In 2003, Finnish security researcher Tomi Tuominen was attending a security conference in Berlin when a friend's laptop, containing sensitive data, was stolen from his hotel room. The theft was a mystery: The staff of the upscale Alexanderplatz Radisson had no clues to offer, the door showed no signs of forced entry, and the electronic log of the door's keycard lock—a common RFID card reader sold by Vingcard—had recorded no entries other than the hotel staff.

The disappearing laptop was never explained. But Tuominen and his colleague at F-Secure, Timo Hirvonen, couldn't let go of the possibility that Vingcard's locks contained a vulnerability that would let someone slip past a hotel room's electronically secured bolt. And they'd spend roughly the next decade and a half proving it.

Master Key

At the Infiltrate conference in Miami later this week, Tuominen and Hirvonen plan to present a technique they've found to not simply clone the keycard RFID codes used by Vingcard's Vision locks, but to create a master key that can open any room in a hotel.

With a $300 Proxmark RFID card reading and writing tool, any expired keycard pulled from the trash of a target hotel, and a set of cryptographic tricks developed over close to 15 years of on-and-off analysis of the codes Vingcard electronically writes to its keycards, they found a method to vastly narrow down a hotel's possible master key code. They can use that handheld Proxmark device to cycle through all the remaining possible codes on any lock at the hotel, identify the correct one in about 20 tries, and then write that master code to a card that gives the hacker free reign to roam any room in the building. The whole process takes about a minute.

F-Secure

"Basically it blinks red a few times, and then it blinks green," says Tuominen. "Then we have a master key for the whole facility."

'There's a good chance that not all the hotels have fixed this.' Tomi Tuominen, F-Secure

The two researchers say that their attack works only on Vingcard's previous-generation Vision locks, not the company's newer Visionline product. But they estimate that it nonetheless affects 140,000 hotels in more than 160 countries around the world; the researchers say that Vingcard's Swedish parent company, Assa Abloy, admitted to them that the problem affects millions of locks in total. When WIRED reached out to Assa Abloy, however, the company put the total number of vulnerable locks somewhat lower, between 500,000 and a million. They note, though, that the total number is tough to measure, since they can't closely track how many of the older locks have been replaced. Tuominen and Hirvonen say that they've collected more than a thousand hotel keycards from their friends over the last 10 years, and found that roughly 30 percent were Vingcard Vision locks that would have been vulnerable to their attack.