Security Flaw Allows Hackers to Create Fake Master Key to Millions Of Hotel Rooms

A Finnish cybersecurity firm has discovered a flaw in the digital lock system used in hotels worldwide that would allow hackers to access millions of rooms with a faked master key.

Finnish firm F-Secure revealed that after "several thousand hours of work," its researchers engineered a master key that could unlock any hotel room using Vision by VingCard digital lock technology.

A man looks through a window in a hotel in Cancun, Mexico, on December 7, 2010, during the United Nations Framework Convention on Climate Change. Finnish firm F-Secure discovered a security flaw that could allow hackers to create a fake master key and potentially enter any hotel room. Ronaldo Schemidt/AFP/Getty Images

The research began when a friend of F-Secure practice leader Tomi Tuominen had his laptop stolen during a security conference in Berlin in 2003, according to Wired. Staff at the Alexanderplatz Radisson reportedly dismissed the complaint because there was no sign of forced entry or evidence of unauthorized access. So Tuominen and his colleagues set out to solve the mysterious breach.

Researchers used the information on an electronic key, whether RFID or magstripe, from the targeted hotel to create a master key that could open any room at the hotel. "We wanted to find out if it's possible to bypass the electronic lock without leaving a trace," senior security consultant Timo Hirvonen said in a statement.

The discovery of the flaw prompted Assa Abloy, the world's largest lock manufacturer, to release a software update with security fixes, F-Secure said.

"You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air," Tuominen said. "We don't know of anyone else performing this particular attack in the wild right now."

F-Secure notified Assa Abloy a year ago and worked with the lock manufacturer to implement software fixes in February of this year.

Christophe Sut, Assa Abloy executive vice president and head of hospitality, told Wired UK that Vision by VingCard is a fairly old system that was developed 20 years ago. The hack F-Secure used does not apply to the company's more up-to-date versions.

"It is not the system we promote any more or build our technology on [but] the challenge we have is we don't know necessarily if those systems are still up and running," Sut told Wired UK. Assa Abloy did not immediately respond to Newsweek's request for comment.