In the news today “master key” hack for hotel room card key

<<

Joe Momma

Familiar Face

Posts: 96

Joined: Wed Jun 06, 2012 5:40 am

Location: near the Rubicon trail - U.S.A.

Post Mon Apr 30, 2018 1:21 pm

In the news today “master key” hack for hotel room card key

Researchers say a “master key” hack could put millions of hotel rooms at risk of being unlocked.

Researchers at F-Secure, a Finnish cyber security company, said hotel rooms in over 160 countries and at 40,000 locations are at risk of being opened by hackers who have gained access to an electronic key company’s software.

Fortune reports Swedish lock manufacturer Assa Abloy uses software that has a vulnerability. According to Gizmodo, the vulnerability in the Vision software allows criminals to create master keys and open any door in the building. All the hackers need is a single hotel key and a radio-frequency identification card.

The RFID card uses electromagnetic fields to unlock the combination placed on a hotel room’s key card reader. Security experts told Fortune the process can take only one minute to complete.

Fortune reports there are no known cases of hackers exploiting the flaw in the software. However, a software patch has reportedly been developed, and affected hotels are being urged to update the software for their key card readers, Fortune reports.

http://www.kcra.com/article/master-key-hack-could-put-millions-of-hotel-rooms-at-risk-report-says/20074195
<<

Patrick Star

Active Member

Posts: 282

Joined: Sun Apr 10, 2016 9:40 pm

Location: Sweden

Post Mon Apr 30, 2018 8:36 pm

Re: In the news today “master key” hack for hotel room card

I wonder if this attack applies to Aperio as well? Then a lot of sites far more sensitive than your average hotel are in a looot of trouble.

This (as well as the plurality of attacks on online access control systems) is why I always tell people to always combine electronic locking systems with mechanical locks for sensitive stuff. Not that anyone ever listens... sigh.
<<

Jaakko Fagerlund

Active Member

Posts: 344

Joined: Mon Jan 06, 2014 3:55 pm

Location: Finland

Post Wed May 02, 2018 1:15 pm

Re: In the news today “master key” hack for hotel room card

And once again a good example of why SECURITY SOFTWARE SHOULD BE OPEN SOURCE. More eyes, more patchers, more testers.
<<

Patrick Star

Active Member

Posts: 282

Joined: Sun Apr 10, 2016 9:40 pm

Location: Sweden

Post Wed May 02, 2018 2:22 pm

Re: In the news today “master key” hack for hotel room card

And can you give me a single example of an electronic locking / access control system that's open source? And certified by the relevant organizations (VdS, UL, SBSC/SFF, FG, etc). Insurance requirements and all that...
:-(
<<

TylerJThomas

Familiar Face

Posts: 24

Joined: Sun Jul 09, 2017 1:23 am

Location: Atlanta, GA, USA

Post Wed May 02, 2018 8:11 pm

Re: In the news today “master key” hack for hotel room card

Jaakko Fagerlund wrote:And once again a good example of why SECURITY SOFTWARE SHOULD BE OPEN SOURCE. More eyes, more patchers, more testers.


In fairness, they're probably more worried about competition sniping their ideas/work than they are about vulnerabilities. Sad state of affairs but it is what it is.
<<

madsamurai

Familiar Face

Posts: 235

Joined: Wed Jan 04, 2017 4:13 am

Location: Germantown, Ohio

Post Wed May 02, 2018 8:42 pm

Re: In the news today “master key” hack for hotel room card

Open source means the bad guys can read the code, too. The problem, really, is that there's more money to be had in breaking security than there is in hardening it. The hackers are currently way ahead of the developers, and advancements in AI and GPU processing are working much more in their favor than ours. Public belief in computer security in general is pretty ludicrous, if you ask me. All these new Bluetooth locks give me the shivers. I'll take the "inconvenience" of a mechanical lock and key/combination any day over anything accessible by another computer, thank you very much.
<<

Patrick Star

Active Member

Posts: 282

Joined: Sun Apr 10, 2016 9:40 pm

Location: Sweden

Post Wed May 02, 2018 8:55 pm

Re: In the news today “master key” hack for hotel room card

If anything, mechanical locks tend to fail a lot more gradually. It's not like suddenly discovered bypasses taking a couple of seconds are common when it comes to higher-security ones.
<<

TylerJThomas

Familiar Face

Posts: 24

Joined: Sun Jul 09, 2017 1:23 am

Location: Atlanta, GA, USA

Post Thu May 03, 2018 12:12 pm

Re: In the news today “master key” hack for hotel room card

madsamurai wrote:I'll take the "inconvenience" of a mechanical lock and key/combination any day over anything accessible by another computer, thank you very much.


You are not alone in that sentiment, sir, not in the least.

Patrick Star wrote:If anything, mechanical locks tend to fail a lot more gradually. It's not like suddenly discovered bypasses taking a couple of seconds are common when it comes to higher-security ones.


Also, I would posit that most vulnerabilities for higher-security locks generally require much more investment for the tool(s) and skills required. Case in point: Any project of Hux.
<<

Jaakko Fagerlund

Active Member

Posts: 344

Joined: Mon Jan 06, 2014 3:55 pm

Location: Finland

Post Thu May 03, 2018 1:03 pm

Re: In the news today “master key” hack for hotel room card

Patrick Star wrote:And can you give me a single example of an electronic locking / access control system that's open source? And certified by the relevant organizations (VdS, UL, SBSC/SFF, FG, etc). Insurance requirements and all that...
:-(

Nope, as I haven't come across one single product that I could trust in electronic locks. Impossible to lay any trust in locks that you can't in any way ascertain to yourself how it actually works and if there are or aren't any backdoors. Nor can one verify the code's authenticity because you can't compile from a clean source and compare.

madsamurai wrote:Open source means the bad guys can read the code, too

The beauty of cryptography is that the only secret that has to be kept is the key itself. The algorithms/implementation doesn't matter as long as they are what are now known as cryptographically secure.

Mechanical locks are practically open source products, but fixing problems in them almost always means "buy a new one". Electronics however can be updated and the corrections easily spread over the world without any physical product to be done/replaced.
<<

Josephus

Active Member

Posts: 264

Joined: Sun Feb 10, 2013 11:30 pm

Location: Michigan

Post Thu May 03, 2018 4:58 pm

Re: In the news today “master key” hack for hotel room card

No. Some algorithms do not need to keep keys secret, such as hashed temporal key systems, perfect forward security being of that nature. But implementation is a permanent problem. Most cryptographic systems are compromised in implementation problems. Some algorithms have been deprecated because, though they are mathematically perfect, adequate implementation on current hardware is impossible. To call an implementation "cryptographically secure" is a bit odd. It's like calling a mortise lock metallurgically secure. It might be, it might not, it's a conditional tautology, and although locks require metallurgy, that is not sufficient to call them secure nor does a mechanical design fall under the purview of metallurgy. Even if that was taken as true, some algorithms are better than others with various features or mitigating risks of various attacks. It's a big deal and why there are so many competing standards.

Cryptography and open source systems that have security components are not equivalent. The former is a matter of mathematics and computer science, the latter is engineering. Open source has potential for more eyes finding problems, for good and bad. Popular open source systems are typically but not necessarily more secure than proprietary systems. Unpopular open source systems are less secure than proprietary systems.

The primary problem with securing electronic physical locks is that selection of them changes a skill challenge into a knowledge challenge. All knowledge challenges in the real world are smart cow problems. It only takes one smart cow to open a gate, the rest walk through. The same is true for electronic locks. All it takes is one person coming up with an exploit and all anyone has to do is use it. Much easier and faster than each person needing to build skills for every new type of mechanical lock.
<<

Patrick Star

Active Member

Posts: 282

Joined: Sun Apr 10, 2016 9:40 pm

Location: Sweden

Post Thu May 03, 2018 8:42 pm

Re: In the news today “master key” hack for hotel room card

TylerJThomas wrote:Also, I would posit that most vulnerabilities for higher-security locks generally require much more investment for the tool(s) and skills required. Case in point: Any project of Hux.

Yes - that goes into my reasoning about gradual failure as well.
Even for potentially very serious compromises (eg. happens in short enough time to defeat the assumptions of your layered security), the required tools and skills are a lot harder and slower to transfer than just sending someone an exploit. So it might very well be extremely unlikely that one of the potential attackers will actually show up at your door simply because the pool of potential attackers is a lot smaller.

Josephus wrote:Some algorithms do not need to keep keys secret, such as hashed temporal key systems, perfect forward security being of that nature.

Perfect forward secrecy eg via a DH exchange does need to keep the DH secret keys of the parties, as well as the agreed shared secret, well, secret. Just that you can discard them as soon as you're done.
Plus you probably want to combine it with a signature for MITM protection, and then you need to keep the secret keys used for that secret on a longer time period as well, although this obviously won't break the PFS itself (or even future sessions without an active attack).

A big disadvantage of electronic locking systems, as Jaakko has hinted, is that you can't easily inspect them for backdoors. This includes backdoors not only at the manufacturer level but also - if your installation is sensitive enough - things added during shipping/distribution. Mechanical locks you can just take apart and see if things look the way they are supposed to.

By the way, there are scenarios where an electronic attack can be applied to a purely mechanical system as well. Think someone having the entire keying systems on a networked (or otherwise accessible) computer. Hell, certain lock manufacturers (*cough* ASSA *cough*) want you to keep your system in their online database!
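
Added example, not part of the post above or of the original thread: a Python sketch of the ephemeral exchange the post describes, where each session uses fresh DH secrets that are discarded after key derivation and a long-term key only authenticates the exchanged shares. Assumptions: the modulus and generator are toy parameters, an HMAC under a long-term pre-shared key stands in for the signature, and `Party` and `run_session` are hypothetical names.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): production code would use
# X25519 or a vetted finite-field group from a maintained crypto library.
P = 2**255 - 19
G = 2


class Party:
    def __init__(self, name: str, auth_key: bytes):
        self.name = name
        self.auth_key = auth_key  # long-term key: authenticates shares only

    def _tag(self, sender: str, share: int) -> bytes:
        # Binding the sender name stops a share being reflected to its owner.
        msg = sender.encode() + b"|" + share.to_bytes(32, "big")
        return hmac.new(self.auth_key, msg, hashlib.sha256).digest()

    def start(self):
        self._x = secrets.randbelow(P - 3) + 2  # fresh ephemeral secret
        share = pow(G, self._x, P)
        return share, self._tag(self.name, share)

    def finish(self, peer: str, peer_share: int, peer_tag: bytes) -> bytes:
        if not 1 < peer_share < P - 1:
            raise ValueError("peer share out of range")
        if not hmac.compare_digest(self._tag(peer, peer_share), peer_tag):
            raise ValueError("peer share failed authentication")
        shared = pow(peer_share, self._x, P)
        del self._x  # discard the ephemeral secret once the key is derived
        # The long-term key never enters the derivation, so learning it
        # later does not reveal keys of sessions that were only recorded.
        return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def run_session(alice: Party, bob: Party, tamper: bool = False):
    a_share, a_tag = alice.start()
    b_share, b_tag = bob.start()
    if tamper:
        # Constructed in-path modification: Bob's share is replaced in transit.
        b_share = pow(G, 7, P)
    return (alice.finish("bob", b_share, b_tag),
            bob.finish("alice", a_share, a_tag))
```

Two honest sessions between the same parties yield two unrelated keys, and the tampered session is rejected before any key is derived.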
<<

Josephus

Active Member

Posts: 264

Joined: Sun Feb 10, 2013 11:30 pm

Location: Michigan

Post Thu May 03, 2018 10:03 pm

Re: In the news today “master key” hack for hotel room card

The point, on secret keys, is that there are many ways in which the necessity of retaining a secret key is eliminated, due to constraints which remove the ability for an attacker to use them. DH might be considered one, though that is more a problem of transit and storage. I was thinking more TOTP, DHE, ECDHE, DRA, geofencing and so on. All methods to mitigate against consequences of cryptographic key discovery on session or message basis. Often used in conjunction with less process intensive methods for longer usage during an initial exchange.

All risk management is probabilistic. There is always residual risk. Cryptography isn't a silver bullet. Algorithm and implementation selection matters.

Electronic locks are tested using the same techniques as SCADA, ICS, and blackbox code analysis. Fuzzing, decompiling, static/dynamic code analysis, stress testing, and the usual physical stuff. Teenagers 30 years ago were dumping roms and analyzing binary blobs. The same process is done opensource or not on red teams.

There's a deluge of CVEs showing no meaningful advantages to obfuscation or open source, while less-tread open projects often don't get fixed. Even large projects which come with no legal support requirements have long-term vulnerabilities present. I had to deal with freezing services, micromanaging multi-repository installs with portables and extra IDS rules as an enhanced defence on Debian systems last year because of a few ssh versioning and systemd problems that were intentionally flagged as not going to be fixed yet still live risk on fully patched systems. Messy.
