F-Secure hacking device

Two security researchers from F-Secure have created a device that can read any valid or expired hotel key card and generate a master key that can open any room door or grant attackers access to secure hotel areas.

The device exploits a design vulnerability in the Vision line of key cards produced by VingCard, owned by Assa Abloy. This particular system is one of the most widely deployed key card systems. VingCard claims it's been installed at over 40,000 hotels, motels, and other hospitality businesses.

Device exploits software flaw in a popular key card system

The device created by the two researchers, Tomi Tuominen and Timo Hirvonen, works by reading a key card's RFID signal, and then generating other key card codes by exploiting the software flaw they found in the Vision system.

A software routine runs on the device until the device generates a master key code that can open all the doors deployed at a hotel. This usually takes from a few seconds to a few minutes.

Tuominen and Hirvonen say that they don't necessarily need to scan an active key card, even if that would be easy, as an attacker would only need to check into a hotel for one night. Even expired key cards are enough, the two said today.

The researchers have been working on this topic since 2003 when a thief stole a fellow researcher's laptop from a Berlin hotel room.

The door didn't show any signs of forced entry, and the hotel's key card software logs didn't contain any other evidence. This piqued researchers' interest in the topic, who continued to test key card systems for similar weaknesses.

Patch for vulnerable key card systems is available

But travelers don't need to worry about their work. The two don't plan to release any details or device blueprints, for obvious reasons, as this could be abused for thefts in the real world.

Tuominen and Hirvonen also worked with Assa Abloy since April 2017 to designa nd release patches for the Vision system.

"Because of Assa Abloy’s diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place," Tuominen says. "We urge any establishment using this software to apply the update as soon as possible."

Related Articles:

Tumblr Fixes Security Bug that Leaked Private Account Info

Facebook States 30 Million People Affected by Last Month's "View As" Bug

Facebook Vulnerability Affecting 50 Million Users Allowed Account Takeover

WhatsApp Fixes Vulnerability That’s Triggered by Answering a Call.

Microsoft October 2018 Patch Tuesday Fixes 12 Critical Vulnerabilities