Hackers have found a way to break into hotel rooms using RFID and magstripe keycards
Thankfully, the ethical hackers are working with the hotels to fix this problem.
When you stay at a hotel, there is a general level of security you expect: mainly, that randoms can’t enter your hotel room where you are keeping your valuables.
One F-Secure researcher felt the same way, that is, until their room was broken into and their laptop was stolen during a conference in Berlin. The hotel looked into the issue but eventually determined that the researcher either lost the laptop somewhere else or was simply lying.
Determined to discover what happened, two other F-Secure researchers set out to find out whether a room using magstripe or RFID keycards could be broken into. It turns out it is pretty easy. The ethical hackers tested this on products made by Assa Abloy, one of the largest manufacturers of locking systems used by hotels.
What they found was a vulnerability within the VingCard software used on these locks. This vulnerability let the team basically replicate a master key, giving them access to any room in the building that used the system. The only thing required was an existing key (of any level), which could easily be obtained by booking a room in the hotel for one night. They also found that expired keys could accomplish the same thing. The team then used a cheap piece of hardware that can be bought online to analyze the key and create a master version.
“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” says Tomi Tuominen, Practice Leader at F-Secure Cyber Security Services, one of the members who researched the issue.
The team took the findings to Assa Abloy and worked with them to issue a fix to affected hotels.
Tuominen tells TheNextWeb,
“Because of Assa Abloy’s diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible.”