A Master Card That Gives Access to Rooms of More Than 42,000 Hotels

Under the premise that any electronic device can be compromised, the cybersecurity company, F-Secure, has created a device that, they claim, can extract data from hotel access cards and create a master card that would give access to all the rooms of one or several hotels.

This device takes advantage of a fault in the design of the electronic locks system, which would allow creating said master card by simply accessing a hotel card, no matter that it is no longer in use. The detail and the worrying thing is that this vulnerability is present in the electronic lock Vision by VingCard, owned by the company Assa Abloy, which is available today in more than 42,000 hotels in 166 countries.

A Master Card

One Card to Master Them All

This system of electronic locks has increased its use in an important way, which has positioned it as the most used security mechanism in hotels around the world. This is used not only in the rooms, either by RFID or magnetic stripe, but also in the elevators to limit access to the floors, as well as other restricted areas in the hotels.

As we know, these cards are returned once we check out and can be used again for a new guest. Sometimes, some people do not return them and this has caused them to become access doors to the data of the locks system because although they are deactivated they store information that in this case can be reused to create a master card.

More in News: Facebook is Unstoppable, Revenue Growth 68%, Users 13% in Q1 of 2018

Those responsible for this feat were Tomi Tuominen and Timo Hirvonen from F-Secure, who developed a personalized cloning system using a handheld device, which would be able to steal card data, manipulate them and identify which hotel or chain they belong With this data, the system would produce an access token with all the privileges that in the end would serve as master key, that is, as one of the cards used by the cleaning staff to access the rooms to do the cleaning.

It is not that Simple

It might sound simple, but Tuominen and Hirvonen explain that it is a job that took them a little over ten years, where they had to investigate these access systems, understand how the locks work and see the residual data left in the deactivated cards. Therefore, these researchers say that right now there is no one who is using a device of this type for malicious purposes.

You might also like: How to Play Morrowind on Android, The Legendary RPG on Android

F-Secure mentions that in April 2017 they were able to create the first cloning environment via RFID, and they immediately notified Assa Abloy of the finding. Throughout the past year, both companies worked to develop a solution to these vulnerabilities, so they have already managed to patch the central server software. However, hotels are responsible for applying this patch in their systems to prevent unauthorized access, in addition, they must update the firmware of each electronic lock if they do not want to remain vulnerable to this type of attack.

For more stuff visit our site techverses.com and discover what you want.

Leave a Comment

Scroll to Top