Hackers Can Use Old Key Cards To Break Into Any Hotel Room, Security Researchers Reveal
"It can be your own room key, a cleaning staff key, even to the garage or workout facility."
By John Lim — 27 Apr 2018, 01:17 PM
In an alarming study, a security firm has revealed that millions of hotel rooms around the world have been vulnerable to a hack, after researchers discovered a way of creating a master key that can open doors
The research carried out by Finnish security data firm F-Secure, who said they discovered the vulnerability about a year ago, was published on Wednesday, 25 April.
Hotel rooms fitted with electronic locks made by Assa Abloy, the world's largest lock manufacturer, were found to be at risk, Reuters reported.
Telegraph said hotels with an Assa Abloy locking system include major chains such as Sheraton, Radisson, and Hyatt.
The inspiration to embark on the study came in 2003 when a laptop belonging to a colleague was stolen from his hotel room. As there were no signs of forced entry, nothing much was done.
F-Secure decided to investigate themselves.
"We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace," Hirvonen said.
What's even more shocking is that hackers can use any keycard - new or old - to access hotels rooms if correct modifications are made to it
"We found out that by using any key card to a hotel. You can create a master key that can enter any room in the hotel. It doesn’t even have to be a valid card, it can be an expired one," Timo Hirvonen, a security consultant for the company, said in an interview with Reuters.
The firm revealed that the hack involves finding a key card, a piece of hardware wired with customised software to help read the card and search for the master key code, and then copy the key code onto a new or existing card.
"It can be your own room key, a cleaning staff key, even to the garage or workout facility," Hirvonen added.
While the revelation is worrying, there is good news. It took the researchers awhile to develop the device and F-Secure is unaware of any such devices being used maliciously in the real world.
The firm has informed Assa Abloy of their findings as well and helped the lock-making company to develop software fixes and upgrades.