Master keys expose a security flaw in hotels' locking systems

by Lucia Danes

The Vision locking system was wrongly deemed to be secure

Master keys created for locking systems in hotels

When you stay in a hotel and leave important items such as passports, money, credit cards and keys in the room, you probably do not suspect that the room's lock might be unsafe. However, if the hotel is using the Vision locking system by VingCard (Assa Abloy), thieves can use a master key to get into your room without being noticed.

Initially, the Vision locking system was thought to be well designed and remarkably safe to use, as the chips inside it provide a deep layer of security. However, F-Secure's Practice Leader Tomi Tuominen and Senior Security Consultant Timo Hirvonen managed to create a master key for any lock made by VingCard.

It took the researchers thousands of hours to figure out how to crack the code, but after they did this,[1] they said that the master key can be created “basically out of thin air.”

Research started because of a mere incident

According to Tuominen and Hirvonen, it took them years of research to come up with the final hacking tool.

They started their work back in 2003, when their colleague's laptop was stolen from a hotel room with no sign of forced entry. The researchers decided to pick a manufacturer of a popular locking system and put effort into creating a master key.

They noted that, while the research seems to have taken them quite long, it was not continual and was only a side project for them.

The way the hack was performed

To create the master key, F-Secure's specialists first obtained a key card from the targeted hotel. It does not matter whether the card is expired or old; as long as it is still intact and the microchip is not broken, it will work.

Next, they needed to obtain the electronic key.[2] This is quite an easy task: the attacker only needs to stand close to a hotel employee or a customer. Alternatively, the potential hacker can book a room at the hotel. The electronic key (RFID[3] or magstripe[4]) can then be read remotely.

The last step is obtaining a portable device that is capable of overwriting the key, thus creating the master key in a few minutes.

Then, an RFID reader/writer can be held close to the lock, where it tries out different keys within a minute and unlocks the room as a result.

Bad actors can undertake similar research, resulting in devastating consequences

Assa Abloy was informed about these findings in April 2017. The firm reacted immediately and released a fix for the flaw a few months later. However, the software was updated only on the server; the firmware of in-service lock systems should be updated manually.

Tomi Tuominen raised concerns,[5] saying:

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air.”

However, the researchers also shared some good news: they are not aware of any hackers currently performing such attacks. They also urged visitors to take precautions when using a hotel room, i.e. using the door chain when going to sleep or avoiding leaving valuables in the room when they are out.

As it stands now, it is highly unlikely that such hacks will occur anytime soon, as the researchers did not share any of the tools used or information about the process. Nevertheless, that does not mean such an outcome is impossible.

About the author

Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has long experience working in the malware and technology fields.

References