F-Secure Hack Can Unlock Millions of Hotel Rooms With Handheld Device

It’s very rare these days that a hotel will give you a real key when you check in. Instead, most chain hotels and mid-sized establishments have switched over to electronic locks with a keycard system. As researchers from F-Secure have discovered, these electronic locks may not be very secure. Researchers from the company have managed to create a “master key” for a popular brand of hotel locks that can unlock any door.

The team began this investigation more than a decade ago, when an F-Secure employee had a laptop stolen from a hotel room. Some of the staff began to wonder how easy it would be to hack the keycard locks, so they set out to do it themselves. The researchers are quick to point out this has not been a focus of F-Secure for 10 years — it took several thousand total man-hours, mostly in the last couple years.

F-Secure settled on cracking the Vision by VingCard system built by Swedish lock manufacturer Assa Abloy. These locks are used in more than 42,000 properties in 166 countries. The project was a huge success, too. F-Secure reports they can create a master key in about a minute that unlocks any door in a hotel. That’s millions of potentially vulnerable hotel rooms around the world.

The hack involves a small handheld computer and an RFID reader (it also works with older magnetic stripe cards). All the researchers need to pull off the hack is a keycard from a hotel. It doesn’t even have to be an active one. Even old and invalid cards have the necessary data to reconstruct the keys that unlock doors. The custom software then generates a key with full privileges that can bypass all the locks in a building. Many hotels use these keys not only for guest rooms, but also elevators and employee-only areas of the hotel.

“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” said @TimoHirvonen https://t.co/rsFhcf5SUr

— F-Secure (@FSecure) April 25, 2018

F-Secure disclosed the hack to Assa Abloy last year, and the lock maker developed a software patch to fix the issue. It’s available for customers to download now, but there’s one significant problem. The firmware on each lock needs an update, and there’s no guarantee every hotel with this system will have the resources to do that. Many of them might not even know the vulnerability exists. This hack could work for a long time to come, but F-Secure isn’t making the attack tools generally available. Anyone who wants to compromise these locks will have to start from scratch.
