Electronic lock system used by global hotel chains vulnerable to hackers

An electronic lock system used by several global hotel chains and hotels worldwide contained vulnerabilities that allowed cyber criminals to unlock any hotel room by exploiting a flaw in the lock system's software.

The security flaw in a popular electronic lock system sold by the world’s largest lock manufacturer Assa Abloy could place the security of government heads, world leaders, persecuted individuals in despotic nations and private citizens anywhere in the world at risk.

With nation states using all cyber means available to them to launch covert attacks on rival countries, dissidents, political groups, and citizens, the fact that hackers could unlock electronic lock systems at hotels could seriously undermine the security of such people.

"You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air. We don’t know of anyone else performing this particular attack in the wild right now," said Tomi Tuominen, Practice Leader at F-Secure Cyber Security Services, who discovered the security flaw and immediately alerted Assa Abloy.

Even discarded electronic keys could help hackers build master keys

Security researchers at F-Secure said they used ordinary electronic keys to target facilities and used information on such keys to create master keys with privileges to open any room in the building. This exploit could be carried out even if the ordinary electronic keys were expired, discarded, or used to access spaces such as a garage or closet.

"We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace. Building a secure access control system is very difficult because there are so many things you need to get right," said Timo Hirvonen, Senior Security Consultant at F-Secure.

"Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys," he added.

We cannot say for sure if F-Secure researchers were the first to identify the security flaw or if such electronic lock systems were the subject of targeted attacks by cyber criminals in the past.

Once alerted by the researchers, the R&D team at Assa Abloy cooperated with them and developed a fix for the vulnerability to ensure that the affected electronic lock system sold by the company had watertight security controls. Global hotel chains and hotels worldwide will now need to apply the update as soon as possible to ensure the security of their guests and their belongings.

That connected devices across the world are vulnerable to hacks and infiltrations is well known, and security experts and governments have been asking manufacturers of IoT devices to incorporate cyber security by design instead of as an afterthought.

In November last year, the Deputy Information Commissioner asked parents to consider privacy and data security concerns before purchasing Internet-connected toys for their children during the Christmas shopping season, starting with Black Friday.

"You wouldn’t knowingly give a child a dangerous toy, so why risk buying them something that could be easily hacked into by strangers?" Steve Wood wrote.

"In the same way that safety standards are a primary consideration for shoppers buying toys, we want those buying connected items in the coming weeks to take a pause and think about both the child’s online safety, and also the potential threat to their own personal data such as bank details, if a toy, device or a supporting app is hacked into," he added.

Copyright Lyonsdown Limited 2021
