Open search

Electronic lock system

Software update secures hotel doors

Researchers from F-Secure (Finland) have hacked electronic lock systems. Market-leading lockmaker Assa Abloy issued software updates to fix the security flaw of the key cards.

The attackers developed a device that generates a master key from any key card (Photo: F-Secure)

F-Secure researchers found that electronic lock systems used in many hotels could be attacked by means of a device that generates from a key card a master key card. The design flaw was in the lock system’s software. Assa Abloy’s brand Vingcard has fixed the security issue by means of a software update. Millions of hotel room doors are affected.

CiA member Assa Abloy uses the CiA 416 CANopen application profile for communication of electronic door devices with doors. This communication is secured by a proprietary security protocol. The attackers used a design flaw in the card reader’s software not in the communication software. They did not need access to the bus-lines.

The researchers’ attack involves using any ordinary electronic key to the target facility – even one that’s long expired, discarded, or used to access spaces such as a garage or closet. Using information on the key, the researchers are able to create a master key with privileges to open any room in the building. The attack can be performed without being noticed.

Once the master key is generated any door can be opened (Photo: F-Secure)

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” said Tomi Tuominen, Practice Leader at F-Secure Cyber Security Services. “We don’t know of anyone else performing this particular attack in the wild right now.” The researchers’ interest in hacking hotel locks was sparked a decade ago when a colleague’s laptop was stolen from a hotel room during a security conference. When the researchers reported the theft, hotel staff dismissed their complaint given that there was not a single sign of forced entry, and no evidence of unauthorized access in the room entry logs. The researchers decided to investigate the issue further, and chose to target a brand of lock known for quality and security. These security oversights were not obvious holes. It took a thorough understanding of the whole system’s design to identify small flaws that, when combined, produced the attack. The research took several thousand hours and was done on an on-and-off basis, and involved considerable amounts of trial and error.

“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” said Timo Hirvonen, Senior Security Consultant at F-Secure. “Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”

F-Secure notified Assa Abloy of the findings and has collaborated with the lockmaker over the past year to implement software fixes. Updates have been made available to affected properties.

“I would like to personally thank the Assa Abloy R&D team for their excellent cooperation in rectifying these issues,” said Tuominen. “Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible.”