Two weeks ago, we published the story of two of our ethical hackers who’ve figured out a way to create master keys that let them bypass the electronic locks on millions of hotel room doors worldwide. Since then, F-Secure’s Tomi Tuominen and Timo Hirvonen have described the hack in their talk at the Infiltrate conference and their story has been featured in hundreds of news articles from BBC to Wired to The Economist.
Fortunately for us, they also found time to stop by the Cyber Sauna. Listen to Episode 7 to hear about the hotel hack in their own words – and get the real, unvarnished truth about what it was like to spend thousands of hours plugging away at a project they didn’t know if they would ever succeed at. (Spoiler: Hacking’s not as sexy as you might think.)
Got a question for Tomi and Timo? May 11 is your chance – that’s when they’ll be participating in a Reddit “Ask Me Anything” session. Check out this post for details.
Welcome to the show, guys.
Tomi: Thanks for having us.
Timo: Thank you, Janne.
What is this, in a nutshell?
Tomi: It’s about creating a master key out of thin air, basically granting you access to each and every door on a specific facility.
Timo: And doing it without leaving a trace.
What was it that got you started down this rabbit hole?
Tomi: It all started back in 2003 when we were attending a hacker conference in Berlin, Germany, and once we got back to the hotel we found that one of the laptops was gone. So basically our friend lost his laptop and we didn’t really know how that happened.
So no signs of breaking and entering or anything like that?
Tomi: That was the thing. There was nothing visible, no signs of physical entry, or breaking and entering. The hotel staff didn’t find anything suspicious. They didn’t really believe us that the laptop was gone. Which is kind of understandable, if you think how we used to look back then.
Okay. So that got you started in looking at hotel locks and how to bypass them.
Tomi: That was basically the kind of pulse or the motivation behind it. Because we wanted to find out if it would be possible to get into a hotel room without leaving any traces.
Now just to get the scope of this, what kind of hotels use this lock system, and how many hotels are we talking about?
Tomi: So we don’t have exact numbers, but the vendor marketing material says that these kind of systems are being used in 166 countries, 42 thousand facilities and about eight million doors. Not all of those are this specific system, so the real number of doors is maybe half of it, or – well, we’re still talking about millions of doors.
So it’s a widespread problem.
Tomi: It definitely is.
Yeah, I remember personally, I’ve been bringing hotel key cards for you guys for a bunch of years, and every time I brought one, it was yeah, this is the one we’re researching. So very widely used.
Tomi: Extremely widely deployed. As far as we know, Assa Abloy is a market leader, they have about 95% market share of the hospitality industry.
Right. So what was it about the software, about the lock, that made the attack possible?
Timo: There were no obvious mistakes in the lock or in the software, so it took us quite some time to research the software and to understand how the system is built. And then we identified some small mistakes, and once we understood the whole thing well enough we were able to combine those small mistakes and then basically create those master keys out of thin air.
So for those of us who are not professional hackers, how does that work? When you start picking at something, do you get a sense that I’m on the right track, do you find dead ends, do you get frustrated at all?
Tomi: If you go back, we started back in 2003, and immediately after 2017 we were able to crack this one, so-
Only 15 years or so.
Tomi: Yeah, so…nowadays when you go to industry events or hacker conferences, it looks like everyone’s walking on water, but that’s not the case. That’s the reason why we don’t really have any good hacker movies, because it’s boring as hell. It’s like watching paint dry, and there’s nothing sexy in it. So this took a lot of trial and error to get where we are at this point. To make it crystal clear, we have done each and every mistake possible on our way here.
Timo: Yeah, and we didn’t even start the research from the electronic locks. We started by first looking at the mechanical lock, whether it would be possible to somehow bypass that one. And we also did research into reprogramming the lock. So there were like at least two different tracks that we researched before we focused on creating these master keys.
Tomi: The original research was done on magstripe, and because our hardware was so crappy, we were getting so many errors, that the last thing you want to have is that when you’re swiping the card twice you get a different result from the same card, it’s not exactly optimal. So we ditched that track and started paying attention to the RFID locks instead, which were much more reliable.
So we’re approaching the hot topic now. How does this attack actually work?
Timo: To start, you need any key to the hotel. It doesn’t need to be valid anymore. It can be a key to the hotel from your stay five years ago. Or it can be a key to the garage, or gym or anything. Then we read a piece of information from that card, and then we have our own device that we use. We show the device to the lock, and it does a couple of attempts, and at some point the lock will show you a green light, and then you know that you have the master key.
