Key Hack Discovered – Millions of Hotels at Risk

F-Secure, a cybersecurity company, announced this week that hotel rooms that feature Assa Abloy electronic locks (the world’s largest lock manufacturer) could have been easily exploited by attackers.

Unfortunately, hotels such as Sheraton, Hyatt and Radisson are on the list of accommodation spaces that feature these locks, making them vulnerable to unpleasant situations.

A decade ago, a member staff at F-Secure was surprised to notice that his laptop had been stolen from his hotel room during a security conference. Even so, there were no signs of forced entry, neither of unauthorized access to the room through their logs.

This is how the research started, as Tomi Tuominen and Timo Hirvonen decided to take the matter into their own hands and investigate the situation on their own.

“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” Timo Hirvonen, Senior Security Consultant at F-Secure, said in a public statement. “Building a secure access control system is very difficult because there are so many things you need to get right.

“Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings,” he added. “We creatively combined these shortcomings to come up with a method for creating master keys.”

The company revealed that the hack includes to following steps:

• Find a key card
• Use a cheap piece of hardware combined with custom-built software to read the card
• Search for the master key code
• Copy the master key information onto a new/existing card.

In just 60 seconds, Tuomin and Hirvonen were able to gain access to any room using the aove method. However, the precise details of the hack will not be disclosed in order to avoid the bad use of it.

“Although not impossible, most likely this is something that a bedroom hacker would have a hard time replicating. It took us a considerable amount of time and effort to come up with this attack,” Hirvonen said

After bypassing the lock system, the company immediately informed Assa Abloy of their discovery and helped them develop the necessary fixes. Even though the company rolled out updates, it is still not clear how many hotels have actually implemented the change.

“We have worked together with Assa Abloy for over a year to address these security issues and the patch has been available since early 2018”, Hirvonen declared

“The patches fix all the vulnerabilities we have identified. However, it is up to the hotels whether they patch their systems in a timely manner. Installing the updates is somewhat labour-intensive since you need first to update the backend software and then go to each and every lock to update the lock firmware.”

Source: telegraph.co.uk