Millions of electronic door locks fitted to hotel rooms worldwide have been found to be vulnerable to a hack.
Researchers say flaws they found in the equipment’s software meant they could create “master keys” that opened the rooms without leaving an activity log.
The F-Secure team said it had worked with the locks’ maker over the past year to create a fix. But the Swedish manufacturer is playing down the risk to those hotels that have yet to install an update.
“Vision Software is a 20-year-old product, which has been compromised after 12 years and thousands of hours of intensive work by two employees at F-Secure,” said a spokeswoman for the company, Assa Abloy. “These old locks represent only a small fraction [of those in use] and are being rapidly replaced with new technology.”
She added that hotels had begun deploying the fix two months ago. “Digital devices and software of all kinds are vulnerable to hacking. However, it would take a big team of skilled specialists years to try to repeat this.”
Assa Abloy’s locks are used by some of the world’s biggest hotel chains – including Intercontinental, Hyatt, Radisson and Sheraton – although it has not disclosed which properties still use a compromised version of the Vision by VingCard system.
The F-Secure researchers said they began their inquiry after a colleague’s laptop was stolen from a hotel room without the thief leaving behind any sign of unauthorised access.
“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” explained Timo Hirvonen, describing the Ghost In The Locks exploit. “Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings [and] come up with a method for creating master keys.”
He added that data scanned from any discarded VingCard could be used to mount the attack, even if the card’s access privileges had long expired or had been used to open a garage or other parts of the targeted hotel rather than a bedroom.
The hack can also be applied to access other areas of a hotel – including sending a lift to a VIP floor of a property – if it is protected by the same system.
F-Secure has confirmed it will not be sharing the hardware and software tools it used to demonstrate its attack with others.