Assa Abloy is one of the largest manufacturers of security products in the world. So, you can imagine how the company might have felt when security research firm F-Secure let them know that it had found a way to get past their VingCard electronic lock systems – the type employed by about 40,000 hotels around the world.
F-Secure figured out that it could use some very basic, over-the-counter hardware to create a device capable of reading hotel key cards – even older, expired cards, or those used to access non-guest room areas like supply closets – and turn them into master access key cards for the entire hotel.
The device they created could even read room card data through clothing. Once any active or disabled card attached to a certain hotel had been scanned, a new card could be created that provided access to any VingCard-secured room in that hotel.
Assa Abloy took the news pretty well. The company began working with F-Secure to design new software that addresses the problem, which is now available as a patch to everyone using the VingCard platform.
The hack was inspired by an incident in which an F-Secure engineer had a computer stolen out of his hotel room while attending, ironically enough, a security conference. Hotel officials dismissed the complaint because there were no signs of forced entry and no evidence of unauthorized access.
F-Secure doesn’t believe anyone is currently using its technique to break into hotel rooms, and it applauded Assa Abloy for taking a proactive approach to addressing the problem.