Electronic locks used by some of the world’s biggest hotel chains are vulnerable to hackers.
Research by cyber security firm F-Secure has prompted the world’s largest lock manufacturer, Assa Abloy, to issue urgent software updates. It’s still not known whether all hotel chains affected have been able to install the secure version.
The design flaw was discovered in a system called Vision by VingCard, used to access millions of hotel rooms worldwide. Using an ordinary electronic hotel key, a hacker could create a ‘master key’, which would allow them access to hotel rooms of chains including Intercontinental, Hyatt, Radisson and Sheraton. It’s not been disclosed which properties at the chains involved are still using the hackable version of VingCard.
‘You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,’ said Tomi Tuominen of F-Secure Cyber Security Services.
Hotel room key updates
The researchers began investigating hotel security when an F-Secure employee had a laptop stolen from his hotel room during a security conference. There was no sign of forced entry and no evidence of unauthorised access.
‘We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,’ said Timo Hirvonen, F-Secure’s senior security consultant.
Since discovering the flaw, F-Secure has been working with Assa Abloy to create the update. There is no evidence that this hack has been used in the real world but, while hotels installing the updated software should be safe, older systems could still be vulnerable. Some hotel chains are planning to allow guests to open doors with an app on their mobile phone, and Hilton has already introduced this in the US and Canada.
Should you be concerned?
All hotels have their own master key, allowing cleaners and other staff to enter any room. However, these keys automatically leave a log recording the entry. F-Secure’s hack allowed them to create a key which would leave no record of unauthorised access.
Assa Abloy has played down the risk to its locks, arguing in a statement to the BBC that it took F-Secure many years and ‘thousands of hours of intensive work’ to find the security flaw. ‘Digital devices and software of all kinds are vulnerable to hacking,’ it said. ‘However, it would take a big team of skilled specialists years to try to repeat this.’