A One-Minute Attack Let Hackers Spoof Hotel Master Keys

Credit to Author: Andy Greenberg| Date: Wed, 25 Apr 2018 12:00:00 +0000

In 2003, Finnish security researcher Tomi Tuominen was attending a security conference in Berlin when a friend's laptop, containing sensitive data, was stolen from his hotel room. The theft was a mystery: The staff of the upscale Alexanderplatz Radisson had no clues to offer, the door showed no signs of forced entry, and the electronic log of the door's keycard lock—a common RFID card reader sold by Vingcard—had recorded no entries other than the hotel staff.

The disappearing laptop was never explained. But Tuominen and his colleague at F-Secure, Timo Hirvonen, couldn't let go of the possibility that Vingcard's locks contained a vulnerability that would let someone slip past a hotel room's electronically secured bolt. And they'd spend roughly the next decade and a half proving it.

At the Infiltrate conference in Miami later this week, Tuominen and Hirvonen plan to present a technique they've found to not simply clone the keycard RFID codes used by Vingcard's Vision locks, but to create a master key that can open any room in a hotel.

With a $300 Proxmark RFID card reading and writing tool, any expired keycard pulled from the trash of a target hotel, and a set of cryptographic tricks developed over close to 15 years of on-and-off analysis of the codes Vingcard electronically writes to its keycards, they found a method to vastly narrow down a hotel's possible master key code. They can use that handheld Proxmark device to cycle through all the remaining possible codes on any lock at the hotel, identify the correct one in about 20 tries, and then write that master code to a card that gives the hacker free reign to roam any room in the building. The whole process takes about a minute.

"Basically it blinks red a few times, and then it blinks green," says Tuominen. "Then we have a master key for the whole facility."

'There's a good chance that not all the hotels have fixed this.'

Tomi Tuominen, F-Secure

The two researchers say that their attack works only on Vingcard's previous-generation Vision locks, not the company's newer Visionline product. But they estimate that it nonetheless affects 140,000 hotels in more than 160 countries around the world; the researchers say that Vingcard's Swedish parent company, Assa Abloy, admitted to them that the problem affects millions of locks in total. When WIRED reached out to Assa Abloy, however, the company put the total number of vulnerable locks somewhat lower, between 500,000 and a million. They note, though, that the total number is tough to measure, since they can't closely track how many of the older locks have been replaced. Tuominen and Hirvonen say that they've collected more than a thousand hotel keycards from their friends over the last 10 years, and found that roughly 30 percent were Vingcard Vision locks that would have been vulnerable to their attack.

Tuominen and Hirvonen quietly alerted Assa Abloy to their findings a year ago, and the company responded in February with a software security update that has since been available on its website. But since Vingcard's locks don't have internet connections, that software has to be installed manually by a technician, lock by lock. "There's a good chance that not all the hotels have fixed this," Tuominen says.

The researchers demonstrate their attack in this video, where they show they can use their Proxmark tool to access restricted floors on a hotel elevator.

In a phone call with WIRED, Assa Abloy's hospitality business unit head Christophe Sut downplayed the risk to hotel guests, and noted that F-Secure's researchers needed years of reverse-engineering work and expertise to develop their lock-hacking technique. But he urged hotels who use the Vingcard Vision locks to install the upgrade. "This is the new normal. If you have software you need to upgrade it all the time," Sut says. "We upgrade our phones and computers. We need to upgrade locks as well."

Tuominen and Hirvonen say they're not releasing all the details of the vulnerabilities in Vingcard's locks for fear of helping burglars or spies break into rooms. Six years ago, by contrast, a security researcher published the code necessary to exploit a glaring vulnerability in widely used Onity keycard locks on the web. That revelation led to a cross-country burglary spree that hit as many as a hundred hotel rooms.

But the two Finns say they spotted what they believed might be weaknesses in Vingcard's code system as soon as they examined it in 2003, at a time when the system used mag-stripe technology rather than touch-less radio frequency or RFID. Vingcard's system encodes a unique cryptographic key into each keycard—and another into every hotel's master keys—that are all designed to be unguessable. But by reading the magnetically encoded key values of keycards that had been used in the system and looking for patterns in those numbers, they began to narrow down the possible "key space" of possible codes.

Even so, the number of possible master key codes remained far too large to enable a practical break-in, requiring thousands upon thousands of tries."Even with those implementation mistakes, it looked like the key space would be too big," says Hirvonen. But he and Tuominen continued to puzzle over the system on-and-off for years, even after Vingcard switched its Vision locks to RFID, analyzing keycards they collected and reverse-engineering a copy of the Vingcard front-desk software they'd obtained.

++inset-left

Beyond creating a master key to open any door in a hotel, they could also spoof specific 'floor' and 'section' keys.

Finally, they say, they were tipped off to one final method of narrowing down the possible master key codes in Vingcard Vision locks by a clue on the company’s Assa Abloy University website for training hotel staff. Though they won’t elaborate further, the researchers note that the trick somehow involves a correlation between the location of a door in a hotel and its RFID enciphered code. The system means that beyond creating a master key to open any door in a hotel, they could also spoof specific "floor" and "section" keys that open only a subset of doors in a building—all the better to impersonate the sort of less-powerful keys that hotel housekeeping staff hold, for instance.

The F-Secure researchers admit they don’t know if their Vinguard attack has occurred in the real world. But the American firm LSI, which trains law enforcement agencies in bypassing locks, advertises Vingcard’s products among those it promises to teach students to unlock. And the F-Secure researchers point to a 2010 assassination of a Palestinian Hamas official in a Dubai hotel, widely believed to have been carried out by the Israeli intelligence agency Mossad. The assassins in that case seemingly used a vulnerability in Vingcard locks to enter their target’s room, albeit one that required re-programming the lock. "Most probably Mossad has a capability to do something like this," Tuominen says.

Given that Tuominen and Hirvonen have since worked with Assa Abloy to help fix that vulnerability, the real-world risk of those RFID-enabled intrusions may be smaller than ever. But for the coming months, as hotels get the message to upgrade their software, it never hurts to flip the door bolt, too.

https://www.wired.com/category/security/feed/