Security researchers have successfully created master keys that can open millions of hotel rooms, as well as many garages and storage units.
By exploiting a fundamental design flaw in Vision by VingCard, a widely-used hotel lock system sold by the Swedish company, Assa Abloy, the researchers at F-Secure were able to demonstrate that criminals could potentially severely compromise the security of people and property in more than 42,000 locations in 166 countries around the world.
While criminals have been attempting to create replicas of hotel keys for many years, the newly announced vulnerability is especially scary in that it allows unauthorized parties to create a master key for an entire building within minutes, with the only requirement for doing so being having access to a valid or expired regular room key from that facility. As such, if a criminal was to ever stay in a particular hotel, or find a discarded key after someone checked out of that facility, the crook could potentially gain access to every room there, with access records logging his or her illegal entries as if they were staff access.
The master-key creation technique, announced this past week by F-Secure’s Tomi Tuominen and Timo Hirvonen, exploits the fact that by analyzing the data on a regular hotel room key card, someone with knowledge of both cryptography and how the VingCard system works could narrow down the potential master key codes for a facility to a relatively small set of possibilities. By using a handheld Proxmark RFID card reading and writing tool (which today costs about $250-$300) to cycle through the possible codes while near any lock at the hotel, the researchers could quickly identify the correct master code – usually within about 20 tries — and then generate a hotel key card with the correct code on it. The entire process of reading from the regular room card, testing codes, and generating a new master key card took researchers as little as one minute.
This episode highlights one of the risks of hotel key-card access systems and other physical security systems based on RFID cards – that a small vulnerability in code can lead to a tremendous security and safety risk worldwide.
After being notified by Tuominen and Hirvonen, and prior to their disclosure of the vulnerability to the public, VingCard issued a patch to address the problem – and every facility that uses Vision should make sure that the patch is installed. Of course, for obvious reasons, F-Secure is not making available to the public the technical details as to how to create the master keys. That said, once criminals and nation states know that a vulnerability of this nature exists, there is little doubt that some will perform their own R&D to try to identify and exploit it.
In fact, Tuominen’s interest in the VingCard system originally began fifteen years ago when a friend of his had his laptop stolen from a hotel room – in a theft that involved no signs of forced entry and produced no records of anyone entering the room other than his friend and hotel staff, raising questions in Tuominen’s mind as to whether criminals had managed to find and exploit a vulnerability in the VingCard system. I am also personally aware of other people who claim to have had items disappear from hotel rooms with no signs of entry other than by authorized parties.
As such, we must realize that it is possible that this vulnerability and/or others in hotel lock systems may have been previously discovered and exploited by criminals; when traveling always chain lock your door when you are in a hotel room, and secure your valuables when you leave. Also, be sure to learn what not to do on social media while traveling.