It took them 15 years to hack a master key for 40,000 hotels. But they did it

What if you came back to your hotel room and found that your laptop was missing? What if there was no trace of an intruder, no forced entry, no evidence that the room was entered at all? Security firm F-Secure was faced with that question, and their answer was a simple one: Find out how to make the impossible possible. Find out how to be a ghost.

F-Secure announced this week that it had uncovered a massive vulnerability affecting millions of electronic locks worldwide. The exploit would let anyone walk into a hotel room undetected, leaving no trace. We sat down with the researchers who discovered the exploit, Timo Hirvonen and Tomi Tuominen, to talk about the events leading to its discovery and how this exploit may have made your next hotel stay a whole lot safer.

One night in Berlin

“The story starts in 2003, when we were attending a hacker conference in Berlin, Germany,” said Tomi Tuominen, Practice Leader at F-Secure. “When we got back to the hotel, we noticed our friend’s laptop had been stolen from his hotel room — and this was a nice hotel. We notified the staff, and they didn’t really take us seriously because they had looked at the log and there was no sign of entry or forced entry.”

“That got us thinking: how was it possible that somebody was able to enter the hotel room literally leaving no traces whatsoever?

That theft, adds Timo Hirvonen, senior security consultant at F-Secure, was the first step toward discovering a critical vulnerability in one of the most popular electronic lock systems in the world — the Assa Abloy Vision VingCard locking system.

“Our friend was doing some pretty interesting stuff back in those days, definitely a reason for someone to lift his laptop. That got us thinking, okay, how was it possible that somebody was able to enter the hotel room literally leaving no traces whatsoever?” Tuominen said.

For the next fifteen years, Tomi, Timo, and the rest of the F-Secure team worked on the exploit as a side project. They’re quick to point out though, that it wasn’t so much an intractable problem they were clamoring to solve as much as it was a puzzle — a hobby they worked on more out of curiosity than a drive to crack the VingCard system.

“Some people play football some people play golf, and we just do… these kinds of things,” Tuominen said with a laugh.

Cybersecurity firm F-Secure utilized a device called Proxmark (left) to hack the VingCard security system used in hotel keycards (right). and F-Secure

As you can imagine, after spending so much time and energy on finding a way to circumvent the VingCard system’s security, they were ecstatic when they found the answer. It wasn’t just a single “Aha” moment though, the exploit came together in bits and pieces, but when they tried it for the first time and it worked on a real hotel lock, the F-Secure team knew they had something special on their hands.

“It was pretty amazing, I’m quite sure that we were high-fiving. There were smaller successes before that, but when the pieces finally came together for the first time,” Tuominen said. “When we realized how to turn this into a practical attack that takes only a few minutes, we were like yeah this is going to happen. We went to a real hotel and tested it and it worked, and it was pretty mind blowing.”

The master key

All right, so how does this attack work? Well, F-Secure didn’t go into the details for security reasons, but how it works in practice is — like Tuominen said — mind-blowing. It starts with a small device that anyone can pick up online, and once the F-Secure team loads their firmware onto the device, they could walk into any hotel using the VingCard system and have master-key access in a matter of minutes.

“We could ride an elevator with a guest, if the guest had a key in their pocket we could read the key through the pocket with our device. Then we’d just walk up to any of the doors and typically in less than a minute we can find the master key.”

“It takes only minutes. For example, we could ride an elevator with a guest, if the guest had a key in their pocket we could read the key through the pocket with our device. Then we’d just walk up to any of the doors and typically in less than a minute we can find the master key,” Hirvonen explained.

The attack works by first reading any card from the hotel they want to break into — even if its expired, or just a regular guest’s card. That part can be done remotely, as  Tuominen explained, reading the information they need right out of your pocket.

how f secure hacked 40000 hotels to make you safer infographic

Then, it’s just a matter of touching the device to one of the electronic locks in the hotel long enough for it to guess the master key code based on the information in the card it first read. It’s not only a thorough circumvention of an electronic lock system, but it’s a practical attack using off the shelf hardware.

“It’s a small device, the hardware is called Proxmark, it’s something publicly available, you can buy it online for a couple hundred euros. The device is rather small, you can fit it in your hand easily, it’s about the size of a cigarette lighter,”  Tuominen explained.

Luckily, F-Secure is reasonably sure that this exploit hasn’t been used in the wild. The solution is fairly novel and once they knew they had a reproducible attack on their hands, they immediately reached out to lock manufacturer Assa Abloy to let them know.

“It was early 2017 when we first managed to create the master key. And immediately after we discovered that we had this capability we contacted Assa Abloy. We met them the first time face-to-face in April 2017. We explained our findings and explained the attack, and ever since then we have been working together to fix these vulnerabilities,” Tuominen said. “Initially they thought they’d be able to fix the vulnerabilities themselves, but when they fixed the vulnerability and sent us the fixed versions we broke those as well a few times in a row. We’ve been working together with them ever since.”

