Security researchers create master key for electric Vingcard hotel room locks
Fifteen years ago, two Finnish security researchers, Tomi Tuominen and Timo Hirvonen, visited a hacker event in Berlin. On this trip, a laptop was stolen from their hotel room. The incident was never resolved, but the pair kept an eye on hotel room security systems.
Hirvonen and Tuominen focused on the widely deployed Assa Abloy Vision by Vingcard. This is the same system that was in use at the upper-class Berlin hotel where the two fell victim to theft. Eventually, in 2017, they managed to create a device that allowed unlocking any door equipped with the Vingcard lock.
While this may have been how the theft was carried out years earlier, the key observation was that all hotels and other facilities using the system were at risk. The programmable Proxmark3 RFID device used to hack the locks is available to anyone on the open market, and the exploit works with any building that uses the vulnerable locks.
Once the device has been programmed, exploiting the vulnerability consists of three steps:
- Copy any key from the target building to the Proxmark3 device
- Take the device close to any lock in the target building and wait for it to scan different options
- When the correct universal code is found, the device works as a master key to all locks in that same series.
The researchers immediately contacted Assa Abloy to inform them about the flaw. Instead of requiring all the physical locks to be changed, Timo Hirvonen came up with a modification that would fix the issue without physical changes. The security fixes have been available to Assa Abloy customers since January 2018.
While the remedy for this security flaw is available, it remains up to the hotels to update their software. So even today it is likely that there are hotels with Assa Abloy Vision by Vingcard locks that can be unlocked with the off-the-shelf Proxmark3 device.
See the attack in