A red team has created a master key to hack into millions of hotel rooms

If you see the VingCard logo on your room key, that's the system in question.

Two Finnish security researchers from IT firm F-Secure, challenged by a 2003 incident where a colleague’s laptop was stolen and the hotel claimed no responsibility, have created a master key that will work for any room in millions of hotels around the world. They’ve been working on it on-and-off for over 10 years, and now it's been successfully tested. 


They can create a master key “basically out of thin air,” said Tomi Tuominen and Timo Hirvonen, the security researchers from F-Secure.


Using expired key cards, even old ones lying around, they can create a master key that will get into every room in the hotel.

They stress that it’s not happening in the wild—at least, not yet.

"Developing [the] attack took considerable amount of time and effort," said Tuominen and Hirvonen, in an email to ZDNet. The attack is named, eerily enough, 'Ghost in the Locks', and works primarily on VingCard locks. 

"We built [an] RFID demo environment in 2015 and were able to create our first master key for a real hotel in March 2017. If somebody was to do this full time, it would probably take considerably less time."

However, they also stated, "We don't know of anyone else performing this particular attack in the wild right now."

Their discovery also prompted Swedish lock maker Assa Abloy, which makes the VingCard key systems, to release a security patch to fix the flaws. Hotel chains that have used Abloy’s lock systems over the years include Intercontinental, Hyatt, Radisson, and Sheraton.

The software on some of the locks has been patched—that is, fixed—at the central server, but the firmware on each individual lock needs to be updated as well—something that will take time to deploy, if the companies involved decide to do so. 

What can you do?

The researchers made clear that these keys are not available “in the wild” yet, but they’re likely coming. So what are wary travelers to do?

Here’s a solution while you are inside the room to keep your door secure. 

There are some others out there, as well—some lower-tech and therefore easier to deploy.