Basically generating new keys based on a key that once was.
Tomi: If you’ve ever seen the Terminator 2 movie, where the guy puts this device against a lock, it’s exactly like that. Stunt hacking.
So for once we have something that’s exactly like in the movies.
Timo: That’s true, yeah!
Tomi: That was our main motivation.
I’m sure. (laughing) So the lock we’re talking about now is manufactured by Assa Abloy. When did you notify Assa Abloy about your findings, and what were they like to work with?
Tomi: We contacted Assa guys more than a year ago, so early 2017. They took us very very seriously from the beginning, and they actually built a lab environment where they wanted us to demonstrate the attack. So the lab setup was basically a lock and a card that didn’t open that specific lock. So they wanted to see if we can actually read that card and derive the master key that will open the lock. And once they saw that we were able to do that, that’s how it started the cooperation between F-Secure and Assa.
So what was their first reaction when they saw the magic happen?
Tomi: I guess it was something like, Uh oh, this is not good. I guess that was it, if my memory serves me right.
Timo: Yeah. (laughing)
So what was it like to work with them after that initial meeting?
Tomi: I think it went really well. We had a good connection with their CTO, and also the head of engineering or head of R&D, and the cooperation was pretty good. We were bouncing ideas back and forth and we were able to help them throughout the process of fixing those vulnerabilities.
You hear a lot of horror stories about vulnerabilities discovered, where the discoverer doesn’t get taken seriously by the company they contact, but that wasn’t the case here.
Tomi: I think it’s safe to say that the cooperation with R&D went extremely well. They were very open minded and actually wanted our help.
Timo: Yeah, and it was clear that they wanted to fix those issues.
So have they been fixed? Is there an update, a patch, how does it work?
Timo: Yeah. There is a patch available now. It has been available since March, I think.
Tomi: They pretty much patched the whole product line dating back a few years or so, so if you have an installation done within the past five years or so, I guess you should have a patched version available. And they also improved the process of getting security updates, so nowadays you have a website where you can subscribe and just download the patches from there.
Timo: I think it’s important to understand that patching this kind of a system isn’t actually trivial, because you need to reprogram the locks as well, you need to install new software to the locks too, so it’s not like just installing Windows updates or anything.
Tomi: It’s like back in the 90’s you had Adidas networks, so that’s how it works.
Do you know if the manufacturer has contacted hotels using this equipment and notified them of the need to update?
Timo: Yes, they have reached out to their customers.
Tomi: As far as we know, yes.
All right. And now, just between you and I and the three people listening to this podcast, how likely is it that this is gonna get ever fixed in all instances?
Tomi: Frankly, we don’t have visibility to that. Patches are available, they’ve been available for some time by now. And all the customers have been notified, according to the vendor. So at least they have all the means to do that. It’s not trivial, we do understand that, but it’s definitely doable. We wanted to postpone the release of our research for this very specific fact because we didn’t want to put innocent people at risk. So the way we see it is that now the hotel industry or the hospitality industry is a safer place to be.
Timo: Call me an optimist, but I’m quite sure there’s many hotels out there who want to install the patch as soon as possible to make sure that their guests are safe.
Absolutely, you’d think that. So, how unique is this vulnerability, this research. Have there been any other similar types of attacks against access control systems?
Tomi: Breaking physical access control systems is nothing new. There’ve been multiple different attacks over the years. What we think is kind of unique in this case is that the impact is so huge. We are talking about millions of doors and thousands of facilities worldwide. But the fact that an electronic locking system gets popped is nothing new.
Right, so what does this mean for hotels and travelers who use them? Are we all at risk that someone might break into my room?
Tomi: That’s the funny part – well, funny, depending on your definition, but – there are easier ways. So, with an investment of two euros, or taking your suit to the dry cleaners, will actually give you all the tools to break into pretty much any hotel room on the planet. So in that regard it’s not unique, because you can just make a device that will open the handle inside the door, slide it under the door and then open the door from inside. So those type of attacks have been available for ages.
So this is more like for a highly skilled, highly motivated, specific type of attacker, going after a specific individual?
Tomi: Not necessarily. I mean, of course, if you’re carrying that kind of device with you that will enable you to open hotel doors or facility doors, it will raise suspicions, but if you’re carrying a small electronic device with you, or let’s say a smartphone, that will open the doors, it’s much more covert, if you will. So if we are thinking about the bad guys that would like to just pilfer all the hotel rooms, of course this attack is a more viable option. But I’m just saying that it’s not unique in the sense that you can get to the same end result with other means as well.
