By getting hold of a widely used hotel key card, an attacker could create a master key to unlock any room in the building without leaving a trace, Finnish security researchers said in a study published this week, solving a 14-year-old mystery.
While the researchers have fixed the flaw together with Assa Abloy, the world's largest lock manufacturer which owns the system in question, the case serves as a wake-up call for the lodging industry to a problem that went undetected for years.
Tomi Tuominen, 45, and Timo Hirvonen, 32, security consultants for Finnish data security company F-Secure, say they discovered the vulnerability about a year ago, and reported it to Assa.
"We found out that by using any key card to a hotel ... you can create a master key that can enter any room in the hotel. It doesn't even have to be a valid card, it can be an expired one," Hirvonen said in an interview.
The researchers helped Assa fix the software for an update made available to hotel chains in February. Assa said some hotels have updated it but that it would take a couple more weeks to fully resolve the issue.
"I highly encourage the hotels to install those software fixes," Hirvonen said. "But I think there is no immediate threat, since being able to develop this attack is going to take some time."
Any fresh security risk remains low since the researchers' tools and method will not be published, Assa noted.
The radio-frequency ID key card system in question, Vision by Vingcard, has been replaced by many hotels with new technology, but its current owner Assa Abloy estimated that the system is still being used in several hundred thousand hotel rooms worldwide.
Tuominen said the breakthrough was to figure out a weakness in how the locks are deployed and installed, together with a seemingly minor technical design flaw.
cold case files
Sitting at F-Secure's glass-and-steel-on-stilts headquarters by the Baltic Sea, the researchers show off a small hardware device which they have made able to write a master key out of the information of any card in the Vingcard system.
Clues date back to 2003 when a laptop disappeared from a computer security expert's room at a high-class hotel in Berlin.
The thief left no traces in the room or within the electric lock system, hotel personnel said. The stolen laptop, which never turned up, belonged to a guest who had presented his research at a security conference.
Hearing of the theft at the conference, Tuominen and Hirvonen - then youthful computer guys in hacker-style black hoodies - asked themselves: Could one hack the locking system without leaving a trace?
For years, the two worked off and on to solve the mystery of the plastic cards, which guests often neglect to return. First it was purely a hobby, later a professional mission.
"These issues alone are not a problem, but once you combine those two things, it becomes exploitable," Hirvonen said.
"I wouldn't be surprised if other electronic lock systems have similar vulnerabilities. You cannot really know how secure the system is unless someone has really tried to break it."
The researchers say they have no evidence whether the vulnerabities they found have been put to work by criminals.
Assa Abloy stresses that its newer offerings are based on different technologies, including a system that allows hotel guests to open door locks with their smartphones.
"The challenge of the security business is that it is a moving target. What is secure at a point of time, is not 20 years later," Christophe Sut, an executive at Assa Abloy Hospitality, said in a phone interview.
The researchers asked for no money from Assa for their work or discovery, saying they were only driven by the challenge.
"Some people play football, some people go sailing, some do photography. This is our hobby," Tuominen said.
(Reporting by Jussi Rosendahl and Attila Cser, editing by Eric Auchard and Adrian Croft)