Security researchers at F-Secure have discovered a flaw that could allow millions of hotel rooms around the world to be accessed by unauthorised parties, without leaving a trace.
A design flaw in the widely-used Vision by VingCard electronic lock software could have been exploited by intelligence agencies, thieves, and other criminals to gain access to rooms – and potentially any computers left inside.
How’s that possible?
It’s unusual today to check into a hotel room and to be given an old-fashioned physical key. It’s much more likely today that you will be given an electronic key card to gain access to a room via the RFID card reader used by its lock.
So the trick is to somehow clone the key card?
Cloning a key card requires physical access to the card for a period of time, and that’s a challenge that someone keen to enter a room might not be able to pull off easily. Similarly, generating a new key card at the front desk might arouse suspicions and may invalidate the key card carried by the legitimate occupant of the hotel room.
What researchers Tomi Tuominen and Timo Hirvonen managed to do was find a vulnerability that allowed them to generate a master key that can open any room in a hotel, without leaving a trace.
Was the flaw easy to find? Is it possible that other criminals or intelligence agencies have also exploited it?
The researchers worked on and off on the challenge for a long time, incorporating “several thousand hours of work,” after first becoming curious when a friend of Tuominen had his laptop stolen from his hotel room in 2003 while attending a security conference in Berlin.
Staff at the Alexanderplatz Radisson reportedly dismissed the issue at the time as there was no sign of forced entry or evidence of unauthorised access.
The fact that it took the researchers so long to find a way to unlock any room in a hotel, without leaving any evidence, proves that the flaw was not simple to uncover – but offers no guarantee that others, such as nefarious intelligence agencies, have not developed similar tools.
How likely is it that a thief or physical attacker would use a technique like this rather than just using brute force to achieve entry to the room?
Very low I expect. The threat is probably more from intelligence agencies who might have a vested interest in accessing a computer left in a hotel room, perhaps to steal information, or perhaps to plant a rootkit or spyware without the knowledge of the user.
An intelligence agency could achieve this through the well-known concept of an “evil maid”, and a hotel room master key would make such an attack considerably easier to pull off.
But is there any suggestion that intelligence agencies are in the habit of secretly accessing computers in hotel rooms?
Yes. For instance, according to Der Spiegel, Israel’s military intelligence agency Mossad is said to have planted a Trojan horse on the laptop of a senior Syrian government official when he left his computer in his hotel room during a visit to London in 2006.
Information was reportedly gathered from the laptop which resulted in an air-raid on a nuclear project in Syria’s eastern desert.
In another notorious case, Hamas military Commander Mahmoud al-Mabhouh was assassinated in his room at the Al-Bustan Rotana airport in Dubai, by a group of suspected Mossad agents, disguised as being on a tennis holiday. Mahmoud al-Mabhouh’s hotel room was protected with a VingCard lock.
Fascinating. So, is there a fix for the hotel room locks?
Don’t panic. The F-Secure researchers responsibly informed Assa Abloy, the world’s largest lock manufacturer and developers of Vision by VingCard, of the issue and over the last year the two companies have secretly collaborated to implement a fix for the vulnerable software, which has been made available to affected properties.
Tuominen praised the manufacturer for its response:
“Because of Assa Abloy’s diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible.”
As responsible researchers, Tuominen and Hirvonen will not be publishing full details of how the attack can be pulled off, or publishing their attack tools. They say they are unaware to date of any cases of the same attack being carried out in the wild.
Fingers crossed that the many vulnerable hotels around the world have rolled out the update, or will expedite applying the patch following the widespread publicity that has now resulted.
So it’s safe to leave my laptop in a hotel room now?
I still wouldn’t recommend leaving a laptop containing sensitive data out in the open, as hotel staff may have access to your room. Locking it in an in-room safe may provide a higher level of protection – but if you really want to feel confident about who has access to your laptop, maybe the best advice is to keep it close to your person and guard it well. If it’s impractical to bring your computer with you, you could check it in with the hotel concierge, but, like the safe, this is no guarantee that it will not be accessed and tampered with.
Of course, the usual advice applies about ensuring that your laptop utilises full disk encryption and is protected by a hard-to-crack, unique password. And if you are visiting a country where you are nervous about someone accessing sensitive data on your electronic devices, maybe consider taking burner devices with you instead and keeping the data you carry with you to a minimum.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.