"You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air."
Practice Leader at F-Secure Cyber Security Services
Ghost in the Locks
F-Secure researchers have found that global hotel chains and hotels worldwide are using an electronic lock system that could be exploited by an attacker to gain access to any room in the facility.
The researchers simulated the attack with an ordinary electronic key to the target facility. Using information on the key, they were able to create a master key that can open any door using the same lock system in the facility. The key doesn't even have to be a working key – even one that's long expired, discarded, or used to access spaces such as a garage or closet could be used. The attack can be performed without being noticed.
The design flaws discovered in the smart lock system's software, which is known as Vision by VingCard and used to secure millions of hotel rooms worldwide, have prompted the world's largest lock manufacturer, Assa Abloy, to issue software updates with security fixes to mitigate the issue.
Ghost in the Locks presentation
F-Secure researchers Tomi Tuominen and Timo Hirvonen explain the hotel room lock hacking experiment at INFILTRATE 2018 Security Conference.
"Our success rate in completely subverting the security of nearly 100% of our tested targets is only equal to the ability of ensuring their security, and safety, before deployment. We had the privilege to help countless customers early on in their development phase, with a cost-effective approach instrumental for the security of their products whether operating on air, land, sea or space."
Head of Hardware Security at F-Secure
F-Secure researchers Tomi Tuominen and Timo Hirvonen were interviewed about the Ghost in the Locks case in our Cyber Security Sauna podcast.
Behind the scenes
The researchers' interest in hacking hotel locks was sparked a decade ago when a colleague's laptop was stolen from a hotel room. When the researchers reported the theft, hotel staff dismissed their complaint as there was no sign of forced entry, and no evidence of unauthorized access in the room entry logs. The researchers decided to investigate the issue further.