Hacked Hotel Keys - Current and Historical
According to the release, someone stole a laptop belonging to an F-Secure employee from a locked hotel room many years ago. Since there were no signs of physically forced entry, the hotel declined to investigate the matter. From a security researcher’s perspective, unauthorized entry into a locked hotel room immediately implies that the lock might have been circumvented.
After a large investigation was undertaken by F-Secure researchers, they were able to identify several interacting vulnerabilities within the lock that ultimately allowed them to bypass its security. The details of the attack are publicly unknown and F-Secure states that it will not release them. The only factoid provided is that an access key card belonging to the same hotel is required for the attack. This indicates some sort of cryptographic key or fingerprint being stored on the cards.
Assa Abloy has worked with F-Secure to mitigate the vulnerability.
What does this mean?
There are many interesting aspects to this story. Let’s look at them one by one.
Both F-Secure and Assa Abloy acted reasonably and responsibly in this matter. While F-Secure’s step of not releasing attack details or tools to the public is friendlier than common in the information security research community, it is not unheard of. Informing the affected vendor upon the vulnerability’s discovery is standard practice. A quick and cooperative response from vendors to mitigate the issue and keep customers secure is becoming more and more common.
Overall, this incident is a great example of how vulnerability disclosure should work.
Since both F-Secure and Assa Abloy are known for high standards in their respective industries, this is not surprising.
Proof of Attack
As we have pointed out in previous briefings, proof of attack is a critical step in responding to an information security incident. The transactional nature of hotel room locks shines a spotlight on just how difficult this may be. If no vulnerability in a specific lock is publicly known, hotel staff and policy may - as in this case - refuse to investigate further even if something was obviously stolen from the victim’s perspective.
Few individuals will have the skills and resources to start their own investigations from that point. As more and more aspects of our everyday lives become influenced or controlled by technology, similar scenarios are likely to increase. We predict that at the same time, a desire to avoid such risks will slowly incentivize non-tech individuals to acquaint themselves with basic information security concepts. While this process is culturally important, it is also likely to take decades.
Hotel Lock Security has Advanced
The attack performed by F-Secure took thousands of hours of research and a key belonging to the hotel to extract some sort of information. In contrast, only around decade ago much weaker locks were standard. Magnet stripe hotel keys often relied on the relative inaccessibility of the magnetic data as their sole line of defense. Since most private citizens don’t have the ability to read and write magnetic stripe cards, the security of the underlying mechanism is assumed to not matter. Appropriate readers however are surprisingly cheap. Even a fully decked device doesn’t break $500, thus putting it well within the reach of criminals.
The vast majority of hotel lock systems 10 years ago - and some to this day - merely stored the room number, some random data and a sequence number on the cards.
If the room number matched and the checkout date hadn’t yet passed, the lock would check if the random data matched that stored on the device and open the door. The sequence number was used to replace keys in case of loss. Hotel staff could issue new key cards with a higher sequence number and new random data. If a new card was inserted, the lock would overwrite the old random data and invalidate the lost key.
While this process is brilliant in its simplicity, it also means that attackers could simply write keys with a desired room number and a very high sequence number to invalidate the real keys and gain access to arbitrary rooms.
The fact that attacks now take thousands of hours in preparation and much more specialized hardware is a sign that information security has taken leaps forward in the past decade.