Hacking the hotel room key system can create a master key that can unlock all rooms

In many hotels electronic lock using card key is adopted as door key. However, the electronic lock is definitely a target of hacking because it is a digitally controlled terminal, and it is definitely true that the fact that "you can hack the hotel key of the world's largest electronic key maker" is announced by security experts It has been.

F-Secure Press Room | Global
https://press.f-secure.com/2018/04/25/f-secure-researchers-master-keys-to-hotels-can-be-created-out-of-thin-air/

F-Secure, a security consulting firm, revealed that the electronic locking system made by Assa Abloy, which is adopted in hotel chains around the world, is vulnerable and can be hacked. The successful unlocking is a card key that adopts the hotel lock management system called Vision, and it is possible to create a "master key" that can unlock any card key by striking a vulnerability in Vision Thing.


The fact that F - Secure was interested in the security aspect of the hotel room key is that theft of the company 's engineers triggered theft. A technician was stolen from a room by a hotel he stayed in to stay in a security conference, but the hotel side said, "The trace that the lock was released can not be confirmed on the system," the theft He seems to have dismissed the complaint of the damage. A technician succeeded in hunting Assa Abloy's Vision system by finding out a security hole for thousands of hours with the theme of "Can I unlock the room key that used the electronic key without leaving traces?" He said that he did.


F-Secure has already informed Assa Abloy of the security risk that lock will be unlocked by illegally creating a master key, and the vulnerability found has been addressed by system update. However, the vulnerability lurking in the hotel's electronic key management system is not limited to the one discovered this time, and it is not possible to deny the possibility that the electronic key is actually hacked. "It is important to ensure security from the design stage strictly, including not only the software aspects that can fix the security holes but also the hardware aspects that are difficult to correct afterwards," F-Securea says.

In addition, F - Secure has released a demonstration movie that invades the hotel database. For systems that transition from analog control to digital control, it seems that you should always assume the risk of cyber attack.

Hacking a Hotel Database - YouTube