Security firm says key flaws allowed access to hotel rooms worldwide

April 25 (UPI) — A Finnish cybersecurity company said Wednesday it’s solved a vulnerability problem that allowed a master key to open thousands of hotel rooms worldwide.

The firm, F-Secure, said in a statement researchers worked for a year with Swedish lock manufacturer Assa Abloy to create a solution. The problem, it said, allowed an ordinary electronic key card to be converted to a master key.

The problem affects Vision by VingCard, a widely used hotel key system.

The firm said data scanned from used or expired key cards could be manipulated to gain entry to the rooms. Assa Abloy has issued software security updates to fix the problem.

The issue first arose over a decade ago, when a colleague of an F-Secure employee had his laptop stolen from a hotel room. Hotel staff dismissed the complaint, noting that there was no sign of forced entry and no recorded access to the room’s door.

After investigating, F-Secure said it was able to identify a number of flaws in the software that, when combined, could open any door.

“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” explained Timo Hirvonen of F-Secure. “Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings [and] come up with a method for creating master keys.”

The vulnerable cards are used worldwide by hotel chains that include Intercontinental, Radisson, Hyatt and Sheraton.

Tech officials said, though, they are working to mitigate the continued risk.

“Vision Software is a 20-year-old product, which has been compromised after 12 years and thousands of hours of intensive work by two employees at F-Secure,” an Assa Abloy spokesperson said. “These old locks represent only a small fraction [of those in use] and are being rapidly replaced with new technology.”