Hotels worldwide and global hotel chains are using an electronic lock system that could be exploited by an attacker to gain access to any room in the facility, according to a new report published today by cybersecurity firm F-Secure.
The design flaws discovered in the lock system’s software, which is known as Vision by VingCard and used to secure millions of hotel rooms worldwide, have prompted the world’s largest lock manufacturer, Assa Abloy, to issue software updates with security fixes to mitigate the issue.
Using the information on the key, the researchers are able to create a master key with privileges to open any room in the building.
F-Secure
The researchers’ attack involves using any ordinary electronic key to the target facility – even one that’s long expired, discarded, or used to access spaces such as a garage or closet. Using the information on the key, the researchers are able to create a master key with privileges to open any room in the building. The attack can be performed without being noticed, the cybersecurity advisory warned.
The researchers’ interest in hacking hotel locks was sparked a decade ago when a colleague’s laptop was stolen from a hotel room. When the researchers reported the theft, hotel staff dismissed their complaint given that there was no sign of forced entry, and no evidence adequate evidence. The researchers decided to investigate the issue further, and chose to target a brand of lock known for quality and security. These security oversights were not obvious holes. It took a thorough understanding of the whole system’s design to identify small flaws that, when combined, produced the attack, F-Secure noted.
The research took several thousand hours and was done on an on-and-off basis, and involved considerable amounts of trial and error.
F-Secure
The research took several thousand hours and was done on an on-and-off basis, and involved considerable amounts of trial and error. “We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” said F-Secure's Senior Security Consultant Timo Hirvonen.
F-Secure notified Assa Abloy of the findings and has collaborated with the clockmakers over the past year to implement software fixes and has updated the software on the affected properties.
0 Comments