Smart door is not spare nowadays as flaw in electronic hotel door locks from Assa Abloy could allow hackers to access guest rooms and other secure locations at millions of assets around the world, F-Secure one of the leading Cyber Security Solutions for home and business researchers have discovered.
Software patch were issued to fix the flaw in the smart locks, called “the Vision by VingCard,” after F-Secure notified and worked with Assa Abloy over the past year.
The researchers had constituted a way to make a master key using information from a key card for any room — including closets and garages, and even long-expired or discarded keys. The techniques would have allowed hackers to carry out an attack without being noticed.
Incident precedence
Historically, the precedence of incident took place in 2003 in which a colleague’s laptop was stolen during a security conference. The hotel staff reportedly had not taken the reported theft seriously, saying there were no signs of forced entry or unauthorized room access.
Over the years, the researchers spent thousands of hours on and off, investigating the incident. They eventually homed in on a lock known for having strong security and high quality.
“Only after we thoroughly understood how the system was designed were we able to identify seemingly innocuous shortcomings,” said Timo Hirvonen, senior security consultant for F-Secure. “We creatively combined these shortcomings to come up with a method of creating master keys.”
The vulnerability applies only to the Vision by VingCard product, Hirvonen told the E-Commerce Times, adding that F-Secure agreed with Assa Abloy to withhold the mechanism of the vulnerability.
Multiple reason impact the effectiveness of electronic door locks, he pointed out, noting that encryption is used to protect the confidentiality of the data on the key card.
“Encryption raises the bar to start analyzing the system,” Hirvonen said. “However, encryption is not a silver bullet — the encryption key has to be securely generated and stored.”
Other views of the same hotel industry like Marriott International confirmed that Assa Abloy alerted the hotel chain about the vulnerability in a variant of the company’s locking system.
“We are currently working with the vendor to understand the impact to our hotels,” said spokesperson Hunter Hardinge.
The company had been issued a software update by Assa Abloy and was working to deploy the patch as fast as possible, she added.
“The hack is based on cryptographic weaknesses of older-generation door locks, said Andrew Howard, chief technology officer at Kudelski Security, based on reports he has read.”
The vulnerability allows the hackers tools to cycle through potential door access codes until the right one is found, he told the E-Commerce Times.
The same hotel industry are now conscious of its weaknesses and made sure that system system are well equipt with the known patches.