Hackers create hotel master keys that can access millions of rooms

Security researchers say it takes an average of 60 seconds to gain access to any hotel room using the hacking technique

Anthony Cuthbertson
Wednesday 25 April 2018 18:10
The technique works on key cards made by Assa Abloy, which counts some of the world's largest hotel chains among its customers.

Millions of hotel rooms are vulnerable to hackers after researchers found a technique to create master keys that can open rooms.

Researchers from the cybersecurity firm F-Secure discovered the flaw with key cards used by some of the world’s biggest hotel chains, including Intercontinental, Radisson and Sheraton Hotels and Resorts.

Tomi Tuominen and Timo Hirvonen from F-Secure began investigating the vulnerability 15 years ago after a laptop belonging to one of their colleagues mysteriously went missing from a hotel room.

The flaws they discovered with key cards made by the world’s largest lock manufacturer, Assa Abloy, allowed them to create a master key using any key card from a hotel, even one that was long-since expired.

“The hack consists of three steps,” Mr Tuominen explains to The Independent. “Firstly, get access to a key card, it doesn’t matter which. Secondly, use a relatively-cheap piece of hardware, combined with our custom software, to read the card and search for the master key code.

“Thirdly, write the master key onto the key card, or any other key card, to gain access to any room in the facility.”

F-Secure researcher Timo Hirvonen shows a device that is able to create a master key out of a single hotel key card in Helsinki, Finland April 19, 2018.

Mr Tuominen and Mr Hirvonen say that it takes an average of 60 seconds to gain access to a room using this technique.

The researchers, who are set to present their findings at the Infiltrate conference later this week, informed Assa Abloy of the vulnerability and offered a patch to fix it. It is expected to take a long time to roll out the fix across all hotels affected.

“We appreciate F-Secure’s ethical approach in bringing these issues to our attention,” a spokesperson for Assa Abloy said.

“We strive for the utmost security and quality in our products, so we are glad to have the opportunity to ensure our products pass the most rigorous evaluations. With these updates, we have elevated hospitality security to the next level.”
