Ghost in the Locks
F-Secure researchers have found that global hotel chains and hotels worldwide are using an electronic lock system that could be exploited by an attacker to gain access to any room in the facility.
The researchers simulated the attack with an ordinary electronic key to the target facility. Using information on the key, they were able to create a master key that can open any door using the same lock system in the facility. The key doesn't even have to be a working key – even one that's long expired, discarded, or used to access spaces such as a garage or closet could be used. The attack can be performed without being noticed.
The design flaws discovered in the smart lock system's software, which is known as Vision by VingCard and used to secure millions of hotel rooms worldwide, have prompted the world's largest lock manufacturer, Assa Abloy, to issue software updates with security fixes to mitigate the issue.
GHOST IN THE LOCKS PRESENTATION
F-Secure researchers Tomi Tuominen and Timo Hirvonen explain the hotel room lock hacking experiment at INFILTRATE 2018 Security Conference.
"Our success rate in completely subverting the security of nearly 100% of our tested targets is only equal to the ability of ensuring their security, and safety, before deployment. We had the privilege to help countless customers early on in their development phase, with a cost-effective approach instrumental for the security of their products whether operating on air, land, sea or space."
Andrea Barisani
Head of Hardware Security at F-Secure
Contact us
Get in touch with one of our hardware security experts to discuss your product security.
In the media
"Researchers say flaws they found in the equipment's software meant they could create "master keys" that opened the rooms without leaving an activity log."