Skip to main content

It took them 15 years to hack a master key for 40,000 hotels. But they did it

What if you came back to your hotel room and found that your laptop was missing? What if there was no trace of an intruder, no forced entry, no evidence that the room was entered at all? Security firm F-Secure was faced with that question, and their answer was a simple one: Find out how to make the impossible possible. Find out how to be a ghost.

F-Secure announced this week that it had uncovered a massive vulnerability affecting millions of electronic locks worldwide. The exploit would let anyone walk into a hotel room undetected, leaving no trace. We sat down with the researchers who discovered the exploit, Timo Hirvonen and Tomi Tuominen, to talk about the events leading to its discovery and how this exploit may have made your next hotel stay a whole lot safer.

One night in Berlin

“The story starts in 2003, when we were attending a hacker conference in Berlin, Germany,” said Tomi Tuominen, Practice Leader at F-Secure. “When we got back to the hotel, we noticed our friend’s laptop had been stolen from his hotel room — and this was a nice hotel. We notified the staff, and they didn’t really take us seriously because they had looked at the log and there was no sign of entry or forced entry.”

“That got us thinking: how was it possible that somebody was able to enter the hotel room literally leaving no traces whatsoever?

That theft, adds Timo Hirvonen, senior security consultant at F-Secure, was the first step toward discovering a critical vulnerability in one of the most popular electronic lock systems in the world — the Assa Abloy Vision VingCard locking system.

“Our friend was doing some pretty interesting stuff back in those days, definitely a reason for someone to lift his laptop. That got us thinking, okay, how was it possible that somebody was able to enter the hotel room literally leaving no traces whatsoever?” Tuominen said.

For the next fifteen years, Tomi, Timo, and the rest of the F-Secure team worked on the exploit as a side project. They’re quick to point out though, that it wasn’t so much an intractable problem they were clamoring to solve as much as it was a puzzle — a hobby they worked on more out of curiosity than a drive to crack the VingCard system.

“Some people play football some people play golf, and we just do… these kinds of things,” Tuominen said with a laugh.

Cybersecurity firm F-Secure utilized a device called Proxmark (left) to hack the VingCard security system used in hotel keycards (right). Proxmark.org and F-Secure

As you can imagine, after spending so much time and energy on finding a way to circumvent the VingCard system’s security, they were ecstatic when they found the answer. It wasn’t just a single “Aha” moment though, the exploit came together in bits and pieces, but when they tried it for the first time and it worked on a real hotel lock, the F-Secure team knew they had something special on their hands.

“It was pretty amazing, I’m quite sure that we were high-fiving. There were smaller successes before that, but when the pieces finally came together for the first time,” Tuominen said. “When we realized how to turn this into a practical attack that takes only a few minutes, we were like yeah this is going to happen. We went to a real hotel and tested it and it worked, and it was pretty mind blowing.”

The master key

All right, so how does this attack work? Well, F-Secure didn’t go into the details for security reasons, but how it works in practice is — like Tuominen said — mind-blowing. It starts with a small device that anyone can pick up online, and once the F-Secure team loads their firmware onto the device, they could walk into any hotel using the VingCard system and have master-key access in a matter of minutes.

“We could ride an elevator with a guest, if the guest had a key in their pocket we could read the key through the pocket with our device. Then we’d just walk up to any of the doors and typically in less than a minute we can find the master key.”

“It takes only minutes. For example, we could ride an elevator with a guest, if the guest had a key in their pocket we could read the key through the pocket with our device. Then we’d just walk up to any of the doors and typically in less than a minute we can find the master key,” Hirvonen explained.

The attack works by first reading any card from the hotel they want to break into — even if its expired, or just a regular guest’s card. That part can be done remotely, as  Tuominen explained, reading the information they need right out of your pocket.

F-Secure

Then, it’s just a matter of touching the device to one of the electronic locks in the hotel long enough for it to guess the master key code based on the information in the card it first read. It’s not only a thorough circumvention of an electronic lock system, but it’s a practical attack using off the shelf hardware.

“It’s a small device, the hardware is called Proxmark, it’s something publicly available, you can buy it online for a couple hundred euros. The device is rather small, you can fit it in your hand easily, it’s about the size of a cigarette lighter,”  Tuominen explained.

Luckily, F-Secure is reasonably sure that this exploit hasn’t been used in the wild. The solution is fairly novel and once they knew they had a reproducible attack on their hands, they immediately reached out to lock manufacturer Assa Abloy to let them know.

