Skip to content

Trending tags

Ask the Hotel Hackers Anything

Sandra Proske

02.05.18 3 min. read

Read Tomi and Timo’s reddit AMA here.

“Some people play football some people play golf, and we just do… these kinds of things,” Tomi Tuominen, Practice Leader at F-Secure Cyber Security Services, told Digital Trends.

Tomi and Timo Hirvonen, F-Secure Senior Security Consultant, spent more than a decade of their spare time trying to figure out what happened to a laptop that was stolen out of a hotel room, without a physical or digital trace, at a infosec conference in Berlin. Eventually, after endless experimentation, they figured out a way to make a master key that could slip them into hotels around the world in just seconds.

“We could ride an elevator with a guest, if the guest had a key in their pocket we could read the key through the pocket with our device. Then we’d just walk up to any of the doors and typically in less than a minute we can find the master key.”

The duo disclosed their findings to the lock’s manufacturer, which began updating the vulnerability early this year, and now their “hobby” has now made countless hotel rooms safer, while making news around the globe with stories in the BBC, Reuters, Gizmodo, WIRED, ZDNet, CNBC, PC Mag, Newsweek and hundreds of other publications.

Here’s their talk revealing their work at the Infiltrate conference:

[vimeo 267613809 w=640 h=360]

Ghost in the locks, Tomi Tuominen, Timo Hirvonen, INFILTRATE 2018 from Immunity Videos on Vimeo.

When most people heard about this hack, a simple question often came up: Is my hotel room safe?

“I highly encourage the hotels to install those software fixes,” Timo told Reuters. “But I think there is no immediate threat, since being able to develop this attack is going to take some time.”

The chances that you’ll be targeted by a hacker who knows about this vulnerability, finds you in a room with the exact right lock and manages to use the same attack Tomi and Timo came up with are not great. Especially since these two guys are the only two people who have ever pulled off this sort of attack in the wild and they are not releasing their attack tools.

But that’s the just the first question they’re generally hearing.

People want to know what it was like when they realized the hack worked, the tools that were used and what it’s like to hack businesses for a living, as these two do in their day job.

That’s why Tomi and Timo have decided to do their first reddit “Ask Me Anything” session. Like F-Secure fellows Mikko, Erka and Tom before them, they take on as many questions they can ethically answer.

Get ready for it by listening to their visit to our #CyberSauna podcast.

Follow them both on Twitter and check back here on the 11th of May when we’ll post the link. So start thinking about what you want to ask.

[Cover photo of Mikko Hypponen’s hotel keycard collection.]

Sandra Proske

02.05.18 3 min. read


Related posts


Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.