Should you be worried?

If you have a summer vacation planned, or if you’re a frequent traveler you might be wondering, is this something you need to worry about? Probably not. F-Secure and Assa Abloy have been working hand-in-hand to deliver software patches to affected hotels.

“[Assa Abloy] announced the patches at the beginning of 2018, so they’ve been available for a few months now. They have a product website where you can register and download the patches for free,” Tuominen explained. “It’s a software only patch, but first you need to update the backend software, and after that you need to go to each and every door and update the firmware of that door or lock manually.”

how f secure hacked 40000 hotels to make you safer tomi tuominen
Tomi Tuominen F-Secure

So, you probably don’t need to keep an eye out for Assa Abloy brand electronic locks next time you’re in a hotel. The patches have been available since the beginning of the year, and according to F-Secure there’s no reason to believe this particular exploit has been used in the wild — outside their own testing of course. This is a point that Assa Abloy is quick to reiterate in its official statement, downplaying the hack.

Still, it never hurts to be cautious so if you’re traveling with expensive or sensitive electronics, make sure you keep them on your person or physically secured in your hotel room’s safe. It’s important to remember this won’t be the last time an electronic lock system is compromised like this. We’re just lucky it was F-Secure who found this vulnerability. Other companies, individuals, or even governments, might not be so forthcoming.


Best deals on smart locks so you’ll never have to worry about unlocked doors

Is your front door locked? We found the best deals on smart home door locks that take the worry out of wondering if your home is secure. You can lock or unlock your doors remotely and some models let you control locks with voice commands.
Smart Home

Ring Alarm vs. Nest Secure: Which one is right for you?

Thanks to the advance of technology, it's become really easy nowadays to secure your home and protect it from thieves, intruders, and unwanted guests. Which one of these two top contenders is right for you?

Best deals on home security cameras to save you from package thieves

Home security camera systems can help keep your home and your family safe. Amazon's deals on Blink security cameras and Ring Video Doorbells also help you save money on devices you can access regardless of your current location.

Worried about your online privacy? We tested the best VPN services

Browsing the web can be less secure than most users would hope. If that concerns you, a virtual private network — aka a VPN — is a decent solution. Check out a few of the best VPN services on the market.

Windows 10 user activity logs are sent to Microsoft despite users opting out

Windows 10 Privacy settings may not be enough to stop PCs from releasing user activity data to Microsoft. Users discovered that opting out of having their data sent to Microsoft does little to prevent it from being released.

Intel's discrete graphics will be called 'Xe,' IGP gets Adapative Sync next year

Intel has officially dubbed its discrete graphics product Intel Xe, and the company also provided details about its Gen11 IGP. The latter will include adaptive sync support and will arrive in 2019.

Intel answers Qualcomm's new PC processors by pairing Core and Atom in 'Foveros'

Intel has announced a new packaging technology called 'Foveros' that makes it easier for the company to place multiple chips together on one package. That includes chips based on different Intel architectures, like Core and Atom.

Razer’s classic DeathAdder Elite gaming mouse drops to $40 on Amazon

If you're looking to pick up a new gaming mouse for the holidays, Amazon has you covered with this great deal on the classic Razer DeathAdder Elite gaming mouse with customizable buttons, RGB lighting, and a 16,000 DPI optical sensor.

Intel's dedicated GPU is not far off -- here's what we know

Did you hear? Intel is working on a dedicated graphics card. It's called Arctic Sound and though we don't know a lot about it, we know that Intel has some ex-AMD Radeon graphics engineers developing it.

Firefox 64 helps keep your numerous tabs under control

Mozilla officially launched Firefox 64 by placing new features into the laps of its users including new tab management abilities, intelligent suggestions, and a task manager for keeping Firefox's power consumption under control.

Here's our guide to how to charge your laptop using a USB-C cable

Charging via USB-C is a great way to power up your laptop. It only takes one cable and you can use the same one for data as well as power -- perfect for new devices with limited port options.

Apple MacBook Air vs. Microsoft Surface Pro 6

The MacBook Air was updated with more contemporary components and a more modern design, but is that enough to compete with standouts like Microsoft's Surface Pro 6 detachable tablet?

Installing fonts in Windows 10 is quick and easy -- just follow these steps

Want to know how to install fonts in Windows 10? Here's our guide on two easy ways to get the job done, no matter how many you want to add to your existing catalog, plus instructions for deleting fonts.

Email take-backsies! Gmail's unsend feature is one of its best

Everyone has sent a message they wish they could take back. How great would it be if you could undo that impulsive email? If you're a Gmail user, you can. Here's how to recall an email in Gmail.