So, About Those Millions of Hotel Key Cards That Were (Are?) Vulnerable To Hacking…

by SharonKurheg

You may have never heard of them, but a company named Assa Abloy is a global provider of electronic key and hotel locking systems, to the tune of 400,000 buildings in roughly 166 countries. And in early 2017, two employees of F-Secure, an international cybersecurity firm, unfortunately discovered that due to a design flaw in the company’s older software, called Vision, the electronic locks of all those millions of hotel rooms worldwide were vulnerable to hackers.

Of course, people have been hacking electronic keys for years, sometimes successfully, sometimes not so much. But this case was different.

The hack designed by the two F-Secure employees was exceptional because instead of taking time to get go through all the possible codes to get the right one, this technique could get all the information it needed in just a minute or two. Plus they were able to clone anyone’s key – i.e. a manager’s, housekeeping’s, or a guest’s – to devise a master key card that could potentially open virtually anything in the hotel. And the cloning process could be done in as quickly as an elevator ride.

Oh, great.

But wait…there’s more!

hotel

Photo via F-Secure

The hotel’s software could also potentially be exploited within the same network to get access to sensitive customer data. So in the wrong hands, someone could download guest data or create, delete, and modify guest entries, as per F-Secure. By unplugging the network cable from a hotel front desk computer, the F-Secure employees discovered they were able to get complete access to the server – that’s where all the content relevant to the keys is kept, including personal assignments of each key.

Awesomesauce.

Fortunately, F-Secure is not a malicious company; they told Assa Abloy about the software flaw and worked closely with them for a year in order to develop a solution that couldn’t be easily bypassed.

In a statement, F-Secure thanked Assa Abloy for helping them work out a solution to the problem. “Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place,” said an F-Secure spokesman.

Unfortunately, since Vision doens’t update via the internet, it’s up to each individual hotel to install the patch. The firm is, of course, urging every hotel still using the older Vision system to deploy the patch to keep their guests, and their property, safe. Fingers crossed that the next time you stay in a hotel using this system, the patch has been installed!

Like this post? Please share it! We have plenty more just like it and would love if you decided to hang around and clicked the button on the top (if you’re on your computer) or the bottom (if you’re on your phone/tablet) of this page to follow our blog and get emailed notifications of when we post (it’s usually just two or three times a day). Or maybe you’d like to join our Facebook group, where we talk and ask questions about travel (including Disney parks), creative ways to earn frequent flyer miles and hotel points, how to save money on or for your trips, get access to travel  articles you may not see otherwise, etc. Whether you’ve read our posts before or this is the first time you’re stopping by, we’re really glad you’re here and hope you come back to visit again!

Leave a Comment