Researchers have discovered that hacking into a hotel room can be done with pretty much any electronic key lying around.
Master keys for hotel rooms can be created “out of thin air,” F-Secure, a Finnish cyber-security firm said in a statement this week, adding that room keys at major hotel chains worldwide “can be hacked to gain access to any room in the building.”
The design flaws were discovered in the lock system’s software, used to secure millions of hotel rooms worldwide, according to F-Secure. Assa Abloy, the lock manufacturer, has issued software updates in response to the security breach.
“Assa Abloy has fixed the flaws in the Vision software and issued software updates, released in February. Hotels that have applied the updates to their systems are not vulnerable,” Assa Abloy said in a statement.
Marriott, which uses Assa Abloy's locks, was recently made aware of the vulnerability, a company spokesperson told Fox News.
“We are currently working with the vendor to understand the impact to our hotels,” Marriott said. “Assa Abloy has developed a software patch that corrects the issue and we are working diligently to apply the software patch as quickly as possible.”
Here’s how the hack works: The bad guys get a keycard from the target hotel. “Even one that’s long expired, discarded, or used to access spaces such as a garage or closet,” according to F-Secure. The keycard’s data is scanned and a master key is produced “after a few minutes.” That key can then bypass any lock in the target hotel.
The most insidious part is, all of this can be done unnoticed, according to F-Secure.
“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” Tomi Tuominen, Practice Leader at F-Secure Cyber Security Services, said in the statement.
So far, there are no known, publicly disclosed cases of this happening, Tuominen added.
The genesis of this research is an incident about a decade ago when a laptop was stolen from a hotel room during a security conference. A complaint was lodged with the hotel but it was dismissed because there was no sign of forced entry or unauthorized access in the room entry logs.
Since the laptop had been stolen from a colleague’s room, the researchers decided to investigate further. “We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” Timo Hirvonen, Senior Security Consultant at F-Secure, said in a statement. The ensuing research to figure out how to hack the lock system took several thousand hours.
Indeed, the lock maker says it’s a lot more difficult to do than it sounds. “It would take a big team of skilled specialists years to try to repeat the effort. Since the tools are not made available, it is not about just going into a hotel and getting instant access,” Assa Abloy said.
“These locks represent only a small fraction of the hotel locks in the world and are being rapidly replaced with new, more advanced technology,” Assa Abloy added.