Skip to main content

It took them 15 years to hack a master key for 40,000 hotels. But they did it

What if you came back to your hotel room and found that your laptop was missing? What if there was no trace of an intruder, no forced entry, no evidence that the room was entered at all? Security firm F-Secure was faced with that question, and their answer was a simple one: Find out how to make the impossible possible. Find out how to be a ghost.

F-Secure announced this week that it had uncovered a massive vulnerability affecting millions of electronic locks worldwide. The exploit would let anyone walk into a hotel room undetected, leaving no trace. We sat down with the researchers who discovered the exploit, Timo Hirvonen and Tomi Tuominen, to talk about the events leading to its discovery and how this exploit may have made your next hotel stay a whole lot safer.

 

One night in Berlin

“The story starts in 2003, when we were attending a hacker conference in Berlin, Germany,” said Tomi Tuominen, Practice Leader at F-Secure. “When we got back to the hotel, we noticed our friend’s laptop had been stolen from his hotel room — and this was a nice hotel. We notified the staff, and they didn’t really take us seriously because they had looked at the log and there was no sign of entry or forced entry.”

“That got us thinking: how was it possible that somebody was able to enter the hotel room literally leaving no traces whatsoever?

That theft, adds Timo Hirvonen, senior security consultant at F-Secure, was the first step toward discovering a critical vulnerability in one of the most popular electronic lock systems in the world — the Assa Abloy Vision VingCard locking system.

“Our friend was doing some pretty interesting stuff back in those days, definitely a reason for someone to lift his laptop. That got us thinking, okay, how was it possible that somebody was able to enter the hotel room literally leaving no traces whatsoever?” Tuominen said.

For the next fifteen years, Tomi, Timo, and the rest of the F-Secure team worked on the exploit as a side project. They’re quick to point out though, that it wasn’t so much an intractable problem they were clamoring to solve as much as it was a puzzle — a hobby they worked on more out of curiosity than a drive to crack the VingCard system.

“Some people play football some people play golf, and we just do… these kinds of things,” Tuominen said with a laugh.

Cybersecurity firm F-Secure utilized a device called Proxmark (left) to hack the VingCard security system used in hotel keycards (right). Proxmark.org and F-Secure

As you can imagine, after spending so much time and energy on finding a way to circumvent the VingCard system’s security, they were ecstatic when they found the answer. It wasn’t just a single “Aha” moment though, the exploit came together in bits and pieces, but when they tried it for the first time and it worked on a real hotel lock, the F-Secure team knew they had something special on their hands.

“It was pretty amazing, I’m quite sure that we were high-fiving. There were smaller successes before that, but when the pieces finally came together for the first time,” Tuominen said. “When we realized how to turn this into a practical attack that takes only a few minutes, we were like yeah this is going to happen. We went to a real hotel and tested it and it worked, and it was pretty mind blowing.”

The master key

All right, so how does this attack work? Well, F-Secure didn’t go into the details for security reasons, but how it works in practice is — like Tuominen said — mind-blowing. It starts with a small device that anyone can pick up online, and once the F-Secure team loads their firmware onto the device, they could walk into any hotel using the VingCard system and have master-key access in a matter of minutes.

“We could ride an elevator with a guest, if the guest had a key in their pocket we could read the key through the pocket with our device. Then we’d just walk up to any of the doors and typically in less than a minute we can find the master key.”

“It takes only minutes. For example, we could ride an elevator with a guest, if the guest had a key in their pocket we could read the key through the pocket with our device. Then we’d just walk up to any of the doors and typically in less than a minute we can find the master key,” Hirvonen explained.

The attack works by first reading any card from the hotel they want to break into — even if its expired, or just a regular guest’s card. That part can be done remotely, as  Tuominen explained, reading the information they need right out of your pocket.

F-Secure

Then, it’s just a matter of touching the device to one of the electronic locks in the hotel long enough for it to guess the master key code based on the information in the card it first read. It’s not only a thorough circumvention of an electronic lock system, but it’s a practical attack using off the shelf hardware.

