Skip to main content

HACKERS HAVE BUILD A MASTER KEY, THAT UNLOCKS MILLIONS OF DOORS. If you often leave your valuable and expensive stuff like laptop and passports in the hotel rooms, then beware. Your room can be unlocked by not only a malicious staff having access to the master key, but also by an outsider. A critical design vulnerability in a popular and widely used electronic lock system can be exploited to unlock every locked room in a facility, leaving millions of hotel rooms around the world vulnerable to hackers. The vulnerability has been discovered in Vision by VingCard locking system—made by the world's largest lock manufacturer, Assa Abloy, and deployed in more than 42,000 facilities in 166 different countries, which equals to millions of doors. After thousands of hours work, F-Secure researchers Tomi Tuominen and Timo Hirvonen managed to build a master key that could be used to unlock doors and gain entry to any of the hotel rooms using the Vision by VingCard digital lock technology, without leaving a trace on the system. How Hackers Built a 'Master Key'! To create a master key to access a room secured by the Vision system, the first requirement is to get hold of an electronic keycard—any existing, old or expired electronic keycard to any room in the target facility would get the job done. To obtain the electronic key (RFID or magstripe), an attacker could read the data remotely by standing close to a hotel guest or employee having a keycard in his pocket, or simply could book a room and then use that card as the source. The attacker would then need to buy a portable programmer for a few hundred dollars online to overwrite it, and therefore creating a master key within minutes. However, F-Secure says it used its custom software which made this particular hack possible, and for obvious reason, the researchers will not be releasing it. The custom-tailored device (actually an RFID reader/writer) is then held close to the target lock, which tries different keys in less than one minute and locates the master key and unlocks the door. Now, you can either use this custom-tailored device as the master key to open any door in the facility or write the master key back to your keycard. Once done, you can now access any room in the hotel using the master key. "You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air," said Tuominen in a blog postpublished Wednesday. "We don't know of anyone else performing this particular attack in the wild right now." Researchers have also provided a video demonstration, which shows the hack in action. Researchers reported their findings to Assa Abloy in April 2017, and for the last year, the two have worked together to develop a solution, which included effective randomization of the whole keyspace. Assa Abloy released software fixes for its systems in February 2018, and the updates have been made available to the affected facilities. "I would like to personally thank the Assa Abloy R&D team for their excellent cooperation in rectifying these issues," Tuominen said. "Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible." F-Secure has not yet released full technical details of the hack. Also, there's no evidence that the hack has ever been exploited in the wild, but cyber attacks against hotels are not at all surprising. About a year ago, we saw how hackers forced a luxurious hotel in Austria to pay ransom in Bitcoin, after ransomware hit the hotel's IT system, locking hundreds of guests out of their rooms.

HACKERS HAVE BUILD A MASTER KEY, THAT UNLOCKS MILLIONS OF DOORS.          



If you often leave your valuable and expensive stuff like laptop and passports in the hotel rooms, then beware. Your room can be unlocked by not only a malicious staff having access to the master key, but also by an outsider.


A critical design vulnerability in a popular and widely used electronic lock system can be exploited to unlock every locked room in a facility, leaving millions of hotel rooms around the world vulnerable to hackers.


The vulnerability has been discovered in Vision by VingCard locking system—made by the world's largest lock manufacturer, Assa Abloy, and deployed in more than 42,000 facilities in 166 different countries, which equals to millions of doors.


After thousands of hours work, F-Secure researchers Tomi Tuominen and Timo Hirvonen managed to build a master key that could be used to unlock doors and gain entry to any of the hotel rooms using the Vision by VingCard digital lock technology, without leaving a trace on the system.


How Hackers Built a 'Master Key'!


To create a master key to access a room secured by the Vision system, the first requirement is to get hold of an electronic keycard—any existing, old or expired electronic keycard to any room in the target facility would get the job done.


To obtain the electronic key (RFID or magstripe), an attacker could read the data remotely by standing close to a hotel guest or employee having a keycard in his pocket, or simply could book a room and then use that card as the source.


The attacker would then need to buy a portable programmer for a few hundred dollars online to overwrite it, and therefore creating a master key within minutes.


However, F-Secure says it used its custom software which made this particular hack possible, and for obvious reason, the researchers will not be releasing it.