Okay, so this is not something people need to stay awake at nights worrying about. So from now on when I’m traveling, are there any special measures I should take in my hotel room when I don’t know if the rooms have been patched or not?
Timo: You probably want to travel with us, because we know.
Okay, that’s fair. (laughing) Let’s talk a little bit about you guys. I know a lot of you guys have pet projects that you spend years and years on, but when I go home, I try to put my work behind me. You guys pick it right back up after dinner. Don’t you ever want a break from all the hacking?
Tomi: No, that depends on your definition of work. We don’t see this as work. So, you know, it’s a dear hobby.
So this is how you guys relax. Breaking into hotel rooms.
Tomi: Well, you need to have hobbies, right?
Everybody needs a hobby.
Timo: I mean, come on. Some people play golf, some people play football.
Tomi: How sensible is that?!
That’s fair, that’s fair. Can you talk a little bit about the process of finding these vulnerabilities? Did you ever feel like this was never gonna go anywhere?
Tomi: Initially we did this sporadically. Trying a few things here and there. And about four or five years ago we decided that we actually want to get somewhere with this and started working on it every week. So every Wednesday we would start at 5:00 and work until midnight, and that’s how we started to get results. It’s funny, you put in the hours and you usually get results. But it was not that everything was great from the beginning. We had super bad experiences with pretty much everything we tried. It’s very difficult to know what works and what not before you have tried it. So we have spent hundreds of hours doing exactly all the wrong things.
Timo: Yeah, I mean, there were countless dead ends. One of my favorite examples was that we had the software that the hotel personnel used to create the keys, and we had an RFID reader that’s supposed to be supported by the software. And honestly we spent at least 20 hours trying to connect that reader to the virtual machine and trying to make it work with the software and it was quite frustrating.
Tomi: Yeah, and in the end the solution to this was that we just had to run the installer again because we had forgotten that when you start the installer it actually asks you if you want to have a magstripe setup or an RFID setup. We felt pretty stupid at that point.
Yeah, you guys should have tried turning it off and on again.
Timo: Exactly, yeah.
Tomi: Yeah, that Dilbert or Dogbert tech support solution. Shut up and reboot.
Timo: Janne, you should join us next time.
Absolutely. (laughing) So a hundred times when you felt you weren’t getting anywhere, did you ever feel like quitting?
Timo: No, never. Failure is not an option.
So what about the good times? Were there like those moments – you mentioned this was a bunch of little things coming together. What does it feel like when you know that you’re on to something?
Tomi: Well, those were the – Both times were awesome.
Timo: (laughing) Yeah.
Tomi: I don’t know if I can speak for Timo, but at least to me, it’s like a drug. You know, you’re basically high because you’re so happy that you were able to accomplish something. Especially, you have to understand that after working on something for months, maybe years, and then you finally figure out something that actually takes you to the next level, it’s a pretty rewarding feeling.
Timo: Tomi already said we worked on this every Wednesday, and I think there was a pattern that there were like two or three Wednesdays that we didn’t really make any progress, and then it was like the fourth or fifth time that we made a breakthrough, and –
Tomi: And those breakthroughs also, they tend to stack. So once we figured out something we were like, Oh! This means that and that means that, and so it kind of – we got this domino effect, that we understood something, we could see what we had been doing wrong, and then we were able to take it from there, and we realized that okay, once we fix this, we actually get here, and once we are there we can actually go here, and so on. So it was the gift that kept giving.
Timo: Yeah, and we even had this poor man’s ticketing system. So we had these smaller steps, like smaller goals that we wanted to achieve.
Tomi: Yeah, this was not just some random stuff that we were trying to pull off. We were actually tracking. We had tasks, we had deadlines, we had completion dates. We were managing it as a project.
Absolutely. Isn’t this also how like, the black hat hackers work when they’re researching something?
Tomi: We wouldn’t know.
So you mentioned the whole thing started in 2003 when your friend got his laptop stolen. If you could go back in time with the knowledge you have now, what would you tell them to do differently?
Tomi: The advice that we give usually is to carry all your electronic devices with you, if possible. If that’s not possible, store it securely. In this case the guy had just left his laptop on his bed, and that’s not the best place to store it. Put it somewhere – at least where, somewhere where it’s not visible or in plain sight.
All right. I want to thank you guys for sharing your experiences and for doing this research in the first place. And big thanks to Assa Abloy for responding to the issue like a company should. Thanks, Timo and Tomi.
Tomi: You’re welcome. Thanks.
Timo: Thank you, Janne.