The inspiration for the device came in 2003 when a laptop belonging to a colleague of the researchers, who was attending a hacker conference in Berlin, was stolen from his hotel room. Because there was no sign of forced entry and no unauthorized access recorded in the entry logs, nothing much was done.
The ability to create such a device is certainly worrisome, but there is some good news. It took the researchers quite a long time to develop the device, years in fact, and the F-Secure team says it’s not aware of any such devices being used maliciously in the real world. “We don’t know of anyone else performing this particular attack in the wild right now,” Tuominen said in a statement.
The locks the F-Secure team targeted were developed by VingCard, now owned by Assa Abloy, a company that has acquired a number of other major lock companies such as Yale and August Home and is now the largest lock manufacturer in the world. The VingCard system they targeted is reportedly used in over 42,000 properties in 166 countries. F-Secure says it notified Assa Abloy of its findings and over the past year, the two groups have worked together to develop a fix for the vulnerabilities exploited by the master key device. Affected properties have received updates. “Because of their diligence and willingness to address the problems identified by our research, the hospitality world is now a safer place,” said Tuominen. “We urge any establishment using this software to apply the update as soon as possible.”
Hotels have been targets of malicious actors in a number of ways over the years, with attacks including credit card info-swiping malware, keyloggers installed on publicly available hotel computers and exploits of hotel WiFi. And others have made devices that crack key card locks as well.