An electronic lock system used by several global hotel chains and hotels worldwide contained vulnerabilities that allowed cyber criminals to unlock any hotel room by exploiting a flaw in the lock system's software.
The security flaw in a popular electronic lock system sold by the world’s largest lock manufacturer Assa Abloy could place the security of government heads, world leaders, persecuted individuals in despotic nations and private citizens anywhere in the world at risk.
With nation states using all cyber means available to them to launch covert attacks on rival countries, dissidents, political groups, and citizens, the fact that hackers could unlock electronic lock systems at hotels could seriously undermine the security of such people.
"You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air. We don’t know of anyone else performing this particular attack in the wild right now," said Tomi Tuominen, Practice Leader at F-Secure Cyber Security Services who discovered the security flaw and immediately alerted Assa Abloy.
Even discarded electronic keys could help hackers build master keys
According to security researchers at F-Secure, they used ordinary electronic keys to target facilities and used information on such keys to create master keys with privileges to open any room in the building. This exploit could be carried out even if ordinary electronic keys were expired, discarded, or used to access spaces such as a garage or closet.
"We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace. Building a secure access control system is very difficult because there are so many things you need to get right," said Timo Hirvonen, Senior Security Consultant at F-Secure.
"Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys," he added. We cannot say for sure if F-Secure researchers were the first to identify the security flaw or if such electronic lock systems were the subject of targeted attacks by cyber criminals in the past.
Once alerted by the researchers, the R&D team at Assa Abloy cooperated with them and developed a fix for the vulnerability to ensure that the affected electronic lock system sold by the company had watertight security controls. Global hotel chains and hotels worldwide will now need to apply the update as soon as possible to ensure the security of their guests and their belongings.
The fact that connected devices across the world are vulnerable to hacks and infiltrations is a well-known factor and security experts and governments have been asking manufacturers of IoT devices to ensure that they incorporate cyber security by design instead of as an afterthought.
In November last year, the Deputy Information Commissioner asked parents to consider privacy and data security concerns before purchasing Internet-connected toys for their children during the Christmas shopping season, starting with Black Friday.
"You wouldn’t knowingly give a child a dangerous toy, so why risk buying them something that could be easily hacked into by strangers?," Steve Wood wrote.
"In the same way that safety standards are a primary consideration for shoppers buying toys, we want those buying connected items in the coming weeks to take a pause and think about both the child’s online safety, and also the potential threat to their own personal data such as bank details, if a toy, device or a supporting app is hacked into," he added.