Hotel door locks could have been easily hacked by fake master keys

Hotel door locks can be compromised by simple tweaks to their in-built security software, according to research from one of the world's biggest cybersecurity firms.

A team from F-Secure found that a software system used in hotels around the world, including many well-known chains, can be hacked to possibly grant criminals entries to multiple rooms.

F-Secure's researchers studied card keys from a wide range of hotels, and found that using hardware costing only a few hundred euros, they could create a tool allowing them to create so-called "master keys" that could bypass the protection offered by Assa Abloy's door locks.

The card key did not even need to be one currently in use, the team said, with some as much as five years old still allowing access.

Open

The hardware kit used to clone keys involved scanning the RFID tag or mag stripe included in a card key, which is then copied by a small device which is then able to generate a huge number of extra keys in a matter of minutes

The researchers notified Assa Abloy of their findings in April 2017, and since then have been working with the company's R&D team to fix the flaws, with Assa Abloy recently issuing a software update to the affected hotels.

“Because of Assa Abloy’s diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place,” says Tomi Tuominen, practice leader at F-Secure Cyber Security Services. “We urge any establishment using this software to apply the update as soon as possible.”