Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Hackers create hotel master keys that can access millions of rooms

Security researchers say it takes an average of 60 seconds to gain access to any hotel room using the hacking technique

Anthony Cuthbertson

Wednesday 25 April 2018 18:10 BST

The technique works on key cards made by Assa Abloy, which counts some of the world's largest hotel chains among its customers. (REUTERS)

Millions of hotel rooms are vulnerable to hackers after researchers found a technique to create master keys that can open rooms.

Researchers from the cybersecurity firm F-Secure discovered the flaw with key cards used by some of the world’s biggest hotel chains, including Intercontinental, Radisson and Sheraton Hotels and Resorts.

Tomi Tuominen and Timo Hirvonen from F-Secure began investigating the vulnerability 15 years ago after a laptop belonging to one of their colleagues mysteriously went missing from a hotel room.

Gadget and tech news: In pictures

Show all 25

1/25Gadget and tech news: In pictures

Gadget and tech news: In pictures

Gun-toting humanoid robot sent into space

Russia has launched a humanoid robot into space on a rocket bound for the International Space Station (ISS). The robot Fedor will spend 10 days aboard the ISS practising skills such as using tools to fix issues onboard. Russia's deputy prime minister Dmitry Rogozin has previously shared videos of Fedor handling and shooting guns at a firing range with deadly accuracy.

Dmitry Rogozin/Twitter

Gadget and tech news: In pictures

Google turns 21

Google celebrates its 21st birthday on September 27. The The search engine was founded in September 1998 by two PhD students, Larry Page and Sergey Brin, in their dormitories at California’s Stanford University. Page and Brin chose the name google as it recalled the mathematic term 'googol', meaning 10 raised to the power of 100

Google

Gadget and tech news: In pictures

Hexa drone lifts off

Chief engineer of LIFT aircraft Balazs Kerulo demonstrates the company's "Hexa" personal drone craft in Lago Vista, Texas on June 3 2019

Reuters

Gadget and tech news: In pictures

Project Scarlett to succeed Xbox One

Microsoft announced Project Scarlett, the successor to the Xbox One, at E3 2019. The company said that the new console will be 4 times as powerful as the Xbox One and is slated for a release date of Christmas 2020

Getty

Gadget and tech news: In pictures

First new iPod in four years

Apple has announced the new iPod Touch, the first new iPod in four years. The device will have the option of adding more storage, up to 256GB

Apple

Gadget and tech news: In pictures

Folding phone may flop

Samsung will cancel orders of its Galaxy Fold phone at the end of May if the phone is not then ready for sale. The $2000 folding phone has been found to break easily with review copies being recalled after backlash

PA

Gadget and tech news: In pictures

Charging mat non-starter

Apple has cancelled its AirPower wireless charging mat, which was slated as a way to charge numerous apple products at once

AFP/Getty

Gadget and tech news: In pictures

"Super league" India shoots down satellite

India has claimed status as part of a "super league" of nations after shooting down a live satellite in a test of new missile technology

EPA

Gadget and tech news: In pictures

5G incoming

5G wireless internet is expected to launch in 2019, with the potential to reach speeds of 50mb/s

Getty

Gadget and tech news: In pictures

Uber halts driverless testing after death

Uber has halted testing of driverless vehicles after a woman was killed by one of their cars in Tempe, Arizona. March 19 2018

Getty

Gadget and tech news: In pictures

A humanoid robot gestures during a demo at a stall in the Indian Machine Tools Expo, IMTEX/Tooltech 2017 held in Bangalore

Getty

Gadget and tech news: In pictures

A humanoid robot gestures during a demo at a stall in the Indian Machine Tools Expo, IMTEX/Tooltech 2017 held in Bangalore

Getty

Gadget and tech news: In pictures

Engineers test a four-metre-tall humanoid manned robot dubbed Method-2 in a lab of the Hankook Mirae Technology in Gunpo, south of Seoul, South Korea

Jung Yeon-Je/AFP/Getty

Gadget and tech news: In pictures

Engineers test a four-metre-tall humanoid manned robot dubbed Method-2 in a lab of the Hankook Mirae Technology in Gunpo, south of Seoul, South Korea

Jung Yeon-Je/AFP/Getty

Gadget and tech news: In pictures

The giant human-like robot bears a striking resemblance to the military robots starring in the movie 'Avatar' and is claimed as a world first by its creators from a South Korean robotic company

Jung Yeon-Je/AFP/Getty

Gadget and tech news: In pictures

Engineers test a four-metre-tall humanoid manned robot dubbed Method-2 in a lab of the Hankook Mirae Technology in Gunpo, south of Seoul, South Korea

Jung Yeon-Je/AFP/Getty

Gadget and tech news: In pictures

Waseda University's saxophonist robot WAS-5, developed by professor Atsuo Takanishi

Rex

Gadget and tech news: In pictures

Waseda University's saxophonist robot WAS-5, developed by professor Atsuo Takanishi and Kaptain Rock playing one string light saber guitar perform jam session

Rex

Gadget and tech news: In pictures

A test line of a new energy suspension railway resembling the giant panda is seen in Chengdu, Sichuan Province, China

Reuters

Gadget and tech news: In pictures

A test line of a new energy suspension railway, resembling a giant panda, is seen in Chengdu, Sichuan Province, China

Reuters

Gadget and tech news: In pictures

A concept car by Trumpchi from GAC Group is shown at the International Automobile Exhibition in Guangzhou, China

Rex

Gadget and tech news: In pictures

A Mirai fuel cell vehicle by Toyota is displayed at the International Automobile Exhibition in Guangzhou, China

Reuters

Gadget and tech news: In pictures

A visitor tries a Nissan VR experience at the International Automobile Exhibition in Guangzhou, China

Reuters

Gadget and tech news: In pictures

A man looks at an exhibit entitled 'Mimus' a giant industrial robot which has been reprogrammed to interact with humans during a photocall at the new Design Museum in South Kensington, London

Getty

Gadget and tech news: In pictures

A new Israeli Da-Vinci unmanned aerial vehicle manufactured by Elbit Systems is displayed during the 4th International conference on Home Land Security and Cyber in the Israeli coastal city of Tel Aviv

Getty

The flaws they discovered with key cards made by the world’s largest lock manufacturer, Assa Abloy, allowed them to create a master key using any key card from a hotel, even one that was long-since expired.

“The hack consists of three steps,” Mr Tuominen explains to The Independent. “Firstly, get access to a key card, it doesn’t matter which. Secondly, use a relatively-cheap piece of hardware, combined with our custom software, to read the card and search for the master key code.

“Thirdly, write the master key onto the key card, or any other key card, to gain access to any room in the facility.”

F-Secure researcher Timo Hirvonen shows a device that is able to create a master key out of a single hotel key card in Helsinki, Finland April 19, 2018. (Reuters)

Mr Tuominen and Mr Hirvonen say that it takes an average of 60 seconds to gain access to a room using this technique.

The researchers, who are set to present their findings at the Infiltrate conference later this week, informed Assa Abloy of the vulnerability and offered a patch to fix it. It is expected to take a long time to roll out the fix across all hotels affected.

“We appreciate F-Secure’s ethical approach in bringing these issues to our attention,” a spokesperson for Assa Abloy said.

“We strive for the utmost security and quality in our products, so we are glad to have the opportunity to ensure our products pass the most rigorous evaluations. With these updates, we have elevated hospitality security to the next level.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies