Counterfeit hotel keys, how hackers could get in anywhere

According to F-Secure research, millions of electronic cards used in hotels could be tampered with by a hacker to gain entry to our rooms.

The chip-based electronic card lock system currently in use in most hotels is easily duplicated by a hacker. In practice, this flaw allows any malicious person to open any door.

The electronic locking system, known as Vision by VingCard and built by Swedish lock manufacturer Assa Abloy, is used in more than 42,000 properties in 166 different countries, totaling millions of hotel rooms, as well as garages, second homes and warehouses. These are temporary locking keys: once guests leave the room, hoteliers can erase the key card and reset it for the new vacationers who will occupy the same property. For years, they have been considered the safest and most convenient method of hotel security. But research carried out by cyber security company F-Secure has shown that this is not the case.

How hackers can exploit electronic cards

According to F-Secure's researchers, every electronic card, even if expired or demagnetized, retains a minimal amount of data that can be easily recovered by a hacker. Using a PC and wireless radio frequency identification (RFID) or a magnetic stripe, an attacker can recover the initial information on an old hotel electronic card. This way the hacker traces the card back to the hotel where the key is used and can reset it to gain access to every room and area of the hotel.

Will hackers really use this system?

If you're already worried about your next trip, it's not time to panic just yet. F-Secure's research started in 2003, and it wasn't until 2015 that the group's cyber security experts managed to reproduce a master key that could access several rooms without the hotel's permission. So a group of hackers would need a lot of time to design their own system for stealing the data inside the master keys. In addition, manufacturer Assa Abloy, informed of the research by F-Secure, fixed the vulnerabilities that allowed tampering with the keys in late 2017. The problem, however, is that not all hotels are aware of these security issues, and many hoteliers have not applied to receive the new electronic keys in a timely manner. If we don't want to run into theft or mishaps in our room, F-Secure recommends asking the hotel before booking whether it uses a risky key system and whether it has changed its electronic keys as a result of Assa Abloy's updates in 2017.