You may think your hotel room is safe, but it may not be, says a security researcher who was left without his laptop.

Hotel room door: an easy challenge for hackers

Hotel rooms are strange places. If we think about it, we check in, usually for a short time, and leave behind luggage and belongings that can be very valuable, usually without the security precautions we take in our own homes.

Are you safe in the hotel room?

We tend to assume so, and experience tells us that nothing has ever gone missing, that no one outside the hotel staff can enter our stronghold, the place where we leave expensive equipment, money and private belongings. For one F-Secure security researcher, that bubble burst when his laptop was stolen from his hotel room while he was attending an infosec conference in Berlin. The door showed no sign of forced entry, and the hotel staff dismissed the complaint, pointing to other scenarios: that he had lost the laptop or was lying. The incident sparked the interest of two of the researcher's colleagues, Timo Hirvonen and Tomi Tuominen, and the pair of ethical hackers turned their attention to the digital locking systems used by hotels.

RFID door locks

Most hotels (especially mid-range hotels) use some sort of electronic locking system. Instead of handing out physical keys, which are expensive to replace if lost, reception desks give guests disposable key cards that are easy to program and inexpensive. These are increasingly based on RFID rather than traditional magnetic cards, which often have to be remagnetized several times during a stay. The F-Secure researchers turned their attention to a popular hospitality locking system built by the world's largest manufacturer of such products: Assa Abloy. The company is well regarded in the security field; one post describes Assa Abloy as a "high calibre brand" and notes that its locks are known for quality and safety. That did not stop the researchers from finding a vulnerability in the underlying software (called Vision, developed by a third-party company called VingCard) that would give an attacker access to all rooms of a specific property.

The most surprising thing about this discovery is how trivially it can be exploited. First, the "attacker" just needs to get hold of a key card from the targeted property. It does not even have to be for the room they are interested in entering. Using specialized hardware, which costs "a few hundred dollars" and can easily be bought online, and some custom software, the attacker can analyze this key card and computationally determine the master key. An attacker could then use the device to gain unimpeded access to any room on the property. Alternatively, they can write the master key to a blank key card and pass it on to an accomplice. According to F-Secure, this attack works both on magnetic stripe cards and on more sophisticated RFID hotel key cards. Tomi Tuominen, practice leader at F-Secure Cyber Security Services, said in a statement: "You can imagine what a malicious person could do with the power of entering any hotel room, with a master key set up basically outside".

A key that could open all the rooms

Following the best practices of responsible disclosure, the security company informed Assa Abloy of the issue and quietly worked with the Swedish company to solve the problem. A fix was issued to affected hotels: software was made available that hotels could run to upgrade the locks on their room doors. A video demonstrates how it was all possible.

The key question is whether this is something we should fear happening frequently. The answer is always the same: if it is worth the effort, if the target is identified as "valuable", then this type of theft may become more frequent. Holiday periods and certain groups of guests can be a strong incentive.