Skip to content
Technology & Innovation

A red team has created a master key to hack into millions of hotel rooms

If you see the VingCard logo on your room key, that's the system in question.
The hotel master key is a controlled test, but hackers could be on the same path if security isn't updated. (Image: Shutterstock/Big Think)

Two Finnish security researchers from IT firm F-Secure, challenged by a 2003 incident where a colleague’s laptop was stolen and the hotel claimed no responsibility, have created a master key that will work for any room in millions of hotels around the world. They’ve been working on it on-and-off for over 10 years, and now it’s been successfully tested. 


They can create a master key “basically out of thin air,” said Tomi Tuominen and Timo Hirvonen, the security researchers from F-Secure.

Image from F-Secure.

Using expired key cards, even old ones lying around, they can create a master key that will get into every room in the hotel.

They stress that it’s not happening in the wild—at least, not yet.

“Developing [the] attack took considerable amount of time and effort,” said Tuominen and Hirvonen, in an email to ZDNet. The attack is named, eerily enough, ‘Ghost in the Locks’, and works primarily on VingCard locks. 

“We built [an] RFID demo environment in 2015 and were able to create our first master key for a real hotel in March 2017. If somebody was to do this full time, it would probably take considerably less time.” 

Smarter faster: the Big Think newsletter
Subscribe for counterintuitive, surprising, and impactful stories delivered to your inbox every Thursday

However, they all stated, ”We don’t know of anyone else performing this particular attack in the wild right now.”

Their discovery also prompted Swedish lock maker Assa Abloy, which is the maker for the VingCard key systems, to release a security patch to fix the flaws. Some of the hotel chains who have used Abloy’s lock systems over the years are Intercontinental, Hyatt, Radisson, and Sheraton. 

The software on some of the locks has been patched—that is, fixed—at the central server, but the firmware on each individual lock needs to be updated as well—something that will take time to deploy, if the companies involved decide to do so. 

What can you do?

The researchers made clear that these keys are not available “in the wild” yet, but they’re likely coming. So what are wary travelers to do?

Here’s a solution while you are inside the room to keep your door secure. 

There are some others out there, as well—some lower-tech and therefore easier to deploy.

Here’s Kathleen Fischer on car hacking:


Related

Up Next