Hotel Access Control Article

Posted by | Uncategorized | 0 |

News Fusion and other news agencies have been creating headlines to scare you — "…could have given hackers access to any (hotel) room in the world." The articles refer to a problem with ONE particular technology, Vision by VingCard, not all hotel access control systems. While the VingCard system is a market leader, it not the only system and we would argue it is threatened by newer technologies. The systems that Accurate Security Engineering ( recommends, by Salto, are NOT susceptible to this particular hack. For example, the Four Seasons in Washington DC is featured in a recent case study on Salto’s website, If you know much about Washington, DC and the Four Seasons, you will know that it is a facility that needs to be secure given the profile of some of the guests. So the decision to use Salto would not have been taken lightly.
But lets also remember that any system can be hacked. We are more fearful of electronic hacks because the hacks occur in an intangible realm. This intangible realm I am referring to this the realm of software and the media for the storage of digital information. The VingCard systems out there are old and vulnerable because they are so old. Upgrading to a Salto system makes sense from both a cost, convenience AND security standpoint.
Below is the article that is making the rounds.

"The electronic lock systems found in thousands of hotels around the world could have left holidaymakers and business travellers at risk of attack, according to new research from F-Secure.

The company’s security researchers have found a flaw in the lock system’s software, known as Vision by VingCard, which could have been exploited by hackers to gain access to any room in a hotel, anywhere in the world.

In particular, the flaw meant researchers could use any ordinary electronic key, even those that have expired, discarded, to get access to the system. Using information on the key, the researchers were able to create a master key with privileges to open any room in the building. What’s more, the attack can be performed without being noticed.

See related
Orion Span to open “affordable” space hotel in 2022
FBI warns travellers to beware attacks via hotel Wi-Fi
Hotel tech: a room with a futuristic view
The flaw is so significant, it has since prompted the world’s largest lock manufacturer, Assa Abloy, to issue software updates with security fixes to shut down the problem.

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” said Tomi Tuominen, practice leader at F-Secure Cyber Security Services. “We don’t know of anyone else performing this particular attack in the wild right now.”

The researchers’ interest in hacking hotel locks was sparked a decade ago when a colleague’s laptop was stolen from a hotel room during a security conference. When the researchers reported the theft, hotel staff dismissed their complaint, given that there was not a single sign of forced entry and no evidence of unauthorised access in the room entry logs.

The researchers decided to investigate the issue further by targeting a brand of lock known for quality and security. The flaw wasn’t obvious, and took what the team called "a thorough understanding of the whole system’s design to identify small flaws that, when combined, produced the attack".

“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” added Timo Hirvonen, senior security consultant at F-Secure. “Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”

F-Secure notified Assa Abloy of the findings and has collaborated with the lock maker over the past year to implement software fixes. Updates have also been made available to affected properties. "