Hack Lets Burglars Enter Locked Hotel Rooms Without Leaving A Trace

Finnish security experts at F-Secure have successfully hacked a line of electronic door locks used in several major hotel chains, saying the exploit could be used to enter a hotel room without leaving a trace in computer logs.

The attack works on the Vision by VingCard system made by Assa Abloy, whose locks are used by hotel chains including Intercontinental, Hyatt, Radisson and Sheraton.

But the lock maker said F-Secure’s exploit only works on an older version of the Vision lock. It didn’t disclose which hotels used the compromised locks.

F-Secure said its method could allow a hacker to create counterfeit “master keys” that could open hotel room doors as well as other doors on hotel premises. The false key could also be used to send an elevator to restricted VIP areas of a hotel.

Assa Abloy’s locks are used by major hotel chains

No record

The firm began looking for ways to exploit the locks after a colleague’s laptop was stolen from a hotel room without any record being left behind of the burglar’s entry.

“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” said F-Secure senior security consultant Timo Hirvonen of the Ghost In The Locks attack.

Hackers could produce the master key from an electronic RFID or magstripe key that had been used at the hotel to open room doors, or even a storage closet or garage. The hack works even if the key’s privileges have long expired.

A portable programmer is then used to overwrite the key’s data and create the master, F-Secure said. But the hack only works with custom software developed by the security firm. F-Secure said it isn’t planning to make its software public.

Assa Abloy downplayed the implications of F-Secure’s discovery, saying it had taken the security firm’s team of two people 12 years and thousands of hours of intensive work to create the hack. It would take a large team of specialists years to repeat F-Secure’s achievement, the firm said.

The company also noted that the Vision software involved is 20 years old and is being rapidly replaced with new technology.

F-Secure said it contacted Assa Abloy a year ago to collaborate on a fix, which has been available since February.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
