F-Secure researchers have discovered a flaw in electronic hotel door locks from Assa Abloy that could allow hackers to access guest rooms and other secure locations at millions of properties worldwide.
Software updates were issued to fix the flaw in the smart locks, called “the Vision by VingCard,” after F-Secure notified and worked with Assa Abloy over the past year.
The researchers had found a way to make a master key using information from a key card for any room, including closets and garages, and even long-expired or discarded keys. This method would have allowed hackers to carry out an attack without being noticed.
Persistence Pays Off
The researchers looked into the issue after a 2003 incident in which a colleague’s laptop was stolen during a security conference. The hotel staff reportedly had not taken the reported theft seriously, saying there were no signs of forced entry or unauthorized room access.
Over the years, the researchers spent thousands of hours, on and off, investigating the incident. They eventually settled on a lock known for its strong security and high quality.
“Only after we thoroughly understood how the system was designed were we able to identify seemingly innocuous shortcomings,” said Timo Hirvonen, senior security consultant for F-Secure. “We creatively combined these shortcomings to come up with a method of creating master keys.”
No actual hotel rooms were compromised during the research, according to the firm.
The vulnerability applies only to Vision by VingCard products, Hirvonen told the E-Commerce Times, adding that F-Secure agreed with Assa Abloy to withhold the mechanism of the vulnerability.
Multiple factors impact the effectiveness of electronic door locks, he pointed out, noting that encryption is used to protect the confidentiality of the data on the key card.
“Encryption raises the bar to start analyzing the system,” Hirvonen said. “However, encryption is not a silver bullet — the encryption key has to be securely generated and stored.”
Hotel Review
Marriott International confirmed that Assa Abloy notified the hotel chain about the vulnerability in a version of the company’s locking system.
“We are currently working with the vendor to understand the impact to our hotels,” said spokesperson Hunter Hardinge.
She added that Assa Abloy had issued the company a software patch and was working to deploy it as quickly as possible.
Andrew Howard, chief technology officer at Kudelski Security, based on reports he has read, said the hack is based on the cryptographic weaknesses of older-generation door locks.
He told the E-Commerce Times that the vulnerability allows the hackers’ tools to cycle through potential door access codes until they find the right one.
Brian Martin, vice president of vulnerability intelligence at Risk Based Security, said this report reminds us of the vulnerability of remote locks, particularly at a time when companies are increasingly selling smart lock devices controlled through mobile apps.
“All of this is a serious warning that these systems need strenuous testing before they are pushed to market,” he told the E-Commerce Times.
Just last year, New York Attorney General Eric Schneiderman reached a settlement with Safetech Products over allegations that its Bluetooth padlocks and wireless door locks were not secure.
Researchers found that the company transmitted password information from the locks to mobile phones without the encryption necessary to hide the data from hackers. The default passwords on the locks were easily figured out using brute force attacks.
In 2016, researchers at the University of Michigan, working with Microsoft, found a vulnerability in Samsung SmartThings IoT systems. The vulnerability allowed them to access PINs on electronic door locks and exploit a SmartApp to create a spare door key. The team notified Samsung and worked with the company to address the flaws.