- Title: Finnish hackers discover a serious security flaw in hotel key system
- Date: 25th April 2018
- Summary: SCRIPT RUNNING ON SCREEN
- Embargoed: 9th May 2018 11:18
- Keywords: F-Secure Timo Hirvonen hotel hotely key hacking
- Location: VANTAA, HELSINKI, FINLAND
- City: VANTAA, HELSINKI, FINLAND
- Country: Finland
- Topics: Science
- Reuters ID: LVA0028CXH5QZ
- Aspect Ratio: 16:9
- Story Text:It started 15 years ago after a laptop disappeared from a computer security expert's room at a high-class hotel in Berlin.
The thief left no traces in the room nor the electric lock system, hotel personnel said.
The stolen laptop, which never turned up, belonged to a guest who had presented his research at a security conference.
Hearing of the theft at the conference, Tomi Tuominen and Timo Hirvonen - two youthful Finnish computer guys in hacker-style black hoodies - asked themselves: could one hack the locking system without leaving a trace?
For years, the two worked off and on to solve the mystery of the plastic cards, which guests often mindlessly neglect to return. First it was purely as a hobby, later a professional mission.
"We found out that by using any key card to a hotel… you can create a master key that can enter any room in the hotel. It doesn't even have to be a valid card, it can be an expired one," Hirvonen said in an interview.
The radio-frequency ID key card system in question, Vision by Vingcard, has been replaced by many hotels with new technology, but its current owner Assa Abloy estimated that the system is still being used in several hundreds of thousands of hotel rooms worldwide.
Tuominen, 45, and Hirvonen, 32, who both work as security consults for Finnish data security company F-Secure say they discovered the vulnerability about a year ago, and reported it to Assa.
Sitting at F-Secure's glass-and-steel-on-stilts headquarters by the Baltic Sea, the researchers showoff a small custom hardware device which they say is able to write a master key out of the information of any card in the Vingcard system.
Tuominen said the breakthrough was to figure out a weakness in how the locks are deployed and installed, together with a seemingly minor technical design flaw.
"These issues alone are not a problem, but once you combine those two things, it becomes exploitable."
The researchers helped Assa to fix the software for an update which was made available to hotel chains in February. Assa said some hotels have updated it but that it would take a couple of more weeks to fully resolve the issue.
"I highly encourage the hotels to install those software fixes," Hirvonen said. "But I think there is no immediate threat, since being able to develop this attack is going to take some time."
Any new security risk remains low since the researchers' tools and method will not be published, Assa noted.
Nonetheless, it's a wake-up call for the lodging industry to a problem that went undetected for years.
"I wouldn't be surprised if other electronic lock systems have similar vulnerabilities... you cannot really know how secure the system is unless someone has really tried to break it," Hirvonen said.
Assa Abloy stresses that its newer offerings are based on different technologies, including a system that allows hotel guests to open door locks with their smartphones.
"We were quite impressed with the knowledge of these (F-Secure) people," Christophe Sut, an executive at Assa Abloy Hospitality, said in a phone interview.
"The challenge of the security business is that it is a moving target. What is secure at a point of time, is not 20 years later."
The researchers asked for no money from Assa for their work or discovery, saying they were only driven by the challenge.
"Some people play football, some people go sailing, some do photography. This is our hobby," Tuominen said. - Copyright Holder: REUTERS
- Copyright Notice: (c) Copyright Thomson Reuters 2018. Open For Restrictions - http://about.reuters.com/fulllegal.asp
- Usage Terms/Restrictions: Footage contains computer game or software screenshots. User is responsible for obtaining additional clearances before publishing this clip.