Skip to main content

HACKERS HAVE BUILD A MASTER KEY, THAT UNLOCKS MILLIONS OF DOORS. If you often leave your valuable and expensive stuff like laptop and passports in the hotel rooms, then beware. Your room can be unlocked by not only a malicious staff having access to the master key, but also by an outsider. A critical design vulnerability in a popular and widely used electronic lock system can be exploited to unlock every locked room in a facility, leaving millions of hotel rooms around the world vulnerable to hackers. The vulnerability has been discovered in Vision by VingCard locking system—made by the world's largest lock manufacturer, Assa Abloy, and deployed in more than 42,000 facilities in 166 different countries, which equals to millions of doors. After thousands of hours work, F-Secure researchers Tomi Tuominen and Timo Hirvonen managed to build a master key that could be used to unlock doors and gain entry to any of the hotel rooms using the Vision by VingCard digital lock technology, without leaving a trace on the system. How Hackers Built a 'Master Key'! To create a master key to access a room secured by the Vision system, the first requirement is to get hold of an electronic keycard—any existing, old or expired electronic keycard to any room in the target facility would get the job done. To obtain the electronic key (RFID or magstripe), an attacker could read the data remotely by standing close to a hotel guest or employee having a keycard in his pocket, or simply could book a room and then use that card as the source. The attacker would then need to buy a portable programmer for a few hundred dollars online to overwrite it, and therefore creating a master key within minutes. However, F-Secure says it used its custom software which made this particular hack possible, and for obvious reason, the researchers will not be releasing it. The custom-tailored device (actually an RFID reader/writer) is then held close to the target lock, which tries different keys in less than one minute and locates the master key and unlocks the door. Now, you can either use this custom-tailored device as the master key to open any door in the facility or write the master key back to your keycard. Once done, you can now access any room in the hotel using the master key. "You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air," said Tuominen in a blog postpublished Wednesday. "We don't know of anyone else performing this particular attack in the wild right now." Researchers have also provided a video demonstration, which shows the hack in action. Researchers reported their findings to Assa Abloy in April 2017, and for the last year, the two have worked together to develop a solution, which included effective randomization of the whole keyspace. Assa Abloy released software fixes for its systems in February 2018, and the updates have been made available to the affected facilities. "I would like to personally thank the Assa Abloy R&D team for their excellent cooperation in rectifying these issues," Tuominen said. "Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible." F-Secure has not yet released full technical details of the hack. Also, there's no evidence that the hack has ever been exploited in the wild, but cyber attacks against hotels are not at all surprising. About a year ago, we saw how hackers forced a luxurious hotel in Austria to pay ransom in Bitcoin, after ransomware hit the hotel's IT system, locking hundreds of guests out of their rooms.

HACKERS HAVE BUILD A MASTER KEY, THAT UNLOCKS MILLIONS OF DOORS.          


If you often leave your valuable and expensive stuff like laptop and passports in the hotel rooms, then beware. Your room can be unlocked by not only a malicious staff having access to the master key, but also by an outsider.

A critical design vulnerability in a popular and widely used electronic lock system can be exploited to unlock every locked room in a facility, leaving millions of hotel rooms around the world vulnerable to hackers.

The vulnerability has been discovered in Vision by VingCard locking system—made by the world's largest lock manufacturer, Assa Abloy, and deployed in more than 42,000 facilities in 166 different countries, which equals to millions of doors.

After thousands of hours work, F-Secure researchers Tomi Tuominen and Timo Hirvonen managed to build a master key that could be used to unlock doors and gain entry to any of the hotel rooms using the Vision by VingCard digital lock technology, without leaving a trace on the system.

How Hackers Built a 'Master Key'!

To create a master key to access a room secured by the Vision system, the first requirement is to get hold of an electronic keycard—any existing, old or expired electronic keycard to any room in the target facility would get the job done.

To obtain the electronic key (RFID or magstripe), an attacker could read the data remotely by standing close to a hotel guest or employee having a keycard in his pocket, or simply could book a room and then use that card as the source.

The attacker would then need to buy a portable programmer for a few hundred dollars online to overwrite it, and therefore creating a master key within minutes.

However, F-Secure says it used its custom software which made this particular hack possible, and for obvious reason, the researchers will not be releasing it.

The custom-tailored device (actually an RFID reader/writer) is then held close to the target lock, which tries different keys in less than one minute and locates the master key and unlocks the door.

Now, you can either use this custom-tailored device as the master key to open any door in the facility or write the master key back to your keycard. Once done, you can now access any room in the hotel using the master key.

"You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air," said Tuominen in a blog postpublished Wednesday. "We don't know of anyone else performing this particular attack in the wild right now."


Researchers have also provided a video demonstration, which shows the hack in action.

Researchers reported their findings to Assa Abloy in April 2017, and for the last year, the two have worked together to develop a solution, which included effective randomization of the whole keyspace.

Assa Abloy released software fixes for its systems in February 2018, and the updates have been made available to the affected facilities.

"I would like to personally thank the Assa Abloy R&D team for their excellent cooperation in rectifying these issues," Tuominen said. "Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible."


F-Secure has not yet released full technical details of the hack. Also, there's no evidence that the hack has ever been exploited in the wild, but cyber attacks against hotels are not at all surprising.

About a year ago, we saw how hackers forced a luxurious hotel in Austria to pay ransom in Bitcoin, after ransomware hit the hotel's IT system, locking hundreds of guests out of their rooms.

Comments

Popular posts from this blog

We Bring You Brief Series of Sanctions Against Uganda Government Officials.

📸: Gen Abel Kandiho. On 9-December-2021, USA slapped sanctions against the then CMI Commander Gen Abel Kandiho. 📸: Gen Kale Kayihura. On 9-December-2022, UK slapped sanctions against former Police Boss Gen Kale Kayihura. 📸: Commissioner General of Prisons, Johnson Byabashaija. Again on this 4-December-2023, the same USA has slapped sanctions against Uganda Prisons Commander Johnson Byabashaija over alleged torture and human rights abuses in Prisons across Uganda. We ask, has USA and UK made December as an LCM to slap sanctions against high ranking government officials in Uganda even when the sanctions just remain on paper without deeper investigations to ascertain logical conclusions or remedy to that effect ?. #iip_updates  #Information_is_Power  #we_inform_the_uninformed

How to Host a Website for Free From Your PC or Laptop.

Why pay for a web hosting service when your old computer can do the same thing? Learn how to self-host your site. If you're planning to launch a website but don't want to pay recurring monthly or annual hosting fees, you can use any old laptop or desktop PC to host a website for free. It's a great way to utilize your old system instead of throwing it away. In this guide, we will install and set up services on our 10-year-old laptop to host a WordPress, Joomla, or custom HTML or PHP-based website with a free SSL certificate. MAKEUSEOF VIDEO OF THE DAY Things You Will Need to Host a Website Following are the pre-requisites to host a website for free from home with just your computer: An old laptop or PC running Ubuntu Server. A registered domain name for your website Ethernet cable to connect the laptop or PC to router for reliable and fast connection Step 1: Update and Upgrade the Packages After  installing Ubuntu Server on your computer , execute the following c...

WHERE IS MINISTER OF SEX SIMON LOKODO?. (He deserves a battle of soda from me! Ministe`r esalanga mabee. He is quick to run after Mrs Dr Stella Nyanzi and other Opposition elements. Government aza aza edo zuu vaa kpere bua). Anyway, below is the article! POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit'  Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos. Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.

POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit' Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says  Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos . Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.