A pair of security researchers who work for Finnish privacy and cybersecurity firm F-secure have attempted to unlock a mystery, for the past fifteen years. They’ve now opened that door.
It began with a stolen laptop belonging to a friend of Finnish security researcher Tomi Tuominen, who was attending a security conference in Berlin. The theft occurred at the hotel room and it was a mystery. The upscale hotel had no signs of a forced entry and no one knew how it went missing.
The researcher was convinced that someone had gained access by exploiting a vulnerability in the electronic lock. Together with his co-worker Timo Hirvonen, the two set out to solve the mystery before finally striking gold.
The two researchers spent around $300 building an electronic codebreaker capable of figuring a hotel’s overall ‘master-code’ in 20 or fewer guesses by analyzing the data of a previously used keycard. In under a minute, the attack fundamentally exploits a major manufacturer’s locks – used all over the world – that opens the door seamlessly.
The entire process can be seen here:
The researcher told Wired that the locks are, on estimate, used in the doors of roughly 140,000 hotels in 160 countries around the world. In essence, there are millions of hotel rooms that the ‘master key’ would be able to exploit.
Specifically, the locks are developed by Vingcard and are not the latest generation of product by the lock manufacturer. Still, researchers added that Assa Abloy, Vingcard’s parent company, admitted that the problem could be prevalent in anywhere between 500,00 and a million locks.
A representative from the parent company urged hotel operators and owners to install an upgrade to the locks, stating:
This is the new normal. If you have software you need to upgrade it all the time. We upgrade our phones and computers. We need to upgrade locks as well.”
Image credit: Pixabay.