“It’s a small device, the hardware is called Proxmark, it’s something publicly available, you can buy it online for a couple hundred euros. The device is rather small, you can fit it in your hand easily, it’s about the size of a cigarette lighter,”  Tuominen explained.

Luckily, F-Secure is reasonably sure that this exploit hasn’t been used in the wild. The solution is fairly novel and once they knew they had a reproducible attack on their hands, they immediately reached out to lock manufacturer Assa Abloy to let them know.

“It was early 2017 when we first managed to create the master key. And immediately after we discovered that we had this capability we contacted Assa Abloy. We met them the first time face-to-face in April 2017. We explained our findings and explained the attack, and ever since then we have been working together to fix these vulnerabilities,” Tuominen said. “Initially they thought they’d be able to fix the vulnerabilities themselves, but when they fixed the vulnerability and sent us the fixed versions we broke those as well a few times in a row. We’ve been working together with them ever since.”

Should you be worried?

If you have a summer vacation planned, or if you’re a frequent traveler you might be wondering, is this something you need to worry about? Probably not. F-Secure and Assa Abloy have been working hand-in-hand to deliver software patches to affected hotels.

“[Assa Abloy] announced the patches at the beginning of 2018, so they’ve been available for a few months now. They have a product website where you can register and download the patches for free,” Tuominen explained. “It’s a software only patch, but first you need to update the backend software, and after that you need to go to each and every door and update the firmware of that door or lock manually.”

Tomi Tuominen F-Secure

So, you probably don’t need to keep an eye out for Assa Abloy brand electronic locks next time you’re in a hotel. The patches have been available since the beginning of the year, and according to F-Secure there’s no reason to believe this particular exploit has been used in the wild — outside their own testing of course. This is a point that Assa Abloy is quick to reiterate in its official statement, downplaying the hack.

Still, it never hurts to be cautious so if you’re traveling with expensive or sensitive electronics, make sure you keep them on your person or physically secured in your hotel room’s safe. It’s important to remember this won’t be the last time an electronic lock system is compromised like this. We’re just lucky it was F-Secure who found this vulnerability. Other companies, individuals, or even governments, might not be so forthcoming.

Jaina Grey
Former Digital Trends Contributor
Jaina Grey is a Seattle-based journalist with over a decade of experience covering technology, coffee, gaming, and AI. Her…
A coding blunder just ruined a moment of joy for lottery winners
Eurojackpot lottery slips.

Imagine the joy of being notified of a huge lottery win. What would be the first thing you’d do? Get the champagne in? Book a fancy vacation? Call your boss and tell him where to go?

And then imagine being informed that the notification had, in fact, been sent in error. Well, you can always send the booze back and cancel the holiday, but trying to convince your boss that you were just joking ... well, that may be a bigger challenge.

Read more
This TP-Link Wi-Fi 6 router is 45% off in early Prime Day deal
The TP-Link AX1800 Archer AX21 Wi-FI 6 Router on a white background.

If you're planning to buy a new router to improve your home's Wi-Fi network, the good news is that you don't have to wait for Prime Day 2025 to take advantage of huge discounts on router deals from Amazon. Here's an excellent offer — the TP-Link Archer AX21 with an eye-catching 45% discount, which drops its price from $100 to just $55. The $45 in savings will only be available for a limited time though, so you better act fast and proceed with your purchase immediately as this early Prime Day deal may disappear at any moment.

Buy Now

Read more
Watch these AI humanoid robots play soccer like Mbappé … sort of
Humanoid robots playing soccer.

Watching these humanoid robots battle it out on the soccer field, you quickly realize that Kylian Mbappé and his fellow professionals really have little to worry about. At least, for now.

The footage (top) was captured last week in Beijing at the RoBoLeague World Robot Soccer League, China's first-ever three-on-three humanoid robot soccer league.

Read more