Two Finnish security researchers from IT firm F-Secure, challenged by a 2003 incident where a colleague’s laptop was stolen and the hotel claimed no responsibility, have created a master key that will work for any room in millions of hotels around the world. They’ve been working on it on-and-off for over 10 years, and now it's been successfully tested.
They can create a master key “basically out of thin air,” said Tomi Tuominen and Timo Hirvonen, the security researchers from F-Secure.
Image from F-Secure.
Using expired key cards, even old ones lying around, they can create a master key that will get into every room in the hotel.
They stress that it’s not happening in the wild—at least, not yet.
"Developing [the] attack took considerable amount of time and effort," said Tuominen and Hirvonen, in an email to ZDNet. The attack is named, eerily enough, 'Ghost in the Locks', and works primarily on VingCard locks.
"We built [an] RFID demo environment in 2015 and were able to create our first master key for a real hotel in March 2017. If somebody was to do this full time, it would probably take considerably less time.”
However, they all stated, ”We don't know of anyone else performing this particular attack in the wild right now.”
Their discovery also prompted Swedish lock maker Assa Abloy, which is the maker for the VingCard key systems, to release a security patch to fix the flaws. Some of the hotel chains who have used Abloy’s lock systems over the years are Intercontinental, Hyatt, Radisson, and Sheraton.
The software on some of the locks has been patched—that is, fixed—at the central server, but the firmware on each individual lock needs to be updated as well—something that will take time to deploy, if the companies involved decide to do so.
What can you do?
The researchers made clear that these keys are not available “in the wild” yet, but they’re likely coming. So what are wary travelers to do?
Here’s a solution while you are inside the room to keep your door secure.
There are some others out there, as well—some lower-tech and therefore easier to deploy.
Here's Kathleen Fischer on car hacking: