F-Secure Hack Can Unlock Millions of Hotel Rooms With Handheld Device

Twitter icon
Facebook icon
Google icon
LinkedIn icon

By Ryan Whitwam

It’s very rare these days that a hotel will give you a real key when you check in. Instead, most chain hotels and mid-sized establishments have switched over to electronic locks with a keycard system. As researchers from F-Secure have discovered, these electronic locks may not be very secure. Researchers from the company have managed to create a “master key” for a popular brand of hotel locks that can unlock any door.

The team began this investigation more than a decade ago, when an F-Secure employee had a laptop stolen from a hotel room. Some of the staff began to wonder how easy it would be to hack the keycard locks, so they set out to do it themselves. The researchers are quick to point out this has not been a focus of F-Secure for 10 years — it took several thousand total man-hours, mostly in the last couple years.

F-Secure settled on cracking the Vision by VingCard system built by Swedish lock manufacturer Assa Abloy. These locks are used in more than 42,000 properties in 166 countries. The project was a huge success, too. F-Secure reports they can create a master key in about a minute that unlocks any door in a hotel. That’s millions of potentially vulnerable hotel rooms around the world.

The hack involves a small handheld computer and an RFID reader (it also works with older magnetic stripe cards). All the researchers need to pull off the hack is a keycard from a hotel. It doesn’t even have to be an active one. Even old and invalid cards have the necessary data to reconstruct the keys that unlock doors. The custom software then generates a key with full privileges that can bypass all the locks in a building. Many hotels use these keys not only for guest rooms, but also elevators and employee-only areas of the hotel.

    “We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” said @TimoHirvonen https://t.co/rsFhcf5SUr pic.twitter.com/29eUMuua3E

    — F-Secure (@FSecure) April 25, 2018

F-Secure disclosed the hack to Assa Abloy last year, and the lock maker developed a software patch to fix the issue. It’s available for customers to download now, but there’s one significant problem. The firmware on each lock needs an update, and there’s no guarantee every hotel with this system will have the resources to do that. Many of them might not even know the vulnerability exists. This hack could work for a long time to come, but F-Secure isn’t making the attack tools generally available. Anyone who wants to compromise these locks will have to start from scratch.



My main problem with publications like this is that they are often sensationalized. This type of technology has been around for years and years, same with Casino machine hacks. People who figured this out and developed the devices for it often only use them lowkey, because that's the smart thing to do. Then you have someone who finds out and pushes a news story about it, spinning it to be some massive breakthrough in the hacking world and we're all no longer safe behind hotel keycard locks. There was a documentary I watched a few years ago, maybe it was on netflix but I don't think so, but it was about a guy who figured out how to hack certain Hotel door locks and he abused that to his advantage for upwards of a decade. Why was he able to do this for so long? Because he didn't go running to the press when he figured it out, and to a larger extent because its extremely costly to replace the technology in an entire hotel(same as why companies get hit with malware that exploit bugs that should've been patch months/years prior).

That's not to discredit this team, I'm sure they are full of great people doing honest work.

There's a reason hotel room doors have deadbolts and chains in addition to the keycard - they've never been considered 'secure'...

I'm sure the work that F-Secure did was very technically impressive, but I don't think this demonstrates that "these electronic locks may not be very secure" as the article states.

I'd imagine that there are very few commercial technologies that couldn't be hacked if you can get research on a working copy and throw "several thousand total man hours" of highly qualified researchers at it, including building a custom device. And the hack has already been patched!

And then the end payout is that you can get into hotel rooms, which are regularly accessed by low-paid hotel employees and generally considered not a secure place to leave valuables—there's a reason for the safes in the closet of every hotel room.

And a good old default "master" password for those safes in more than 1/10 of five star hotels.

Security forces have already been hacking hotel door locks for years. For example, Mossad agents were caught on camera in 2010 cracking the lock on Mahmoud Al-Mabhouh's room before assassinating him: https://en.wikipedia.org/wiki/Assassination_of_Mahmoud_Al-Ma...

I remember reading a related article (sorry, can't find the source now) about the assassination that claimed the agents had tools to break into a large variety of electronic lock companies, so it's unlikely that F-Secure's hack is a one-off discovery.

Add new comment