Master Key Hack Exploits Flaw in Key System to Unlock Hotel Rooms

The master key hack has the capability of unlocking not hundreds or thousands but millions of hotel rooms, claim F-Secure security researchers.

Until now, we had believed that it is easier to break into hotel rooms doors using the old-fashioned manual keys and electronic keys are quite reliable in maintaining security. However, cyber-security firm F-Secure has a surprising new revelation for us.

On Wednesday, the company announced that hotel rooms in 166 countries and 40,000 locations are currently at risk of being unlocked by hackers. F-Secure researchers successfully exploited the electronic keys software developed by Assa Abloy aka VingCard to prove their point.

Researchers Tomi Tuominen and Timo Hirvonen at F-Secure discovered that Vision, the electronic keys’ software used by hotels worldwide, is vulnerable to exploitation. It lets cybercriminals produce master keys and easily open any door in the facility by using a single hotel room key and an RFID reader. Through the reader, they can keep trying different code combinations to decode the electronic key card.

See: Hackers Infect Hotel Door Lock System with Ransomware

Keys that utilize electromagnetic fields or the RFID reader to function can easily be cloned and this can be done without even raising suspicion.

In a majority of cases, nearly 20 different key combos are used after which the code is identified and the hotel doors’ master key is created. Researchers are concerned because not only the attack method is simple but the entire hacking process takes just one minute. The company noted that as of now there is no evidence that the identified threat has actually been exploited by threat actors. F-Secure didn’t release its techniques as well.

Researchers opine that having totally fool-proof and flawless technology is merely a myth and no such thing exists. Electronic key cards although offer improved security but there is always a possibility of failure of software or hardware. In this particular case, the attacker can create a master key for the whole building in a few minutes with help of a regular hotel door key.

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” said Tomi Tuominen, Practice Leader at F-Secure Cyber Security Services. “We don’t know of anyone else performing this particular attack in the wild right now.”

To address the issue, F-Secure has collaborated with Assa Abloy, who has been taking their findings quite seriously and developed a software patch to fix the issue. All at-risk hotels are asked to update their security system in order to prevent the hacking threat.

“I would like to personally thank the Assa Abloy R&D team for their excellent cooperation in rectifying these issues,” said Tuominen. “Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible.”

See: Insider hacks Marriott hotel reservation system; slashes rate up to 95%

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.