A red team has created a master key to hack into millions of hotel rooms

If you see the VingCard logo on your room key, that's the system in question.

Two Finnish security researchers from IT firm F-Secure, challenged by a 2003 incident where a colleague’s laptop was stolen and the hotel claimed no responsibility, have created a master key that will work for any room in millions of hotels around the world. They’ve been working on it on-and-off for over 10 years, and now it's been successfully tested. 


They can create a master key “basically out of thin air,” said Tomi Tuominen and Timo Hirvonen, the security researchers from F-Secure.


Using expired key cards, even old ones lying around, they can create a master key that will get into every room in the hotel.

They stress that it’s not happening in the wild—at least, not yet.

"Developing [the] attack took considerable amount of time and effort," said Tuominen and Hirvonen, in an email to ZDNet. The attack is named, eerily enough, 'Ghost in the Locks', and works primarily on VingCard locks. 

"We built [an] RFID demo environment in 2015 and were able to create our first master key for a real hotel in March 2017. If somebody was to do this full time, it would probably take considerably less time."

However, they stated, "We don't know of anyone else performing this particular attack in the wild right now."

Their discovery also prompted Swedish lock maker Assa Abloy, which makes the VingCard key systems, to release a security patch to fix the flaws. Hotel chains that have used Abloy’s lock systems over the years include Intercontinental, Hyatt, Radisson, and Sheraton.

The software on some of the locks has been patched—that is, fixed—at the central server, but the firmware on each individual lock needs to be updated as well—something that will take time to deploy, if the companies involved decide to do so. 

What can you do?

The researchers made clear that these keys are not available “in the wild” yet, but they’re likely coming. So what are wary travelers to do?

Here’s a solution while you are inside the room to keep your door secure. 

There are some others out there, as well—some lower-tech and therefore easier to deploy.

Here's Kathleen Fischer on car hacking:
