Researchers Develop Master Key for Millions of Hotel Rooms
A vulnerability in the Vision by VingCard electronic locks from Assa Abloy has enabled researchers to create a universal "key to all doors." This popular electronic hotel lock management system, used in over 42,000 hotels across 166 countries, was found to have a flaw that allows hackers to generate a master key and unlock millions of hotel rooms worldwide without leaving any trace in the system.
Assa Abloy is the world's largest manufacturer of electronic hotel locks, and Vision by VingCard is widely deployed in the hospitality industry. Researchers from F-Secure, Tomi Tuominen and Timo Hirvonen, managed to create a master key capable of opening any hotel room equipped with Vision by VingCard locks, all without leaving any evidence in the system logs.
How the Master Key Can Be Created
To make a universal "key to all doors," an attacker needs to obtain an electronic key card from any room in the target hotel. This card can be expired or inactive. To get such a key (RFID or magnetic stripe), the attacker can simply get close enough to a guest or hotel staff member carrying a valid card. An even easier method is to book a room at the hotel and use the issued card as a base.
For a few hundred dollars, an attacker can purchase a special key programming device online and use it to create a master key. The F-Secure researchers used their own custom software to make this possible, but for obvious reasons, they do not plan to release it publicly.
Next, the attacker needs to hold a customized RFID reader/writer device up to the lock of the desired hotel room. The device uses a brute-force method (taking just one minute) to determine the correct master key and unlock the door. The attacker can then continue using the RFID device or write the discovered master key onto an existing key card.
Vulnerability Disclosure and Fix
The researchers reported the vulnerability to the manufacturer in April 2017 and worked with them for a year to develop a fix. Assa Abloy released a patch for their locks in February 2018, and the update is also available for hotels using vulnerable systems.
F-Secure has not yet disclosed technical details about the vulnerability, and there is no evidence that it has been exploited in real-world attacks.