, you just need to obtain one keycard from the property you’re targeting.
It doesn’t even need to be the room you’re interested in breaking into. “Literally any key will suffice, be it a room key or a key to a storage closet or garage,” said F-Secure in a statement.
Worse, the key doesn’t even have to be currently active. “Even an expired key from a stay five years ago will work,” the company said.
Using a piece of specialized hardware that costs “a few hundred euros” online and some custom software, the attacker can analyze that key and using a process of computation, determine the master key.
The attacker can then use the device to access any room in a property without hinderance. Alternatively, they can imprint it on a blank keycard, and pass it to an accomplice. According to F-Secure, this attack works on both magstripe and the more sophisticated RFID hotel keycards.
Following responsible disclosure best practices, F-Secure informed Assa Abloy of the issue last year, and quietly worked with the Swedish company to resolve the issue. A fix has been created and issued to affected hotels.
“Because of Assa Abloy’s diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place,” says Tuominen. “We urge any establishment using this software to apply the update as soon as possible.”
F-Secure will not release any code or the full details of the vulnerability. That’s wise given the fact that some properties may not have implemented the patch, and would therefore still be at risk.
This episode serves as a troubling reminder that computers are everywhere, and where there are computers, there are inevitable security issues. On the back of his findings, Tuominen encourages travelers to be more mindful of security when on the road.
“People should continue doing the things they hopefully are already doing,” he said. “That means don’t leave any valuables in your hotel room and use the door chain when you’re in the room or going to bed. If you haven’t been doing these things already, now might be a good time to start.”