The key card given out by hotels to guests to access their rooms may not be as secure as thought.
According to research carried out by F-Secure, it is simple to create a “master key” for a popular type of hotel lock that can unlock any door.
The investigation into the problem began over ten years ago when a colleague's laptop was stolen from a hotel room during a security conference. When the researchers reported the theft, hotel staff dismissed their complaint given that there was not a single sign of forced entry, and no evidence of unauthorised access in the room entry logs.
It is investigating the issue further, researchers discovered critical design flaws in Assa Abloy Hospitality's widely deployed hotel lock software system, Vision by Vingcard.
They found that the security oversights were not obvious holes. According to researchers, It took a thorough understanding of the whole system's design to identify small flaws that, when combined, produced the attack. The research took several thousand hours and was done on an on-and-off basis and involved considerable amounts of trial and error.
To carry out the attack, a hacker needs to get access to an electronic key to the target facility. Literally any key will do, be it a room key or a key to a storage closet or garage. What's more, the key does not need to be currently active - even an expired key from a stay five years ago will work, according to researchers.
“An attacker will read the key and use a small hardware device to derive more keys to the facility. These derived keys can be tested against any lock in the facility. Within minutes, the device is able to generate a master key to the facility. The device can then be used in place of a key to bypass any lock in the facility, or alternatively overwrite an existing key to contain the master key,” said a report on the problem.
The research was carried out by F-Secure researchers, Tomi Tuominen and Timo Hirvonen. They also found that the Vision software could be exploited within the same network to get access to sensitive customer data.
“We wanted to find out if it's possible to bypass the electronic lock without leaving a trace,” said Timo Hirvonen, Senior Security Consultant at F-Secure. “Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”
F-Secure said that Assa Abloy has fixed the flaws in the Vision software and issued software updates. Hotels that have applied the updates to their systems are not vulnerable, Laurie Mercer, solutions engineer at HackerOne, told SC Media UK that devices such as electronic locks and RFID readers are driven by software.
“It is easy to introduce vulnerabilities into software. It is much harder to fix bugs once the devices have been installed. We should accept that software security bugs are inevitable and ensure that methods to discover, remediate and deploy security patches are well defined and well-rehearsed,” he said.
“Organisations should ask themselves how can we find vulnerabilities quickly and economically? How would we develop, test and deploy security fixes securely to remote devices? How can we rehearse this process to minimise the time window between the discovery and patching of a security vulnerability?”