Hackers have been able to sneak in and out of hotel rooms for years, using “off-the-shelf” hardware items to convert ordinary room cards into master keys, a report says.
Researchers from the Finnish cybersecurity firm F-Secure stumbled upon the frightening flaw about a year ago and have been working with Assa Abloy, the world’s largest lock manufacturer, to help fix it.
They’ve already managed to create a software update that would effectively resolve the issue, but it will be several weeks before it’s fully up and running.
The radio-frequency ID key card system in question, Vision by Vingcard, is currently being used by 40,000 major hotels worldwide, according to the company.
F-Secure estimates that “millions” of rooms have been exposed to the long-existing vulnerability.
Described as a technical design problem, the hotel lock defect was first discovered by security consultants Tomi Tuominen, 45, and Timo Hirvonen, 32, following years of research.
The pair had become obsessed with the idea of hackers using easy-to-find plastic key cards to create master keys after catching wind of a story in 2003 about a laptop disappearing from a computer security expert’s room one night. There had been no traces of a break-in — and no signs of any tampering with the electric lock system.
“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” explained Hirvonen. “Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”
Tuominen and Hirvonen spent over a decade trying to complete the hack themselves, and finally succeeded last year. They’ve been able to carry out the “attack” several times over, using “off-the-shelf hardware” to create a small conversion device.
“The researchers’ attack involves using any ordinary electronic key to the target facility — even one that’s long expired, discarded, or used to access spaces such as a garage or closet,” F-Secure said in a statement.
“Using information on the key, the researchers are able to create a master key with privileges to open any room in the building,” the company added. “The attack can be performed without being noticed.”
While the hack has been successful on Vingcard’s older-generation Vision locks, the company says their newer Visionline products are protected. Still, that leaves an estimated 140,000 hotels in more than 160 countries potentially exposed.
“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” Tuominen said.
“I wouldn’t be surprised if other electronic lock systems have similar vulnerabilities,” Hirvonen added. “You cannot really know how secure the system is unless someone has really tried to break it.”
With Post Wires