Breaking News
Home / Business / Two hackers have found how to break into hotel-room locks

Two hackers have found how to break into hotel-room locks

WHEN a hacker gets hacked, hackers hack back. That is exactly what an attendee at a hacking conference in Berlin in 2003 did when the keycard-operated lock of his hotel room got hacked. On returning to his hotel room, he found that his laptop had been stolen, but there was no evidence of forced entry. So how did the thief get into the room? Two of his colleagues spent more than a decade trying to answer that question. Now they have succeeded—and in the process they have exposed a security vulnerability that leaves millions of hotel rooms susceptible to theft.

Get our daily newsletter

Upgrade your inbox and get our Daily Dispatch and Editor’s Picks.

Tomi Tuominen and Timo Hirvonen of F-Secure, a cyber-security firm, devised a hack that they say allows them to create a master key that mimics the guest keycards produced by VingSecure, a manufacturer of hotel locks. According to F-Secure, the affected software is used in more than 40,000 hotel properties across 166 countries. The BBC reports that big hotel chains such as Sheraton, Hyatt and Radison use locks made by VingSecure’s parent company, Sweden’s Assa Abloy (although the company has not formally stated which hotels use the vulnerable version of the software).

Messrs Tuominen and Hirvonen have not revealed exactly how their hack works, for fear of inspiring more hackers and thefts like the one that hit their colleague. But the basic concept goes something like this. Many keycards use electromagnetic fields known as radio-frequency identification (RFID). By holding an RFID reader near a keycard, a hacker can capture the card’s response and then use it later to create a new card with the same properties. Staff keys, such as those carried by cleaners, are particularly valuable targets, since they can access all guest rooms. Messrs Tuominen and Hirvonen say their hack, which uses software they created, allows them to turn any VingSecure keycard—including discarded and disabled ones—into a master key.

The pair of hackers told Gizmodo, a technology-news website, that it is not just keycards that are vulnerable to thieves. Guests’ personal data are also at risk. The hackers gained access to VingSecure’s server by unplugging a cable from a computer at a hotel’s reception desk, allowing them to see guests’ room assignments. F-Secure told the site, “a malicious actor could download guest data or create, delete, and modify guest entries.”

Since identifying the vulnerability, F-Secure has been working with Assa Abloy over the past year to develop a fix that will make its key systems harder to hack. Assa Abloy, for its part, sought to downplay the severity of the risk. A company spokeswoman emphasised to the BBC that the hack succeeded only after “12 years and thousands of hours of intensive work by two employees at F-Secure”, and that “these old locks represent only a small fraction [of the those in use] and are being rapidly replaced with new technology.” Still, for travellers, the saga is a reminder that many hotel rooms are not as safe as they may seem. And that if something goes missing, it is not always fair to blame the cleaners.

Check Also

Trade talks expose a chasm between China and America

START with the good news from the trade negotiations between China and America. After weeks of threatening tariffs and counter-tariffs, representatives from the world’s two biggest economies are at last talking. Over two days of meetings in Beijing, which ended on May 4th, Chinese and American officials laid out their grievances and their demands. That, unfortunately, is where the good news ends. The positions that both sides took were so extreme and contradictory that compromise appears a remote prospect. What, until now, has largely been a war of words could easily careen into a full-fledged trade war.

Publicly, the two countries put a positive gloss on the outcome. Xinhua, China’s official news agency, described the talks as candid and constructive. It noted that they had agreed on some issues and recognised their “considerable differences” on others. On the evening the talks closed, President Donald Trump tweeted a sentiment that, by his standards, was sympathetic: “it is...Continue reading

Leave a Reply

Your email address will not be published. Required fields are marked *