Hackers can use hotel key cards to break into rooms

When an F-Secure researcher participated in an information security conference in Berlin, his laptop was stolen from the hotel room, but there was no sign of forced entry. The incident sparked the interest of two researchers, Timo Hirvonen and Tomi Tuominen, who turned their attention to the hotel’s digital locking system.

Most hotels use some form of electronic lock system. The receptionist can provide guests with a cheap one-time key card instead of a physical key. These key cards are based on RFID technology. Researchers at F-Secure turned their attention to the popular hotel lock system built by Assa Abloy, the world’s largest manufacturer.

F-Secure speaks highly of Assa Abloy. In its blog post, it describes the company as “a high-quality brand” and states that its locks are known for their quality and safety. But that did not stop the researchers from finding vulnerabilities in the underlying software (called Vision, developed by a third-party company, VingCard) that allow an intruder to access every room in a facility that uses this particular system.

In a statement, F-Secure said: “The researchers’ attack involves using any ordinary electronic key to the target facility – even one that’s long expired, discarded, or used to access spaces such as a garage or closet. Using the information on the key, the researchers are able to create a master key with privileges to open any room in the building. The attack can be performed without being noticed. You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air.”

The attacker can then use the device to access any room in the property without hindrance. Or they can write the master key to a blank key card and pass it on to an accomplice. According to F-Secure, this attack applies both to magnetic-stripe cards and to more complex RFID hotel key cards.

After discovering this flaw, F-Secure notified Assa Abloy last year and quietly worked with the Swedish company to solve the problem. Fixes have been created and distributed to affected hotels. F-Secure will not publish complete details of any code or bugs. This is sensible because some hotel room lock systems may not be patched yet, so there are still risks.

Source: digitaltrends