A hotel room offers most of us a feeling of relative safety. It’s not home – or the office – but you still feel comfortable leaving your valuables behind when it’s time to do business or go explore the city around you.
Would you feel as safe if you knew someone could open your door completely unseen, without the original key?
F-Secure researchers Tomi Tuominen and Timo Hirvonen have found serious design flaws within Assa Abloy’s smart lock system Vision by Vingcard, used in a massive number of hotels and other institutions around the world. When exploited, these issues allow a potential attacker to open any door within a facility that uses the lock system, and get access to its restricted areas.
How does it work?
The attacker starts by getting hold of an electronic keycard that opens a lock within the target facility. Any key will work, whether it’s used to open a highly secure room or a broom closet.
Even worse? The key doesn’t need to be currently active – an old, expired one will do just as well. How many keycards do you think hotels lose each year? If Mikko Hypponen’s collection is anything to go by, it’s quite a few.
After acquiring a card, the attacker can use a small, easily concealable hardware device to create a master key (running software that took years of research to develop and will not be made publicly available). Yes, it’s as bad as it sounds – now they’re able to get past any lock in the facility with a single swipe.
Which hotels are affected?
Hotels using Assa Abloy’s “Vision” software system are affected.
It’s important to note that the company has other hospitality software products besides Vision that are not affected by the design flaws. Still, Vision is an extremely widely used smart lock system.
Can anyone exploit the design flaws?
Tomi and Timo are the first to tell you this stuff isn’t easy. Navigating the complex interplay between a modern lock system, the associated software and the actual keys is even trickier than it sounds.
Assa Abloy is a highly reputable lock manufacturer, and their products are generally regarded as well designed. Getting past something of this caliber takes deep technical knowledge and thousands of hours of research – not to mention a lot of patience.
In essence? There are easier and cheaper ways for someone to gain access to your hotel room. We haven’t heard any reports of somebody exploiting this in the wild.
What does this mean for me?
To ensure the safety of both hotel guests and the institutions themselves, we will not reveal the full details of the attack method. The attack tools required to exploit the flaws will also not be made publicly available.
Assa Abloy has already issued a software patch which corrects the issues in the Vision software. Those locations which have not yet applied the update should do so as soon as possible.
In a nutshell? No need to panic – feel free to enjoy yourself at whatever hotel you happen to stay at next.
This doesn’t mean that you shouldn’t take precautions when traveling, however. Although attackers are unlikely to hack your hotel room door (thanks Tomi and Timo!), there are a bunch of other ways to compromise someone while they’re on the road.
You can check out our OpSec comic for some great travel security tips, but here are a few basics you should incorporate into your routine:
- Never leave valuable items and work-related documents unmonitored in your hotel room
- Avoid using hotel safes
- Use door chains/security locks when available
- Take good care of your keycard!
- Use a VPN service
Check out our website for more information on the vulnerability Tomi and Timo found!