Security company finds method to find out master key for hotel locks
Security firm F-Secure has found a way to open hotel locks from VingCard Vision. The researchers have been working on the exploit for years. They don’t disclose details to prevent break-ins.
Parent company Assa Abloy has released a patch for VingCard Vision that hotels must implement to protect themselves from the attack, F-Secure said. Hotels with the newer Visionline system are not vulnerable, Wired reports. It is unknown how many hotels are now vulnerable. It would be at least 500,000 hotel locks, but the number can also run into the millions. The key system is in use worldwide.
The attack works with a Proxmark and software made by F-Secure. With reverse engineering, the researchers have found a method to limit the number of possible master keys if they have a card that was once used at a hotel. The Proxmark can then try to try the master key at a door with a lock in the hotel. This usually succeeds within twenty attempts.
In addition, it turned out to be possible to read out the database of current guests with a bug in the software for Vision locks. It also turned out to be possible to add guests, edit data and delete data.
F-Secure has been working on finding the exploit since 2003, after an employee’s laptop mysteriously disappeared from a hotel room. The security firm notified Assa Abloy of the leak a year ago.