Researchers at a cybersecurity company have discovered a way to unlock millions of electronic door locks fitted to hotel rooms around the world.
Cybersecurity company F-Secure announced that its researchers have found a bug in the software of electronic locks made by Assa Abloy, and that they have successfully created a master key using information from a key card for any room, even a long-expired or discarded one.
Hotels including Sheraton, Radisson, and Hyatt use Assa Abloy's locking system.
F-Secure’s researchers Tomi Tuominen and Timo Hirvonen decided to research electronic locks after a laptop belonging to one of their team members was stolen from a hotel room during a security conference. Hotel staff found no trace of forced entry and no evidence in their logs of unauthorized access to the room.
“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” Hirvonen said in a public statement. “Building a secure access control system is very difficult because there are so many things you need to get right.”
“Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings,” he added. “We creatively combined these shortcomings to come up with a method for creating master keys.”
However, the researchers have stressed that the exact details of the hack will not be disclosed.
F-Secure has informed Assa Abloy of its findings and investigation, and has helped the company fix the bug.
Assa Abloy has rolled out updates, but it is not clear whether all hotels have updated their software.
“We have worked together with Assa Abloy for over a year to address these security issues and the patch has been available since early 2018,” Hirvonen told Telegraph Travel.
“The patches fix all the vulnerabilities we have identified. However, it is up to the hotels whether they patch their systems in a timely manner. Installing the updates is somewhat labour-intensive since you need first to update the backend software and then go to each and every lock to update the lock firmware.”