google-site-verification: google30a059f9a075f398.html

A faked master key gives hackers access to millions of hotel rooms

CyberWisdom Safe Harbor Commentary:

A recent story from wired.co.uk says after “thousands of hours of work,” F-Secure researchers created a master key that can be used to access any room in the hotel using VingCard digital lock technology. The company stated that the master key dedicated to the Assa Abloy Vision system can be generated using any common electronic key card, even if it is expired or discarded for a long period of time.

“We wanted to know if it was possible to bypass the electronic lock without leaving any traces,” said Timo Hirvonen, senior security consultant at F-Secure, in a statement. it is. His colleague, Tomi Tuominen, F-Secure’s practice leader, said: “You can imagine what a malicious person can do with the ability to enter any hotel room and basically create a master key out of thin air.”

How is the vulnerability exploited? In theory, this is easy. First, the attacker needs an electronic key – RFID or magnetic strip – from the hotel or even the storeroom or garage. Then they need to buy portable programmers online for hundreds of pounds to cover it, creating a master key in minutes. However, F-Secure said that its custom software makes this special hack possible, and it will not be released (for obvious reasons).

 

After attacking Assa Abloy’s Vision Digital Locking System, F-Secure contacted the company about a year ago and worked together to develop software fixes available in February. Christophe Sut, Assa Abloy’s executive vice president and hotel director, said that Vision is a fairly old system – in fact, it was developed 20 years ago, which means that hackers are not amenable to its more recent versions. He said: “This is not a system we promote, or we build our technology, but the challenge we face is that we don’t know if these systems are still running.” The problem is, not all hotels will have fully upgraded their technology. , so it may still be vulnerable.

There is no evidence that this vulnerability has been used in the real world, but it is not surprising that hacker attacks on hotels. Although there is currently no detailed information on which hotel has installed Assa Abloy’s Vision security system, any attacks against the hotel may become targeted rather than indiscriminate.

Particularly disturbing is that such robbery is not easy to trace because there are no signs of breaking into the door. Tuominen said: “Once we have the master key, we can write it into a normal hotel key. The use of keys to access the room is much less suspicious than using a wire to connect the device to the lock.” The master key created is a perfectly normal legal way to open any door. We cannot say whether it is us or the legal owner. ”

Before you start panicking, it’s worth noting that F-Secure’s hacking attacks are difficult to duplicate, and cybercriminals may be more willing to turn their ideas into simpler thefts. “This is not a straightforward approach,” Sut said. “I would say this is an extreme technical achievement.” Assa Abloy said that it had never been hacked before – if it did, it would know it. “When hotels encounter security issues, they usually come to us,” he said.

In other words, there have been incidents where hackers attack other hotels’ digital locks. Last year, a clever robbery involving the hijacking of Onity’s room door lock revealed a story – the series of hackers thief took away merchandise with a value of $ 500,000 before being arrested. In early 2017, there was a case in which Romantik Seehotel Jägerwirt of Austria claimed that cybercriminals used ransomware to lock in the creation of a keycard system.

Although cybercrime is relatively new to hotels, digital keys will soon be lost. “Digital locks are generally safer and harder than hard keys,” says Stefan Vito Hiller, a security expert at Sky Touch Global, a hotel consulting company. “Electronic locks have the benefit of recording actions.” “

However, improvements can still be made. Although biometric locks – where guests use facial recognition or fingerprints to enter their rooms – are not likely to be discovered soon (people are overly stressed about their personal data being abused), cloud-based security systems can be monitored and updated in real time , time may be the next step.

At the same time, using your smart phone to unlock doors, for example, is now available at several Hilton and Marriott hotels, which is an upgrade to a one-time plastic card. Sut said they provide a very high level of security.

In a matter of minutes a hacker with the right knowledge could spoof their way into almost any hotel room in the world By Jenny Southan After “several thousand hours of work”, F-Secure researchers created a master key that could be used to gain entry to any room in hotels using VingCard digital lock technology. The firm says the master key – which specifically worked on the Assa Abloy Vision system – could be generated from any ordinary electric keycard, even ones long expired or discarded. “We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” said Timo Hirvonen, senior security consultant at F-Secure, in a statement. It was. His colleague, Tomi Tuominen, practice leader at F-Secure, says: “You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air.” By Victoria Turk After hacking Assa Abloy’s Vision digital lock system, F-Secure contacted the company about a year ago and then worked together to develop software fixes that became available in February. Christophe Sut, executive vice president and head of hospitality at Assa Abloy, says that Vision is a specific system that is fairly old – in fact, it was developed 20 years ago, which means the hack doesn’t apply to it’s more up-to-date versions. Engaging post, Read More…

thumbnail courtesy of wired.co.uk

If you like to receive more of these curated safe harbor news alerts then subscribe to my mailing list. and come back soon at https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries. Home » Curated SafeHarboronCyber’s CyberWisdom Post » A faked master key gives hackers access to millions of hotel rooms