Skip to main content

HACKERS HAVE BUILD A MASTER KEY, THAT UNLOCKS MILLIONS OF DOORS. If you often leave your valuable and expensive stuff like laptop and passports in the hotel rooms, then beware. Your room can be unlocked by not only a malicious staff having access to the master key, but also by an outsider. A critical design vulnerability in a popular and widely used electronic lock system can be exploited to unlock every locked room in a facility, leaving millions of hotel rooms around the world vulnerable to hackers. The vulnerability has been discovered in Vision by VingCard locking system—made by the world's largest lock manufacturer, Assa Abloy, and deployed in more than 42,000 facilities in 166 different countries, which equals to millions of doors. After thousands of hours work, F-Secure researchers Tomi Tuominen and Timo Hirvonen managed to build a master key that could be used to unlock doors and gain entry to any of the hotel rooms using the Vision by VingCard digital lock technology, without leaving a trace on the system. How Hackers Built a 'Master Key'! To create a master key to access a room secured by the Vision system, the first requirement is to get hold of an electronic keycard—any existing, old or expired electronic keycard to any room in the target facility would get the job done. To obtain the electronic key (RFID or magstripe), an attacker could read the data remotely by standing close to a hotel guest or employee having a keycard in his pocket, or simply could book a room and then use that card as the source. The attacker would then need to buy a portable programmer for a few hundred dollars online to overwrite it, and therefore creating a master key within minutes. However, F-Secure says it used its custom software which made this particular hack possible, and for obvious reason, the researchers will not be releasing it. The custom-tailored device (actually an RFID reader/writer) is then held close to the target lock, which tries different keys in less than one minute and locates the master key and unlocks the door. Now, you can either use this custom-tailored device as the master key to open any door in the facility or write the master key back to your keycard. Once done, you can now access any room in the hotel using the master key. "You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air," said Tuominen in a blog postpublished Wednesday. "We don't know of anyone else performing this particular attack in the wild right now." Researchers have also provided a video demonstration, which shows the hack in action. Researchers reported their findings to Assa Abloy in April 2017, and for the last year, the two have worked together to develop a solution, which included effective randomization of the whole keyspace. Assa Abloy released software fixes for its systems in February 2018, and the updates have been made available to the affected facilities. "I would like to personally thank the Assa Abloy R&D team for their excellent cooperation in rectifying these issues," Tuominen said. "Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible." F-Secure has not yet released full technical details of the hack. Also, there's no evidence that the hack has ever been exploited in the wild, but cyber attacks against hotels are not at all surprising. About a year ago, we saw how hackers forced a luxurious hotel in Austria to pay ransom in Bitcoin, after ransomware hit the hotel's IT system, locking hundreds of guests out of their rooms.

HACKERS HAVE BUILD A MASTER KEY, THAT UNLOCKS MILLIONS OF DOORS.          



If you often leave your valuable and expensive stuff like laptop and passports in the hotel rooms, then beware. Your room can be unlocked by not only a malicious staff having access to the master key, but also by an outsider.


A critical design vulnerability in a popular and widely used electronic lock system can be exploited to unlock every locked room in a facility, leaving millions of hotel rooms around the world vulnerable to hackers.


The vulnerability has been discovered in Vision by VingCard locking system—made by the world's largest lock manufacturer, Assa Abloy, and deployed in more than 42,000 facilities in 166 different countries, which equals to millions of doors.


After thousands of hours work, F-Secure researchers Tomi Tuominen and Timo Hirvonen managed to build a master key that could be used to unlock doors and gain entry to any of the hotel rooms using the Vision by VingCard digital lock technology, without leaving a trace on the system.


How Hackers Built a 'Master Key'!


To create a master key to access a room secured by the Vision system, the first requirement is to get hold of an electronic keycard—any existing, old or expired electronic keycard to any room in the target facility would get the job done.


To obtain the electronic key (RFID or magstripe), an attacker could read the data remotely by standing close to a hotel guest or employee having a keycard in his pocket, or simply could book a room and then use that card as the source.


The attacker would then need to buy a portable programmer for a few hundred dollars online to overwrite it, and therefore creating a master key within minutes.


However, F-Secure says it used its custom software which made this particular hack possible, and for obvious reason, the researchers will not be releasing it.


