When you leave a hotel, what do you do with that plastic keycard they give you to get into your room? Do you return it to the front desk, or maybe toss it in the trashcan outside the door?
Security researchers say any one of those abandoned cards could be picked up by a hacker and used to create a new "master key" that could unlock any room in the hotel. They know, because they say they've done it.
“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” Timo Hirvonen, senior security consultant at the cybersecurity firm F-Secure, said in a statement. “Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”
The exploitation works with many locks designed by VingCard, which use Swedish lock manufacturer Assa Abloy’s Vision system. The VingCard systems have been steadily replaced with new technology, but Assa Abloy told Reuters the tech was still being used in several hundred thousand hotel rooms. The company told Wired it could affect up to a million locks.
The company has since patched the issue on its main server, but those individual buildings still need to update the locks themselves, according to F-Secure. Plus, the researchers say the problem doesn't end with one keycard company.
“I wouldn’t be surprised if other electronic lock systems have similar vulnerabilities," one of the researchers told Reuters. "You cannot really know how secure the system is unless someone has really tried to break it.”
The hackers first began thinking about how to crack into keycard locks back in 2003, after one of their colleagues had a laptop stolen from his hotel room with no signs of a break-in, the researchers told ZDNet.
Working on and off for "thousands of hours," they created a way to steal data from a card, reprogram that data into a new master card, and then use it to unlock any door in the building that uses the system, they told the site.
They use a small hand-held card reader to read the data off a card, then cycle through possible keys until they get the master code. The process only takes a couple of minutes, Wired reported.
"Once we have the master key, we can write it to an ordinary hotel key. It’s much less suspicious to access a room using a key than connecting a device with wires to a lock. Furthermore, the master key we create is a totally normal, legitimate way of opening any door. It’s impossible to tell whether it was us or a legitimate owner," Tomi Tuominen from F-Secure told the magazine.
The original card could come from anywhere. It might only have unlocked the laundry room or the pool, or it may lead into just one guest bedroom. It could even have been deactivated. It didn't matter, according to F-Secure.
Although it took a long time for them to get their software up and running, they say part of the reason is because they were mostly working on the project as a hobby.
"If somebody was to do this full time, it would probably take considerably less time," they told ZDNet.
It's not the first time security experts have raised concerns about security on hotel door locks. In 2012, Forbes reported on a 24-year-old hacker who discovered a way to unlock hotel rooms that relied on a different locking program called Onity. The vulnerability was later linked to a string of break-ins.
But there is some good news.
"We don't know of anyone else performing this particular attack in the wild right now," the researchers wrote on their website. They also thanked the research team Assa Abloy for doing what it could to fix the issue.
“Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place," the researchers wrote.