Electronic locks in over 40,000 hotels worldwide compromised, says security firm

Security research firm F-Secure has discovered a critical vulnerability in electronic locks made by the world’s largest lock manufacturer, Assa Abloy. The vulnerability allowed F-Secure researchers to gain access to any locked room in hotels secured by one of Assa Abloy’s electronic lock systems — leaving roughly 40 thousand major hotels around the world potentially exposed.

“The researchers’ attack involves using any ordinary electronic key to the target facility – even one that’s long expired, discarded, or used to access spaces such as a garage or closet. Using information on the key, the researchers are able to create a master key with privileges to open any room in the building. The attack can be performed without being noticed,” F-Secure’s announcement reads.

With this exploit, F-Secure researchers were able to gain “master key” access to any hotel facility using Assa Abloy’s VingCard system — all they needed was a guest’s key card. Using off-the-shelf hardware, F-Secure’s researchers were able to read these key cards remotely — say, through your pocket — and using the same device, effectively circumvent the electronic key card system’s protections in just a matter of minutes, creating their own master keys out of thin air. To be clear though, this system is primarily used in the hospitality industry, and consumer Assa Abloy products are unaffected.

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” said Tomi Tuominen, practice leader at F-Secure.

Tomi said F-Secure doesn’t believe anyone is currently using this exact exploit in the wild, which should help all you frequent travelers breathe a sigh of relief. Still, that doesn’t mean there aren’t similar vulnerabilities in electronic key card systems. After all, F-Secure’s odyssey to discover this vulnerability was kicked off after one of its researchers experienced a similar exploit firsthand.

“The researchers’ interest in hacking hotel locks was sparked a decade ago when a colleague’s laptop was stolen from a hotel room during a security conference. When the researchers reported the theft, hotel staff dismissed their complaint, given that there was not a single sign of forced entry, and no evidence of unauthorized access in the room entry logs,” the announcement continues.

F-Secure has been working hand in hand with Assa Abloy to mitigate this particular vulnerability and develop software patches for all affected hotel properties.

“I would like to personally thank the Assa Abloy R&D team for their excellent cooperation in rectifying these issues,” said Tuominen. “Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible.”

Jaina Grey
Former Digital Trends Contributor