26 Apr 2018

'Ghost in the Locks' exploit: Hotel rooms vulnerable to hack

12:13 pm on 26 April 2018

Millions of electronic door locks fitted to hotel rooms worldwide have been found to be vulnerable to a hack.

Photo: 123RF

Researchers found flaws in the equipment's software which meant they could create "master keys" that opened the rooms without leaving an activity log.

The F-Secure team said it had worked with the lockmaking company Assa Abloy over the past year to create a fix.

The Swedish manufacturer played down the risk to those hotels that had yet to install an update, however.

"Vision Software is a 20-year-old product, which has been compromised after 12 years and thousands of hours of intensive work by two employees at F-Secure," a spokeswoman for the company said.

"These old locks represent only a small fraction [of those in use] and are being rapidly replaced with new technology."

She said hotels had begun deploying the fix two months ago.

"Digital devices and software of all kinds are vulnerable to hacking. However, it would take a big team of skilled specialists years to try to repeat this."

Assa Abloy's locks are used by some of the world's biggest hotel chains - including Intercontinental, Hyatt, Radisson and Sheraton. It has not disclosed which properties still use a compromised version of the Vision by VingCard system.

The F-Secure researchers said they began their inquiry after a colleague's laptop was stolen from a hotel room without the thief leaving behind any sign of unauthorised access.

"We wanted to find out if it's possible to bypass the electronic lock without leaving a trace," explained Timo Hirvonen, describing the Ghost In The Locks exploit.

"Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings [and] come up with a method for creating master keys."

He added that data scanned from any discarded VingCard could be used to mount the attack, even if the card's access privileges had long expired or had been used to open a garage or other parts of the targeted hotel rather than a bedroom.

The hack could also be applied to access other areas of a hotel - including sending a lift to a VIP floor of a property - if it was protected by the same system.

F-Secure confirmed it would not be sharing the hardware and software tools it used to demonstrate its attack with others.