“It was early 2017 when we first managed to create the master key. And immediately after we discovered that we had this capability we contacted Assa Abloy. We met them the first time face-to-face in April 2017. We explained our findings and explained the attack, and ever since then we have been working together to fix these vulnerabilities,” Tuominen said. “Initially they thought they’d be able to fix the vulnerabilities themselves, but when they fixed the vulnerability and sent us the fixed versions we broke those as well a few times in a row. We’ve been working together with them ever since.”

Should you be worried?

If you have a summer vacation planned, or if you’re a frequent traveler you might be wondering, is this something you need to worry about? Probably not. F-Secure and Assa Abloy have been working hand-in-hand to deliver software patches to affected hotels.

“[Assa Abloy] announced the patches at the beginning of 2018, so they’ve been available for a few months now. They have a product website where you can register and download the patches for free,” Tuominen explained. “It’s a software only patch, but first you need to update the backend software, and after that you need to go to each and every door and update the firmware of that door or lock manually.”

Tomi Tuominen F-Secure

So, you probably don’t need to keep an eye out for Assa Abloy brand electronic locks next time you’re in a hotel. The patches have been available since the beginning of the year, and according to F-Secure there’s no reason to believe this particular exploit has been used in the wild — outside their own testing of course. This is a point that Assa Abloy is quick to reiterate in its official statement, downplaying the hack.

Still, it never hurts to be cautious so if you’re traveling with expensive or sensitive electronics, make sure you keep them on your person or physically secured in your hotel room’s safe. It’s important to remember this won’t be the last time an electronic lock system is compromised like this. We’re just lucky it was F-Secure who found this vulnerability. Other companies, individuals, or even governments, might not be so forthcoming.

Jayce Wagner
Former Digital Trends Contributor
A staff writer for the Computing section, Jayce covers a little bit of everything -- hardware, gaming, and occasionally VR.
Microsoft’s Copilot Vision arrives to surf the web with select users
The Copilot logo

Microsoft's new Copilot Vision feature that can “see what you see, and hear what you hear” while you navigate the internet is finally being made available, though only to a limited number of Copilot Pro subscribers in the U.S.

"Starting today, we are introducing an experience where – with your permission – Copilot can now understand the full context of what you’re doing online," according to a Microsoft blog post. "When you choose to enable Copilot Vision, it sees the page you're on, it reads along with you, and you can talk through the problem you're facing together."

Read more
This HP Envy 2-in-1 is $300 off and has a gorgeous 16-inch 2K screen
The HP Envy x360 2-in-1 laptop on a white background.

Best Buy continues to offer some fantastic laptop deals with a huge $300 off the HP Envy 2-in-1 16-inch 2K Touchscreen laptop. It normally costs $900 but right now, you can buy it for just $600 which is a fantastic price for a laptop with such a good screen. It’d make the perfect gift for someone but also it’s simply a good laptop for all your working needs. Here’s a quick overview of what it has to offer.

Why you should buy the HP Envy 2-in-1 laptop
HP is one of the best laptop brands around and it has a particular penchant for making some of the best 2-in-1 laptops. With this HP Envy 2-in-1 laptop, you get some great hardware. It has an Intel Core Ultra 5 CPU, 16GB of RAM, and 512GB of SSD storage. For this price, you can’t really go wrong with these specs.

Read more
Black Friday’s best PC hardware deal is still live, and you’re sleeping on it
The Ryzen 5 7600X sitting among thermal paste and RAM.

I'm not mad, just disappointed. A couple of weeks ago, I covered the insane deal that essentially allowed you to score a Ryzen 5 7600X -- still one of the best processors you can buy -- for just $105. At the time, I thought, surely, this will sell out in a matter of hours. Who would pass up on a deal this good? And yet, two weeks later to the day, the craziest deal I've seen during all of Black Friday and Cyber Monday is still live on Newegg.

Let me break down the deal again. You can get the Ryzen 5 7600X for $225, which is not a good price. However, you can get an additional $30 off by using promo code DLCDZ342, bringing the price down to $195. The kicker is that you also get a free Team Group MP44L 1TB PCIe 4.0 SSD. That's a $90 hard drive that Newegg is just throwing in with a CPU that's already available for a decent price. The fact that the deal is still live suggests either Newegg has a ton of inventory, or not enough people know about this sale.

Read more