A flaw in Assa Abloy's electronic locks could allow hackers to access hotel guest rooms and other secured areas, F-Secure researchers have discovered.
Software updates have been released to correct the flaw in the smart locks, called "Vision by VingCard", after F-Secure notified Assa Abloy and worked with the company over the past year.
The researchers found a way to create a master key using the information on any keycard, including one for a closet or garage, and even one that had expired long ago. The method would have allowed an attacker to open doors without being noticed.
Perseverance pays off
The researchers began looking into the problem after an incident in 2003 in which a colleague's laptop was stolen from a hotel room at a security conference. Hotel staff reportedly did not take the theft seriously, saying there was no sign of forced entry or unauthorized access to the room.
Over the years, the researchers spent thousands of hours investigating the incident. They eventually got hold of a lock known for its security and quality.
"It was only after fully understanding how the system was designed that we were able to identify seemingly innocuous gaps," said Timo Hirvonen, Senior Security Consultant at F-Secure. "We have creatively combined these weaknesses to find a way to create master keys."
No hotel rooms were compromised during the research, according to the company.
The vulnerability applies only to the Vision by VingCard product, Hirvonen told the E-Commerce Times, adding that F-Secure had agreed with Assa Abloy to withhold the details of the vulnerability.
There are several factors that affect the effectiveness of electronic locks, he said, noting that encryption is used to protect the confidentiality of keycard data.
"Encryption raises the bar to start analyzing the system," said Hirvonen. "However, encryption is not a quick fix – the encryption key must be generated and stored securely."
Marriott International confirmed that Assa Abloy had informed the hotel chain of a vulnerability in a version of the company's lock system.
"We are currently working with the vendor to understand the impact on our hotels," spokesperson Hunter Hardinge said.
The company had received a software patch from Assa Abloy and was working to deploy it as quickly as possible, she added.
The hack relies on cryptographic weaknesses in the older-generation door locks, said Andrew Howard, chief technology officer at Kudelski Security, based on the reports he has read.
The vulnerability allows hacking tools to cycle through potential door access codes until the right one is found, he told the E-Commerce Times.
This report is a reminder of the vulnerability of remotely controlled locks, particularly at a time when companies are increasingly selling smart lock devices controlled by mobile applications, said Brian Martin, vice president of vulnerability intelligence at Risk Based Security.
"All of this is a serious warning that these systems must undergo rigorous testing before being put on the market," he told the E-Commerce Times.
Last year, New York Attorney General Eric Schneiderman reached an agreement with Safetech Products over allegations that its Bluetooth locks and wireless door locks were not secure.
Researchers had found that the company's locks transmitted password information to mobile phones without the encryption needed to conceal the data from hackers, and that the locks' default passwords were easily recovered through brute-force attacks.
In 2016, researchers from the University of Michigan, working with Microsoft, discovered a vulnerability in Samsung's SmartThings IoT platform. It allowed them to obtain the PIN codes of electronic locks and use a SmartApp to create a spare key. The team informed Samsung and worked with the company to remedy the flaws.