How hard is it to hack into the digital locks of hotels? Surprisingly simple, if you can create a key that opens any door. Finnish cybersecurity firm F-Secure has revealed it found a flaw in the digital lock system that may be used in millions of hotel rooms worldwide. It managed to spoof hotel master keys that would be able to unlock any door.

After “several thousand hours of work”, F-Secure researchers created a master key that could be used to gain entry to any room in hotels using VingCard digital lock technology. The firm says the master key – which specifically worked on the Assa Abloy Vision system – could be generated from any ordinary electronic keycard, even ones long expired or discarded.


“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” said Timo Hirvonen, senior security consultant at F-Secure, in a statement. It was. His colleague, Tomi Tuominen, practice leader at F-Secure, says: “You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air.”

How was the vulnerability exploited? In theory, it’s easy. First, an attacker would need to get hold of an electronic key – RFID or magstripe – either from a hotel or even one that operates a storage closet or garage. They would then need to buy a portable programmer online for a few hundred pounds to overwrite it, thus creating a master key within minutes. However, F-Secure says it is its custom software that made this particular hack possible, and it won’t (for obvious reasons) be releasing it.

After hacking Assa Abloy’s Vision digital lock system, F-Secure contacted the company about a year ago and then worked together to develop software fixes that became available in February. Christophe Sut, executive vice president and head of hospitality at Assa Abloy, says that Vision is a specific system that is fairly old – in fact, it was developed 20 years ago, which means the hack doesn’t apply to its more up-to-date versions. He says: “It is not the system we promote any more or build our technology on [but] the challenge we have is we don’t know necessarily if those systems are still up and running.” The point is, not all hotels will have upgraded their technology sufficiently, so some could remain vulnerable.

There is no evidence that the exploit has been used in the real world, but hacks against hotels are not surprising. Although there are no details available on which hotels currently have Assa Abloy’s Vision security system installed, it is likely that any attacks against hotels would be targeted rather than indiscriminate.


What is particularly disconcerting is that robbery of this kind would not be easy to trace as there would be no sign of breaking and entering. Tuominen says: “Once we have the master key, we can write it to an ordinary hotel key. It’s much less suspicious to access a room using a key than connecting a device with wires to a lock. Furthermore, the master key we create is a totally normal, legitimate way of opening any door. It’s impossible to tell whether it was us or a legitimate owner.”

Before you start panicking, it’s worth noting that F-Secure’s hack would be very difficult to replicate and cyber criminals would probably prefer to put their minds to easier ways of stealing. “This was not something that was straightforward to do,” Sut says. “I would say this was an extreme technical achievement.” Assa Abloy says it has never been hacked in this way before – and if it had, it would know about it. “When the hotels have a problem with their security they normally come to us,” he says.

That said, there have been incidents of hacking other hotel digital locks. Last year, a story came to light about an ingenious heist involving the hijacking of Onity hotel room door locks – the serial hacker-burglar made off with half a million dollars’ worth of goods until he was caught. There was also a case at the beginning of 2017 in which the Romantik Seehotel Jägerwirt in Austria claimed cyber criminals had used ransomware to lock its keycard-creating systems.


While cybercrime is relatively new against hotels, it’s unlikely digital keys will be dropped any time soon. “Digital locks are in general safer than hard keys and the better alternative,” says Stefan Vito Hiller, a security expert at hotel consultants Sky Touch Global. “Electronic locks have the benefit that movements are logged.”

However, improvements can still be made. While biometric locks – whereby guests use facial recognition or fingerprints to access their room – are unlikely to catch on soon (people would be too nervous about their personal data being abused), cloud-based security systems that could be monitored and updated in real-time are probably the next step.

In the meantime, using your smartphone to unlock doors, which is now available at a number of Hilton and Marriott properties, for example, is a step up from disposable plastic cards. Sut says they offer a very high level of security. “This is the latest technology so the level of encryption is top notch,” he says.