It took them 15 years to hack a master key for 40,000 hotels. But they did it

What if you came back to your hotel room and found that your laptop was missing? What if there was no trace of an intruder, no forced entry, no evidence that the room was entered at all? Security firm F-Secure was faced with that question, and their answer was a simple one: Find out how to make the impossible possible. Find out how to be a ghost.

F-Secure announced this week that it had uncovered a massive vulnerability affecting millions of electronic locks worldwide. The exploit would let anyone walk into a hotel room undetected, leaving no trace. We sat down with the researchers who discovered the exploit, Timo Hirvonen and Tomi Tuominen, to talk about the events leading to its discovery and how this exploit may have made your next hotel stay a whole lot safer.

One night in Berlin

“The story starts in 2003, when we were attending a hacker conference in Berlin, Germany,” said Tomi Tuominen, Practice Leader at F-Secure. “When we got back to the hotel, we noticed our friend’s laptop had been stolen from his hotel room — and this was a nice hotel. We notified the staff, and they didn’t really take us seriously because they had looked at the log and there was no sign of entry or forced entry.”

“That got us thinking: how was it possible that somebody was able to enter the hotel room literally leaving no traces whatsoever?

That theft, adds Timo Hirvonen, senior security consultant at F-Secure, was the first step toward discovering a critical vulnerability in one of the most popular electronic lock systems in the world — the Assa Abloy Vision VingCard locking system.

“Our friend was doing some pretty interesting stuff back in those days, definitely a reason for someone to lift his laptop. That got us thinking, okay, how was it possible that somebody was able to enter the hotel room literally leaving no traces whatsoever?” Tuominen said.

For the next fifteen years, Tomi, Timo, and the rest of the F-Secure team worked on the exploit as a side project. They’re quick to point out though, that it wasn’t so much an intractable problem they were clamoring to solve as much as it was a puzzle — a hobby they worked on more out of curiosity than a drive to crack the VingCard system.

“Some people play football some people play golf, and we just do… these kinds of things,” Tuominen said with a laugh.

Cybersecurity firm F-Secure utilized a device called Proxmark (left) to hack the VingCard security system used in hotel keycards (right). Proxmark.org and F-Secure

As you can imagine, after spending so much time and energy on finding a way to circumvent the VingCard system’s security, they were ecstatic when they found the answer. It wasn’t just a single “Aha” moment though, the exploit came together in bits and pieces, but when they tried it for the first time and it worked on a real hotel lock, the F-Secure team knew they had something special on their hands.

“It was pretty amazing, I’m quite sure that we were high-fiving. There were smaller successes before that, but when the pieces finally came together for the first time,” Tuominen said. “When we realized how to turn this into a practical attack that takes only a few minutes, we were like yeah this is going to happen. We went to a real hotel and tested it and it worked, and it was pretty mind blowing.”

The master key

All right, so how does this attack work? Well, F-Secure didn’t go into the details for security reasons, but how it works in practice is — like Tuominen said — mind-blowing. It starts with a small device that anyone can pick up online, and once the F-Secure team loads their firmware onto the device, they could walk into any hotel using the VingCard system and have master-key access in a matter of minutes.

“We could ride an elevator with a guest, if the guest had a key in their pocket we could read the key through the pocket with our device. Then we’d just walk up to any of the doors and typically in less than a minute we can find the master key.”

“It takes only minutes. For example, we could ride an elevator with a guest, if the guest had a key in their pocket we could read the key through the pocket with our device. Then we’d just walk up to any of the doors and typically in less than a minute we can find the master key,” Hirvonen explained.

The attack works by first reading any card from the hotel they want to break into — even if its expired, or just a regular guest’s card. That part can be done remotely, as  Tuominen explained, reading the information they need right out of your pocket.

how f secure hacked 40000 hotels to make you safer infographic
F-Secure

Then, it’s just a matter of touching the device to one of the electronic locks in the hotel long enough for it to guess the master key code based on the information in the card it first read. It’s not only a thorough circumvention of an electronic lock system, but it’s a practical attack using off the shelf hardware.

“It’s a small device, the hardware is called Proxmark, it’s something publicly available, you can buy it online for a couple hundred euros. The device is rather small, you can fit it in your hand easily, it’s about the size of a cigarette lighter,”  Tuominen explained.

Luckily, F-Secure is reasonably sure that this exploit hasn’t been used in the wild. The solution is fairly novel and once they knew they had a reproducible attack on their hands, they immediately reached out to lock manufacturer Assa Abloy to let them know.

“It was early 2017 when we first managed to create the master key. And immediately after we discovered that we had this capability we contacted Assa Abloy. We met them the first time face-to-face in April 2017. We explained our findings and explained the attack, and ever since then we have been working together to fix these vulnerabilities,” Tuominen said. “Initially they thought they’d be able to fix the vulnerabilities themselves, but when they fixed the vulnerability and sent us the fixed versions we broke those as well a few times in a row. We’ve been working together with them ever since.”

Should you be worried?

If you have a summer vacation planned, or if you’re a frequent traveler you might be wondering, is this something you need to worry about? Probably not. F-Secure and Assa Abloy have been working hand-in-hand to deliver software patches to affected hotels.

“[Assa Abloy] announced the patches at the beginning of 2018, so they’ve been available for a few months now. They have a product website where you can register and download the patches for free,” Tuominen explained. “It’s a software only patch, but first you need to update the backend software, and after that you need to go to each and every door and update the firmware of that door or lock manually.”

how f secure hacked 40000 hotels to make you safer tomi tuominen
Tomi Tuominen F-Secure

So, you probably don’t need to keep an eye out for Assa Abloy brand electronic locks next time you’re in a hotel. The patches have been available since the beginning of the year, and according to F-Secure there’s no reason to believe this particular exploit has been used in the wild — outside their own testing of course. This is a point that Assa Abloy is quick to reiterate in its official statement, downplaying the hack.

Still, it never hurts to be cautious so if you’re traveling with expensive or sensitive electronics, make sure you keep them on your person or physically secured in your hotel room’s safe. It’s important to remember this won’t be the last time an electronic lock system is compromised like this. We’re just lucky it was F-Secure who found this vulnerability. Other companies, individuals, or even governments, might not be so forthcoming.