Lock maker offers fixes to prevent hackers from using fake master keys to open hotel locks
Lock maker offers fixes to prevent hackers from using fake master keys to open hotel locks

Lock maker Assa Abloy has provided fixes to address design vulnerabilities in the Vision by VingCard software for electronic lock systems used by global hotel chains and other hotels around the world that can be exploited to allow hackers access to any room in a hotel.

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” said Tomi Tuominen, practice leader at F-Secure Cyber Security Services, whose researchers discovered the flaws.

Despite the risk, Tuominen said in a release the company doesn't “know of anyone else performing this particular attack in the wild right now.”

The researchers wanted to see if it was “possible to bypass the electronic lock without leaving a trace,” said the company's senior security consultant, Timo Hirvonen. “Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”

F-Secure took its findings Assa Abloy and worked with the company

"Smart hotels use technology to create more convenience for the busy traveler where amenities can be accessed with a click or touch of a screen, but they can also be a hotbed for hackers and scammers,” said Adam K. Levin, founder of CyberScout and author of "Swiped."  “From room keys that use facial recognition to sensors attuned to guests, to televisions that talk back, touch screen surfaces, smart toilets and temperature controls, these connected devices can have vulnerabilities that can turn your dream vacation into a nightmare.”

Levin noted that “with smart hotels and connected rooms, the hotel is collecting troves of data and hackers and scammers are standing by looking to cash in on a hotel guest's personal and financial data.”

Hotel systems, he said, “are only as safe as their security measures” and “connected devices rely on the internet to function, which increases their attackable surface.”

He urged “savvy travelers” who want a "smart" hotel experience without being a target to use “long and strong passwords that don't repeat across sites, opt to use a VPN or Virtual Privacy Network when using hotel WiFi, enable two factor authentication on all your devices and make sure to never click on strange links, that may look like they are coming from the hotel, but are actually spoofed, leaving your device infected with malware."