In 60 seconds, security researchers can clone the master hotel-room keys for 140,000 hotels in 160 countries

The Vingcard Vision locks are RFID-based hotel locks; at this week's Infiltrate conference in Miami, Tomi Tuominen and Timo Hirvonen from F-Secure will present a method for combining a $300 Proxmark RFID tool with any discarded key from a given hotel to derive the master keys that allow them to unlock every room in the hotel, a process that takes less than 60 seconds.


The researchers are exploiting longstanding defects in the Vingcard cryptographic implementations, defects that are even present on the magstripe-based Vingcard keys that predate the RFID keys (Vingcard has a new version that fixes the crypto, but there is a large base of legacy keycards in hotels all over the world).

The researchers informed the manufacturer about their work a year ago, and it has published updates for its customers, but the locks are not connected to the internet and can't update themselves, so it's up to hoteliers to see the notification, download the patch, and hire technicians to manually apply it to each lock in their hotels, one at a time.

The researchers have not released full details of their exploit in a bid to forestall thieves from using it to raid hotels.


Finally, they say, they were tipped off to one final method of narrowing down the possible master key codes in Vingcard Vision locks by a clue on the company's Assa Abloy University website for training hotel staff. Though they won't elaborate further, the researchers note that the trick somehow involves a correlation between the location of a door in a hotel and its RFID enciphered code. The system means that beyond creating a master key to open any door in a hotel, they could also spoof specific "floor" and "section" keys that open only a subset of doors in a building—all the better to impersonate the sort of less-powerful keys that hotel housekeeping staff hold, for instance.

The F-Secure researchers admit they don't know if their Vinguard attack has occurred in the real world. But the American firm LSI, which trains law enforcement agencies in bypassing locks, advertises Vingcard's products among those it promises to teach students to unlock. And the F-Secure researchers point to a 2010 assassination of a Palestinian Hamas official in a Dubai hotel, widely believed to have been carried out by the Israeli intelligence agency Mossad. The assassins in that case seemingly used a vulnerability in Vingcard locks to enter their target's room, albeit one that required re-programming the lock. "Most probably Mossad has a capability to do something like this," Tuominen says.

A One-Minute Attack Let Hackers Spoof Hotel Master Keys [Andy Greenberg/Wired]