Hackers Created Master Hotel Room Key Cards ‘Out of Thin Air’
In a study published Wednesday, cyber security researchers showed that hackers could create a “master key” to any hotel room with an electronic lock.
Finnish cyber security consultants discovered the problem last year and reported it to Assa Abloy, the lock manufacturer that creates many electronic hotel lock systems. Tomi Tuominen and Timo Hirvonen worked with the company to fix the problem and deployed a software update in February. The lock system, called Vision by VingCard, is used in more than 42,000 properties in 166 countries.
“We found out that by using any key card to a hotel … you can create a master key that can enter any room in the hotel. It doesn’t even have to be a valid card, it can be an expired one,” Hirvonen told Reuters.
Some hotels have updated their systems, and it could take a couple more weeks before every property has done so, according to Assa Abloy. The researchers aren’t publishing the method of the fix so they aren’t worried about any new security concerns.
“I highly encourage the hotels to install those software fixes,” Hirvonen said. “But I think there is no immediate threat, since being able to develop this attack is going to take some time.”
ZDNet reports that a hotel’s central server needs to be updated with the patch, but each individual lock needs to be updated, too — and that requires “someone to be physically present at the lock.”
Data can be stolen off any card (whether or not it’s expired) wirelessly or through a magnetic strip. Hackers can then identify what property the key is associated with and produce an access token that can unlock any room in the building(s).
“The process mistake allowed us to exploit that vulnerability to actually get where we are… meaning [we were] able to create a master key out of thin air,” Tuominen said.
ZDNet said properties like the Waldorf Astoria in Berlin, the Grand Hyatt in San Francisco, and the Renaissance Downtown in Toronto have the locks in question. Reuters reports that Assa Abloy estimates that the system is “still being used in several hundred thousand hotel rooms worldwide.”
“I wouldn’t be surprised if other electronic lock systems have similar vulnerabilities,” Hirvonen said. “You cannot really know how secure the system is unless someone has really tried to break it.”
The pair began trying to figure out hotel locks’ vulnerabilities after a colleague’s laptop was stolen from a hotel room in 2003. It wasn’t until 2015 that they created a demo environment, and in 2017 they were actually able to create a master key that worked.
Hilton provided this statement to TPG:
Hilton is aware of the vulnerabilities identified in some Ving Vision key server control systems. The safety and security of our guests are of paramount importance. We are working closely with Ving to remediate impacted systems at a limited number of hotels.
We reached out to Assa Abloy, Hyatt and Marriott for comment but have not heard back from any by the time of publication.
This story was updated with a statement from Hilton.