Nothing gets the creative juices flowing quite like a good mystery. Consider the following: In 2003, a Finnish security researcher named Tomi Tuominen was in Berlin with a friend of his to attend a conference. During the day, his friend's laptop mysteriously disappeared from one of their hotel rooms — even though no one had entered the room aside from hotel staff.
Was this simply a case of a malicious staff member taking something expensive from a room? Possibly, but the researchers had been staying at an upscale chain hotel with no reputation for anything along those lines.
Tuominen found the possibility of an unauthorized electronic entry troubling, but gripping. For the last 15 years, he's been attempting to find a way to reprogram a hotel key to allow entry to any room, and he's finally succeeded.
This information comes from Safe & Savvy, (opens in new tab) a blog run by Helsinki-based security firm F-Secure. Tuominen teamed up with Timo Hirvonen, a fellow F-Secure researcher, to see whether a sophisticated hacker could compromise an entire hotel. The target: VisionLine/VingCard, a software system that manages hotel locks, owned and run by the Swedish lock maker Assa Abloy. (The same company owns the Medeco and Yale brands in the U.S., as well as the HID company that may keep your office locked.)
Without going into the gory details of how Tuominen and Hirvonen got the job done, they did eventually succeed in their task. They discovered that any hotel key would work, not just staff keys, and that fishing an expired card out of a trash can or simply staying in a hotel for one night and keeping the card would be enough to get started.
The researchers then needed access to card-writing hardware, but that is available for a few hundred dollars online. A reprogrammed card, ready in less than a minute, could theoretically open any room in the entire hotel.
Understandably, Tuominen and Hirvonen were much less open to discussing the software they created, since it would create an enormous security risk for any hotels using Assa Abloy technology. (In a comment to Wired, Assa Abloy estimated there were between 500,000 and 1 million vulnerable locks; the number could be much higher, though.)
The one hint the researchers gave was that a door's keycode was based on its physical location in the hotel, allowing them to match values and reverse-engineer data for specific floors and sections of a hotel.
There is some good news: The two researchers notified Assa Abloy of the flaw back in 2017, and the company worked quickly to develop a patch.
However, Assa Abloy's locks don't run on a network. Installing patches means going to each lock, wiring it up to a laptop and running a manual update. In a hotel with hundreds of rooms, it's easy to understand why managers might not devote a ton of resources to an esoteric project like this.
All in all, there are more factors against a hotel-room hacking entry than for one. The issue has been patched, first and foremost — and even if it hadn't, it took two researchers more than a decade to come up with the technology to replicate it.
Still, electronically breaking into hotel rooms is not unheard-of. In 2010, Israeli assassins leveraged a VingCard vulnerability to take out a Palestinian official in a Dubai hotel. A vulnerability in a hotel-lock brand called Onity, unearthed by a hacker and publicized in the tech press but ignored by many hotels, led to a thief taking advantage of the flaw to burglarize dozens of U.S. hotel rooms in 2012 and 2013.
Keeping yourself safe from electronic keycard hackers, then, involves largely the same precautions you'd use to keep yourself safe from any would-be hotel intruder. Lock your deadbolt when you're in the room, and put your valuables in the safe when you're out of it (although some hotel-room safes have their own security flaws). This has the added advantage of also keeping your valuables safe from thieves of the more traditional variety.