Hotel key cards, even invalid ones, help hackers break into rooms

F-Secure researcher Timo Hirvonen shows a device that is able to create a master key out of a single hotel key card in Helsinki, Finland April 19, 2018. Picture taken April 19, 2018. REUTERS/Attila

By Jussi Rosendahl and Attila Cser

HELSINKI (Reuters) – By getting hold of a widely used hotel key card, an attacker could create a master key to unlock any room in the building without leaving a trace, Finnish security researchers said in a study published on Wednesday, solving a 14-year-old mystery.

While the researchers have fixed the flaw together with Assa Abloy, the world’s largest lock manufacturer which owns the system in question, the case serves as a wake-up call for the lodging industry to a problem that went undetected for years.

Tomi Tuominen, 45, and Timo Hirvonen, 32, security consultants for Finnish data security company F-Secure, say they discovered the vulnerability about a year ago, and reported it to Assa.

“We found out that by using any key card to a hotel … you can create a master key that can enter any room in the hotel. It doesn’t even have to be a valid card, it can be an expired one,” Hirvonen said in an interview.

The researchers helped Assa fix the software for an update made available to hotel chains in February. Assa said some hotels have updated it but that it would take a couple more weeks to fully resolve the issue.

“I highly encourage the hotels to install those software fixes,” Hirvonen said. “But I think there is no immediate threat, since being able to develop this attack is going to take some time.”

Any fresh security risk remains low since the researchers’ tools and method will not be published, Assa noted.

The radio-frequency ID key card system in question, Vision by Vingcard, has been replaced by many hotels with new technology, but its current owner Assa Abloy estimated that the system is still being used in several hundred thousand hotel rooms worldwide.

Tuominen said the breakthrough was to figure out a weakness in how the locks are deployed and installed, together with a seemingly minor technical design flaw.

COLD CASE FILES

Sitting at F-Secure’s glass-and-steel-on-stilts headquarters by the Baltic Sea, the researchers show off a small hardware device which they have made able to write a master key out of the information of any card in the Vingcard system.

Clues date back to 2003 when a laptop disappeared from a computer security expert’s room at a high-class hotel in Berlin.

The thief left no traces in the room or within the electric lock system, hotel personnel said. The stolen laptop, which never turned up, belonged to a guest who had presented his research at a security conference.

Hearing of the theft at the conference, Tuominen and Hirvonen – then youthful computer guys in hacker-style black hoodies – asked themselves: Could one hack the locking system without leaving a trace?

For years, the two worked off and on to solve the mystery of the plastic cards, which guests often neglect to return. First it was purely a hobby, later a professional mission.

“These issues alone are not a problem, but once you combine those two things, it becomes exploitable,” Hirvonen said.

“I wouldn’t be surprised if other electronic lock systems have similar vulnerabilities. You cannot really know how secure the system is unless someone has really tried to break it.”

The researchers say they have no evidence whether the vulnerabities they found have been put to work by criminals.

Assa Abloy stresses that its newer offerings are based on different technologies, including a system that allows hotel guests to open door locks with their smartphones.

“The challenge of the security business is that it is a moving target. What is secure at a point of time, is not 20 years later,” Christophe Sut, an executive at Assa Abloy Hospitality, said in a phone interview.

The researchers asked for no money from Assa for their work or discovery, saying they were only driven by the challenge.

“Some people play football, some people go sailing, some do photography. This is our hobby,” Tuominen said.

(Reporting by Jussi Rosendahl and Attila Cser, editing by Eric Auchard and Adrian Croft)

Russia threatens retaliation over U.S. ‘break-in’ at San Francisco consulate

FILE PHOTO: The Consulate General of Russia is seen in San Francisco, California, U.S. on September 2, 2017. REUTERS/Stephen Lam/File Photo

MOSCOW (Reuters) – U.S. officials broke into residences at Russia’s consulate in San Francisco, the foreign ministry in Moscow said, threatening retaliation over what it called a hostile and illegal act.

Russian staff had left the consulate last month, after Washington ordered Moscow to vacate some of its diplomatic properties, part of a series of tit-for-tat actions during a thorny phase in bilateral relations.

Since then, U.S. officials had occupied administrative parts of the compound but on Monday they entered residential areas that the departing staff had locked, the ministry said in a statement late on Monday.

“Despite our warnings, the U.S. authorities did not listen to reason and did not give up their illegal intentions,” it said.

“…We reserve the right to respond. The principle of reciprocity has always been and remains the cornerstone of diplomacy.”

Footage aired repeatedly on Russian state television showed

what the broadcaster said were U.S. officials breaking locks that had sealed off parts of the compound and entering the buildings.

The “intruders” had taken over the whole premises including the consul general’s residence, the ministry said.

“Therefore, we understand that Americans, breaking into our diplomatic buildings, have de facto agreed that their missions in Russia may be treated likewise.”

Russian President Vladimir Putin last month accused Washington of “boorish” treatment of Russia’s diplomatic premises on U.S. soil, ordering the foreign ministry to take legal action over alleged violations of Russia’s property rights.

The tit-for-tat began late last year when former U.S. president Barack Obama expelled 35 Russian diplomats in retaliation for alleged Russian meddling in the election that took Donald Trump to the White House.

Trump took office in January, saying he wanted to improve ties with Russia, while Putin also spoke favorably of Trump.

But the allegations of interference in the vote, which Moscow has denied, have persisted as an investigation by U.S. authorities has widened.

In July, Moscow ordered the United States to cut the number of its diplomatic and technical staff working in Russia by around 60 percent, to 455.

(This story has been refiled to fix typographical error in headline)

(Reporting by Dmitry Solovyov; editing by John Stonestreet)