Almost every hotel we stay nowadays has started using electronic keycards instead of the old metal alternative. These computerized door locking systems could be considered safe until now.
A team of security researchers at F-secure have created a device running custom software that can create a master key “out of thin air.” They’ve exploited vulnerabilities in the door lock software Vision by VingCard, developed by the Swedish company Assa Abloy. Their electronic door locking system is used in millions of hotel rooms across the globe.
All the researchers need is a keycard belonging to the target hotel. It doesn’t matter if it’s discarded or expired years ago because it has some information that can be used.
Within minutes, the master key created after scrapping data from RFID or magnetic strip-based keycards. It can be used to gain access to any affected lock in the target hotel without anyone noticing. The hack can work for a garage, closet, or any other place where the vulnerable Assa Abloy locking system is in use.
The idea to create such a thing sparked around ten years ago when one of their colleague’s laptop was stolen from a hotel room. The hotel didn’t take them seriously as there were no traced of unauthorized entry.
The researchers then started working on their master key making device. They chose Assa Abloy as the brand is popular and known for security and quality.
Designing the system wasn’t easy. During the years of their work, they had to get a thorough understanding of the ins and outs of the locking system. They were able to produce the attack after combining the small loopholes. It was a trial and error effort that took thousands of hours of work done on an on-and-off basis.
Assa Abloy was notified about the security loophole last year, and the researchers have worked with the company to develop a fix. An update is available, but it has to be manually installed on every affected door lock. It’s not known how many affected customers of the company have applied it to their systems.
The researchers have chosen not to publish the hacking tools and they didn’t break into any hotel room. Also, they aren’t aware if someone else is performing this particular attack in the wild.