The custom-tailored device (actually an RFID reader/writer) is then held close to the target lock, which tries different keys in less than one minute and locates the master key and unlocks the door.


Now, you can either use this custom-tailored device as the master key to open any door in the facility or write the master key back to your keycard. Once done, you can now access any room in the hotel using the master key.


"You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air," said Tuominen in a blog postpublished Wednesday. "We don't know of anyone else performing this particular attack in the wild right now."





Researchers have also provided a video demonstration, which shows the hack in action.


Researchers reported their findings to Assa Abloy in April 2017, and for the last year, the two have worked together to develop a solution, which included effective randomization of the whole keyspace.


Assa Abloy released software fixes for its systems in February 2018, and the updates have been made available to the affected facilities.


"I would like to personally thank the Assa Abloy R&D team for their excellent cooperation in rectifying these issues," Tuominen said. "Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible."





F-Secure has not yet released full technical details of the hack. Also, there's no evidence that the hack has ever been exploited in the wild, but cyber attacks against hotels are not at all surprising.


About a year ago, we saw how hackers forced a luxurious hotel in Austria to pay ransom in Bitcoin, after ransomware hit the hotel's IT system, locking hundreds of guests out of their rooms.


Comments

Popular posts from this blog

Escaped Murder Suspect Finally Arrested in Yumbe Regional Referral Hospital, Yumbe District.

Story by Osuta Yusuf. 19-November-2024. 📸: Eyotre Kennedy handcuffed on bed while receiving medication this morning at Yumbe Regional Referral Hospital in Yumbe District. Eyotre Kennedy originating from Etoko village, Nyoroo Parish, Nyadri Sub-county in Maracha District who has for many years been terrorizing residents in his village, has finally been arrested this Monday morning 19-November-2024 while receiving treatment at Yumbe Regional Referral Hospital in Yumbe District following injuries he sustained from Theft mission on Saturday night 16-November-2024 in Owapi village, Azapi parish in Odupi Sub-county, Terego East Constituency in Terego District. Click here on the link  https://informationispowah.blogspot.com/2024/11/fugitive-who-chopped-3-people-killed.html   to read the story on his Theft of Goats in Terego. Upon getting cut on the finger and leg by the Mob as he attempted to fight and overpower owner of the goats he attempted to steal on Saturday night ...

41-Years-Old Man Digs His Own Grave in Maracha District.

Story by Osuta Yusuf.  Maracha District.  📸: The grave been dug by Mr Opiga Michael, a victim of frustration. Photo taken by Osuta Yusuf , on Wednesday 11-September-2024. The residents of Ebapi village, Baria Parish in Nyadri Sub-county, Maracha east constituency, Maracha District are in shock after a 41 year old man started digging his own grave. The man, identified as Mr Opiga Michael, who seems to be frustrated over some challenges in life, started digging his own grave on Tuesday 10-September-2024 until he was stopped by the elders in Nyaria clan. 📸: Opiga Michael, the Victim of Frustration. Photo by Osuta Yusuf , Information is Power. While speaking to our reporter on Wednesday evening 11-September-2024, Mr Opiga Michael, said, his main plan  was to commit suicide after finishing digging the grave for burying himself, explained that, he feels frustrated, abandoned and hated by his own clan people, whom he accused of piling lies against him a...

Wedded Ayivu West MP Lematia John Fights Over Another Woman.

  📸: Hon Lematia John. By URN. Police in Arua district are investigating a case of assault and threatening violence involving the Member of Parliament for Ayivu West Constituency John Lematia and James Ariko, a DSTV technician in Arua city. Drama ensued on Easter Sunday 31-3-2024 at Dream Land Hotel located at Kuluva trading center along Arua-Nebbi highway in Arua district when the legislator and the technician engaged in a fight reportedly over a woman identified as Faith Eyotaru 25, a relationship officer at Victoria University Kampala. The scuffle started after Ayivu West Mp John Lematia went to swim at Dreamland Hotel with Faith Eyotaru only to find Ariko, who had gone to the same hotel earlier. However, upon seeing the duo coming out of the vehicle, Ariko confronted Lematia with both men claiming to be having a relationship with the lady. It took the intervention of the staff at the hotel who intervened and separated the fight between the men. Josephine Angucia, the West Nil...