Hackers Created Master Hotel Room Key Cards ‘Out of Thin Air’

Apr 27, 2018

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

Cyber security researchers discovered that hackers could create a “master key” to any hotel room with an electronic lock in a study published Wednesday.

Finnish cyber security consultants discovered the problem last year and reported it to Assa Abloy, the lock manufacturer that creates many electronic hotel lock systems. Tomi Tuominen and Timo Hirvonen worked with the company to fix the problem and deployed a software update in February. The lock system, called Vision by VingCard, is used in more than 42,000 properties in 166 countries.

“We found out that by using any key card to a hotel … you can create a master key that can enter any room in the hotel. It doesn’t even have to be a valid card, it can be an expired one,” Hirvonen told Reuters.

Some hotels have updated their systems and it could take a couple more weeks before every property has, according to Assa Abloy. The researchers aren’t publishing the method of the fix so they aren’t worried about any new security concerns.

“I highly encourage the hotels to install those software fixes,” Hirvonen said. “But I think there is no immediate threat, since being able to develop this attack is going to take some time.”

ZDNet reports that a hotel’s central server needs to be updated with the patch, but each individual lock needs to be updated, too — and that requires “someone to be physically present at the lock.”

Data can be stolen off any card (whether or not it’s expired) wirelessly or through a magnetic strip. Hackers can then identify what property the key is associated with and produce an access token that can unlock any room in the building(s).

“The process mistake allowed us to exploit that vulnerability to actually get were we are… meaning [we were] able to create a master key out of thin air,” Tuominen said.

ZDNet said properties like the Waldorf Astoria in Berlin, the Grand Hyatt in San Francisco, and the Renaissance Downtown in Toronto have the locks in question. Reuters reports that Assa Abloy estimates that the system is “still being used in several hundred thousand hotel rooms worldwide.”

“I wouldn’t be surprised if other electronic lock systems have similar vulnerabilities,” Hirvonen said. “You cannot really know how secure the system is unless someone has really tried to break it.”

The pair began trying to figure out hotel lock’s vulnerabilities after a colleague’s laptop was stolen from a hotel room in 2003. It wasn’t until 2015 that they created a demo environment, and in 2017 they were actually able to create a master key that worked.

Hilton provided this statement to TPG:

Hilton is aware of the vulnerabilities identified in some Ving Vision key server control systems. The safety and security of our guests are of paramount importance. We are working closely with Ving to remediate impacted systems at a limited number of hotels.

We reached out to Assa Abloy, Hyatt and Marriott for comment but have not heard back from any by time of publication.

H/T: Reuters

This story was updated with a statement from Hilton.

Chase Sapphire Preferred® Card

WELCOME OFFER: 80,000 Points

TPG'S BONUS VALUATION*: $1,650

CARD HIGHLIGHTS: 2X points on all travel and dining, points transferrable to over a dozen travel partners

*Bonus value is an estimated value calculated by TPG and not the card issuer. View our latest valuations here.

Apply Now
More Things to Know
  • Earn 80,000 bonus points after you spend $4,000 on purchases in the first 3 months from account opening. That's $1,000 when you redeem through Chase Ultimate Rewards®. Plus earn up to $50 in statement credits towards grocery store purchases within your first year of account opening.
  • Earn 2X points on dining including eligible delivery services, takeout and dining out and travel. Plus, earn 1 point per dollar spent on all other purchases.
  • Get 25% more value when you redeem for airfare, hotels, car rentals and cruises through Chase Ultimate Rewards®. For example, 80,000 points are worth $1,000 toward travel.
  • With Pay Yourself Back℠, your points are worth 25% more during the current offer when you redeem them for statement credits against existing purchases in select, rotating categories.
  • Get unlimited deliveries with a $0 delivery fee and reduced service fees on eligible orders over $12 for a minimum of one year with DashPass, DoorDash's subscription service. Activate by 12/31/21.
  • Count on Trip Cancellation/Interruption Insurance, Auto Rental Collision Damage Waiver, Lost Luggage Insurance and more.
  • Get up to $60 back on an eligible Peloton Digital or All-Access Membership through 12/31/2021, and get full access to their workout library through the Peloton app, including cardio, running, strength, yoga, and more. Take classes using a phone, tablet, or TV. No fitness equipment is required.
Regular APR
15.99%-22.99% Variable
Annual Fee
$95
Balance Transfer Fee
Either $5 or 5% of the amount of each transfer, whichever is greater.
Recommended Credit
Excellent/Good

Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.