Two hackers have found how to break into hotel-room locks

By A.W. | WASHINGTON, DC

WHEN a hacker gets hacked, hackers hack back. That is exactly what an attendee at a hacking conference in Berlin in 2003 did when the keycard-operated lock of his hotel room got hacked. On returning to his hotel room, he found that his laptop had been stolen, but there was no evidence of forced entry. So how did the thief get into the room? Two of his colleagues spent more than a decade trying to answer that question. Now they have succeeded—and in the process they have exposed a security vulnerability that leaves millions of hotel rooms susceptible to theft.

Tomi Tuominen and Timo Hirvonen of F-Secure, a cyber-security firm, devised a hack that they say allows them to create a master key that mimics the guest keycards produced by VingSecure, a manufacturer of hotel locks. According to F-Secure, the affected software is used in more than 40,000 hotel properties across 166 countries. The BBC reports that big hotel chains such as Sheraton, Hyatt and Radison use locks made by VingSecure’s parent company, Sweden’s Assa Abloy (although the company has not formally stated which hotels use the vulnerable version of the software).

Messrs Tuominen and Hirvonen have not revealed exactly how their hack works, for fear of inspiring more hackers and thefts like the one that hit their colleague. But the basic concept goes something like this. Many keycards use electromagnetic fields known as radio-frequency identification (RFID). By holding an RFID reader near a keycard, a hacker can capture the card’s response and then use it later to create a new card with the same properties. Staff keys, such as those carried by cleaners, are particularly valuable targets, since they can access all guest rooms. Messrs Tuominen and Hirvonen say their hack, which uses software they created, allows them to turn any VingSecure keycard—including discarded and disabled ones—into a master key.

The pair of hackers told Gizmodo, a technology-news website, that it is not just keycards that are vulnerable to thieves. Guests’ personal data are also at risk. The hackers gained access to VingSecure’s server by unplugging a cable from a computer at a hotel’s reception desk, allowing them to see guests’ room assignments. F-Secure told the site, “a malicious actor could download guest data or create, delete, and modify guest entries.”

Since identifying the vulnerability, F-Secure has been working with Assa Abloy over the past year to develop a fix that will make its key systems harder to hack. Assa Abloy, for its part, sought to downplay the severity of the risk. A company spokeswoman emphasised to the BBC that the hack succeeded only after “12 years and thousands of hours of intensive work by two employees at F-Secure”, and that “these old locks represent only a small fraction [of the those in use] and are being rapidly replaced with new technology.” Still, for travellers, the saga is a reminder that many hotel rooms are not as safe as they may seem. And that if something goes missing, it is not always fair to blame the cleaners.