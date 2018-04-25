Then, something bad happened: a colleague had their laptop computer stolen from a hotel room.
There were no signs of forced entry, and the staff were unable to find out what had happened. The victim was a well-known information security researcher, which gave them cause to suspect that the thief knew what they were doing.
How the burglary actually happened remained a mystery.
Since then, Tuominen and Hirvonen have been researching hotel room locking systems as a side project. To be more precise, they were interested in one of them: Assa Abloy Vision by Vingcard, which was used in the Berlin hotel.
The system is in use around the world.
A year ago, they solved the mystery.
Following an extensive multi-stage analysis, Tuominen and Hirvonen managed to create a device that can copy any key card and turn into a hotel master key.
Such a card could have been used in the burglary in Berlin.
However, the discovery was much more significant than solving their old burglary mystery. Every hotel and building using this key technology was also exposed to this risk.
According to the two men, this means millions of doors – including a large portion of the hotel doors in Finland.
At the core of the invention by Tuominen and Hirvonen lies a regular programmable reader, the Proxmark3, which anyone can order online. The device supports RFID keys, that is, access cards and badges that can be read at close range. NFC technology, which banks use for contactless payments, is more advanced than its predecessor RFID.
Making a master key only requires three steps:
1. A key for the hotel or property is copied to the device. The key is no longer required past this point.
2. The device is taken near a lock within the same building. The device suggests different key options for the lock, and once the master key is found, the lock will blink green.
3. The device now works as a master key for the entire hotel or property. If you wanted, you could even copy the master key onto any new card of your choice.
Tuominen and Hirvonen, who work at F-Secure, immediately warned the Assa Abloy company.
This is standard practice for information security researchers: The company affected by the vulnerability is given time to prepare as well as assistance in remedying the problem.
Solving the issue might have required replacing all of the hotel locks.
However, Timo Hirvonen came up with a way to patch the vulnerability without replacing every lock.
“Nevertheless, the repair requires visiting each door, as the software installed for every lock must be updated. You also need to update the software used for creating the keys”, Hirvonen explains.
A website was also created where hotel owners could register and receive information on the vulnerability.
On Friday, Hirvonen and Tuominen will talk about their findings at an information security conference in the United States. The plan was to disclose the information much earlier, but it was postponed in order to provide hotels with enough time to update their locks.
The updates have been available since January.
“In the end, it is up to the hotels to have the updates done”, Hirvonen says.
It is impossible to verify whether all of the affected locks have now been updated.
This is why Hirvonen and Tuominen will not disclose in detail how they built the key reader device.
But how did they find the vulnerability?
It was far from easy, they concur.
“We had to do a lot of technical tricks while also bearing in mind the overall picture. If you look at our findings on paper, creating a master key should not be possible”, Timo Hirvonen says.
Tomi Tuominen continues:
“We could not believe our eyes when our master key opened the first lock.”
Tuominen reminds us that there are easier ways to break into a hotel room.
“This is not the method career criminals use to break into hotel rooms”, Tuominen says.
A metal tool will suffice – and that is why security professionals wrap a towel around the inside door handle in their hotel rooms. This prevents the most classical form of burglary. You can see how it could be done herehttps://www.youtube.com/watch?v=WAkJRpKeyYg.
If a master key has been created by exploiting the vulnerability discovered by Tuominen and Hirvonen, there is no way to protect yourself against burglary.
However, they are unwilling to speculate regarding how widespread the technique may be.
Christophe Suthttps://www.hs.fi/haku/?query=christophe+sut, Executive Vice President for Assa Abloy who manages the hospitality business, tells us that he first heard of the exploit approximately one year ago in April.
“We immediately flew to Finland to see what this was about. We have now stressed to our clients that they need to perform the required system updates”, Sut told Helsingin Sanomat in a telephone interview.
He wants to emphasise that hotels are constantly updating their locks and that the discovered vulnerability does not apply to the latest lock system.
He estimates that the old system is only used in a maximum of one million doors. The only way lock manufacturers can prepare for the future is to make their products even more complex.
“Continued product development is important, since security solutions are never everlasting”, Sut says.
