Tomi Tuominen, Practice Leader at
F-Secure Cyber Security Services
industry unlocked
T
New technologies are transforming the
way that most industries operate – and the
hospitality sector is no exception. Intelligent
CISO looks at one particular cyberthreat hotels
are facing while exploring a new partnership
which is aiming to future-proof the industry.
44
There are few industries which have been
untouched by advances in technology and, while
there have been countless benefits as a result
of this, there are, of course, new risk factors of
which organisations and businesses worldwide
now have to be aware. a master key created basically out of
thin air,” said Tomi Tuominen, Practice
Leader at F-Secure Cyber Security
Services. “We don’t know of anyone else
performing this particular attack in the
wild right now.”
One such industry which is embracing digital
transformation – and facing cybersecurity issues
– is hospitality. The researchers’ interest in hacking
hotel locks was sparked a decade ago
when a colleague’s laptop was stolen
from a hotel room during a security
conference. When the researchers
reported the theft, hotel staff dismissed
their complaint given that there was not
a single sign of forced entry and no
evidence of unauthorised access in the
room entry logs.
One such example of a challenge was highlighted
by researchers from F-Secure, a Finland-based
cybersecurity company, which found that hotels
worldwide are using an electronic lock system
that could be exploited by an attacker to gain
access to any room in the facility.
The design flaws discovered in the lock system’s
software, which is known as Vision by VingCard
and used to secure millions of hotel rooms
worldwide, have prompted the world’s largest
lock manufacturer, Assa Abloy, to issue software
updates with security fixes to mitigate the issue.
The researchers’ attack involved using any
ordinary electronic key to the target facility, even
one that’s long expired, discarded, or used to
access spaces such as a garage or closet.
Using information on the key, the researchers
were able to create a master key with privileges
to open any room in the building. The attack
could be performed without being noticed.
“You can imagine what a malicious person could
do with the power to enter any hotel room, with
The researchers decided to investigate
the issue further and chose to target
a brand of lock known for quality and
security. These security oversights were
not obvious holes. It took a thorough
understanding of the whole system’s
design to identify small flaws that, when
combined, produced the attack. The
research took several thousand hours
and was done on an on-and-off basis
and involved considerable amounts of
trial and error.
“We wanted to find out if it’s possible
to bypass the electronic lock without
leaving a trace,” said Timo Hirvonen,
Senior Security Consultant at F-Secure.
“Building a secure access control
system is very difficult because
Issue 03
|
www.intelligentciso.com