When most people rent a hotel room, security is one of the factors they take into consideration. Along with knowing whether the hotel has room service, air conditioning, or free Wi-Fi, we want to know that we – and our belongings – will be safe for the duration of our stay. The more reputable the hotel brand and the better the location, the more secure we feel.

But what if you found out the lock system that secures your $400-a-night hotel room is vulnerable and can be hacked? What if an attacker could not only access your room, but every room in the building?

It sounds scary, but that’s the scenario F-Secure researchers discovered when they investigated a widely deployed hospitality lock system made by the world’s largest lock manufacturer, Assa Abloy. The discovery affects millions of locks in tens of thousands of hotels around the world, including locations run by well-known international chains.

Ghost in the locks, Tomi Tuominen, Timo Hirvonen, INFILTRATE 2018 from Immunity Videos on Vimeo.

The beginning

Years ago, two of our ethical hackers attended an infosec conference in Berlin. The laptop of a fellow researcher was stolen from a locked hotel room while they were out. Intriguingly, there were no signs of forced entry. They reported the theft to hotel staff. But without a single indication of unauthorized room access (nothing physical and nothing in the software logs), the staff dismissed the complaint.

Our researchers’ curiosity was piqued. They decided to investigate whether it’s possible to enter a locked hotel room without the key…and completely without a trace. Finally, after more than a decade and thousands of hours of on-and-off research as a side project, they’ve figured out how to do exactly that.

Their target: a high caliber brand of lock known for quality and security.

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” says Tomi Tuominen, Practice Leader at F-Secure Cyber Security Services. He worked side by side with F-Secure’s Timo Hirvonen, Senior Security Consultant, to devise a way to exploit the software system, known as Vision by VingCard.

The hack

First an attacker needs to get access to an electronic key to the target facility. Literally any key will suffice, be it a room key or a key to a storage closet or garage. What’s more, the key need not be currently active: even an expired key from a stay five years ago will work.

An attacker will read the key and use a small hardware device to derive more keys to the facility. These derived keys can be tested against any lock in the same building. Within minutes the device is able to generate a master key to the facility. The device can then be used instead of a key to bypass any lock in the facility, or alternatively, to overwrite an existing key with the newly created master key.

The needed hardware is available online for a few hundred euros. However, it is the custom software developed by Tomi and Timo that makes the attack possible.

“Building a secure access control system is very difficult because there are so many things you need to get right,” says Timo “Only after we thoroughly understood how the whole system was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”

In addition, during their research Tomi and Timo found that the Vision software could be exploited within the same network to get access to sensitive customer data.

The solution

Tomi and Timo notified Assa Abloy of their findings in April 2017, and since then, have worked with the lockmaker’s R&D team to fix the flaws. Assa Abloy recently issued a software update and made it available to the affected hotels.

“Because of Assa Abloy’s diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place,” says Tomi. “We urge any establishment using this software to apply the update as soon as possible.”

The duo will not be publishing full attack details, nor will they make any attack tools available. To date, they are not aware of any cases of this same attack being carried out in the wild.

Hospitality is a target industry in the infosec battleground. So what precautions should travelers take to protect themselves against these kinds of attacks when renting a room?

“My recommendation is that people should continue doing the things they hopefully are already doing,” says Timo. “That means don’t leave any valuables in your hotel room and use the door chain when you’re in the room or going to bed. If you haven’t been doing these things already, now might be a good time to start.”

Find out more from Tomi and Timo on the Cyber Security Sauna podcast.