The custom-tailored device (actually an RFID reader/writer) is then held close to the target lock, which tries different keys in less than one minute and locates the master key and unlocks the door.


Now, you can either use this custom-tailored device as the master key to open any door in the facility or write the master key back to your keycard. Once done, you can now access any room in the hotel using the master key.


"You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air," said Tuominen in a blog postpublished Wednesday. "We don't know of anyone else performing this particular attack in the wild right now."





Researchers have also provided a video demonstration, which shows the hack in action.


Researchers reported their findings to Assa Abloy in April 2017, and for the last year, the two have worked together to develop a solution, which included effective randomization of the whole keyspace.


Assa Abloy released software fixes for its systems in February 2018, and the updates have been made available to the affected facilities.


"I would like to personally thank the Assa Abloy R&D team for their excellent cooperation in rectifying these issues," Tuominen said. "Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible."





F-Secure has not yet released full technical details of the hack. Also, there's no evidence that the hack has ever been exploited in the wild, but cyber attacks against hotels are not at all surprising.


About a year ago, we saw how hackers forced a luxurious hotel in Austria to pay ransom in Bitcoin, after ransomware hit the hotel's IT system, locking hundreds of guests out of their rooms.


Comments

Popular posts from this blog

Lab Student Drowned, Body Missing in Rokoze Lake in Nyadri Sub-county, Maracha District.

Maracha District.  5-December-2025. 📸: Residents gathered around the lake as they searched the missing body of the student. Photo by #Information_is_Power's news reporter.  This afternoon Friday 5-December-2025, a student from St Joseph Laboratory Training School in Maracha hospital, a one  Araku Denis drowned in Rokoze water body in Nyadri Sub-county and the  body has not been retrieved upto this night as the police and residents searched for it and in vain but they are expected to resume retrieving it tomorrow Saturday 6-December-2025. 📸: Photo of the deceased which we captured on his phone screen this night. Araku and his fellow students had  reportedly gone to pass time at water point after completing exams papers of today. Him and callagues got attracted to swimming at water body where he perished.  By press time, efforts to retrieve his body proved futile as the body remains invisible on water surface.  Rokoze water body...

Hon Oguzu Lee Denis Drags to Court, Maracha Constituency MP-Elect Uhuru Nelson and Electoral Commission.

Story by Osuta Yusuf.  Maracha District 6-April-2026. Following the 15-1-2026 general election, the two term MP for Maracha Constituency, Hon Oguzu Lee Denis has dragged to court the Winner for Maracha Constituency MP election, Uhuru Nelson as the first respondent and Election Commission as the second respondent.  📸: Copy of the court document shared in NEWS PLATFORM, one of the WhatsApp groups in WestNile region. In a document dated 1-April-2026 filed at Arua High Court, it's not yet clear which grounds the petitioner, Hon Oguzu Lee Denis has used to challenge the victory of the NRM Party candidate Uhuru Nelson.  It should be noted that, the NRM Party candidate Uhuru Nelson was declared the winner of the 15-1-2026 general election after he garnered 13,696 votes, followed by Independent candidate Obeta Moses Drakua who garnered 9,247 votes, the incumbent MP Hon Oguzu Lee Denis (FDC) fell in the third position after he got 3,290 votes, Eng. Aguta Sam (Independent) got 686...

Famous Arua City TikToker Arrested on Allegations of Lesbianism Act.

Arua City. 20-2-2026. A famous TikToker from Arua City, WestNile region, in the names of Torrero Bae was arrested on Wednesday 18-2-2026 and taken to Onduparaka Police Station on Allegations of engaging in Lesbianism acts with another girl. Story excerpts from the Facebook account of Kawawa Michael.  📸: Part of the screenshot  📸: Screenshot from Facebook.  I have spoken to a reliable source from Onduparaka Div police HQS  As concerns the case of these girls  It's true they have confessed to being lesbians and the whole of their dancing group is involved  She comes from a good family and the mother is a teacher by profession I will hide her names  It's alleged that she started her lesbiansim from school that is why she ran away from the mother that is according to her mother who was present at Onduparaka today  Police is trying to apprehend the whole group then make a decision on the file at the moment other...