Hotel, motel, Holiday Inn? Doesn't matter – they may need to update their room key software Infosec outfit F-Secure has uncovered security vulnerabilities in hotel keycard systems that can be exploited by miscreants to break into rooms across the globe. Exploitable flaws were discovered in lock system software Vision by VingCard, which F-Secure said is used to secure millions of hotel rooms worldwide. Their findings …
Got back to find the door lock on the room had completely failed. You could just open it as if there was no lock there. Reason: low batteries...
There are two possible failure modes for this case, and neither is ideal.
The lock can fail to an unlocked state, which defeats it as a security measure. Or it can fail to a locked state, which could prevent an emergency responder from gaining access, or a parent from returning to a room with children in it, and so on.
You can debate the relative merits, but it's not clear that one is necessarily the better choice.
The researchers' interest in hacking hotel locks was sparked a decade ago when a colleague's laptop was stolen from a hotel room during a security conference......When the theft was reported, hotel staff dismissed their complaint given that there was not a single sign of forced entry, and no evidence of unauthorized access in the room entry logs.....They then decided to investigate the issue further, and chose to target a brand of lock known for quality and security. Their probing of the technology took several thousand hours on an on-and-off basis, and involved considerable trial and error.
Yes, but after all this, did the hotel admit it was possible someone else could have taken it?
If the vendor no longer develops the software, seems likely the fix would be to upgrade the system, I find it unlikely most hotels would be willing to spend the $$ to upgrade so many systems for such a vulnerability, unless it starting being widely exploited.
The article is not clear but I think the good news may be that the vulnerability only affects systems that use NFC-like technology to authenticate the lock and not systems that use mag stripes(which I've read have their own issues).
In my hotel traveling experience in recent years maybe I can count on one hand the number of hotels I've stayed at that wireless key cards, one hotel in particular I stay at regularly upgraded to wireless key cards, their previous key card system looked as if it was at least 15-20 years old(had never seen a lock design like it at any other hotel I stayed at anyway).
Electronic security doors would need to be connected to the system and log all openings, then the software would be in/on a central server and be upgradeable. You would have to log in at the desk whenever you came in or went out, even to use the pool, bar or restaurant.
It would be very expensive to have to replace door locks every 6 months, when someone electronically hacks them and if the lock prevented staff access and from making up your guests rooms while they were out you might consider a different system.
What do you want from a lock, peace of mind, impregnability ? Door keys were not that secure either.
It's not about cloning an existing skeleton key though: it's about converting a regular room key into a skeleton key.
If the locks use some form of public key cryptography where the key card stores the access granted along with a digital signature covering that access made with a private key. It isn't immediately obvious how you'd change the access permissions on a card without knowing the private key.
So you're probably looking at a non trivial vulnerability. Maybe they discovered a way to get the lock to accept an unsigned access grant. Maybe they discovered a way to produce hash collisions to reuse the signature from the normal key. Maybe they discovered a buffer overflow vulnerability in the lock's software that turns bad signatures into good ones.
In certain northern cities, guests steal the mattresses, let alone bolted down TV's. "No, I was on duty and alert all night and didn't see a thing." 7ft" painting straight out of the front door. I could go on ad infinitum. #crimenumbersilvousplait
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
