A faked hotel master key could open the door of every room | WIRED UK

http://www.wired.co.uk/article/hotel-hack-digital-lock-door-system-fsecure-assa-abloy
Finnish cybersecurity firm F-Secure has revealed it found a flaw in the 20 years old digital lock system that may be used in millions of hotels worldwide.
VingCard digital lock technology master key – which specifically worked on the Assa Abloy’s Vision lock – could be generated from any ordinary electric keycard, even ones long expired or discarded. When this card is used there would be no sign of breaking and entering.

F-Secure contacted the lock company about a year ago and software fixes became available in February.

3 Comments

  1. Tomi Engdahl says:

    Hotel Rooms Around the World Susceptible to Silent Breach
    https://www.securityweek.com/hotel-rooms-around-world-susceptible-silent-breach

    In 2003, researchers from F-Secure were attending a security conference in Berlin — specifically, the ph-neutral hacker conference — when a laptop was stolen from a locked hotel room. They reported the theft to the hotel staff, but felt they weren’t taken too seriously because, dressed in typical hacker gear, “We kinda looked like a bunch of hippies.”

    More to the point, however, there was no sign of the door being forced, nor any indication from the electronic locking system’s logs that anyone had entered the room in their absence.

    The locking system was Assa Abloy’s Vision by VingCard — a state-of-the-art system from one of the world’s most trusted and widely-used facilities security firms. In short, the laptop was stolen by a ghost that could pass through locked doors and leave no trace.

    Vision by VingCard is deployed in 166 different countries, 40,000 facilities, and millions of doors.

    F-Secure researchers told SecurityWeek, “Our guy was working on some really interesting and specific stuff; and, yes, it would absolutely have been of interest to any 3, 4 or 5 letter agency in many different nation-states.” Without naming their victim researcher, they added, “This was not some Joe-average researcher, and we have always been 100% sure that the laptop was stolen.”

    With this background it is not surprising that the researchers started to investigate the locking system.

    It took thousands of hours work over the last 15 years examining the system and looking for the tiniest errors of logic.

    “We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” said Timo Hirvonen, senior security consultant at F-Secure. “Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”

    In summary, with any existing, old or expired keycard to any room on the system, it is possible to generate a master key that can be used to gain entry to any of the hotel rooms without leaving a trace on the system. An attacker could book a room and then use that keycard as the source; or could even read the data remotely by standing close to someone who has a card in a pocket — in a hotel elevator, for example.

    “You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,”

    The first requirement is to obtain any keycard, current or expired, to any door in the target facility. A custom-tailored device (actually a Proxmark RFID token reader/writer) is then held close to the target lock. The device tries different keys, and in an average of less than one minute, locates the master key and unlocks the door. “The final step is that you either use the device as the master key, or you write the master key back to your keycard. This only has to be done once. You have found the master key and you can access any room in the hotel.”

    The basic Proxmark can be bought online for around 300 euros

    The capacity of the card is 64 bytes; and of those some 48 bytes are usable. It includes multiple different data fields on the card. “Once we identified the eleven different data fields,” continued Hirvonen, “we realized that what remained could feasibly be attacked.”

    F-Secure reported its findings to Assa Abloy in April 2017, and for the last year the two firms have worked on a solution.

    “Because of Assa Abloy’s diligence and willingness to address the problems identified by our research,” says Tuominen in an associated blog published today, “the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible.”

    Researchers Find Way to Create Master Keys to Hotels
    https://safeandsavvy.f-secure.com/2018/04/25/researchers-find-way-to-generate-master-keys-to-hotels/

    Reply
  2. Tomi Engdahl says:

    https://www.tivi.fi/Kaikki_uutiset/hotellihuoneiden-lukoista-paljastui-jattiaukko-loytyiko-selitys-myos-v-2010-tapahtuneeseen-salamurhaan-6724677

    The lock in the hotel room revealed a giant hole – was there an explanation for the assassination in 2010?

    Two F-Secure Finnish researchers have found a significant security gap around the room keys used in hotels around the world. Every one of the universal keys operated in the lock was reported in April .

    Researchers Tomi Tuominen and Timo Hirvonen , after the release of the research, held a so-called ” Ask Me Anything ” in the Reddit service . It is attracting a lot of interest in information security and hacking.

    Scientists learned about the hacking of hotel lock systems for years. Spark was lit up 10 years ago when a colleague’s notebook computer was apparently stolen from the hotel room. However, the hotel staff dismissed the theft complaint, as there were no signs of breaking into the room.

    The Reddit questionnaire was also attended by F-Secure’s research director, Mikko Hyppönen , security supervisor . He highlighted the assassination in Mahmoud Al-Mabhou of a Palestinian Hamas organization in Dubai in 2010.
    According to F-Secure researchers, that same hotel used the same VingCard Vision locks they are looking at.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*