Recently, a pair of researchers (Tomi Tuominen and Timo Hirvonen of F-Secure) released information about a new hack they had discovered. It takes advantage of a critical security flaw in the magnetic VingCard locking systems used in hotel chains around the world.
This particular system produced by Assa Abloy is deployed in more than 42,000 facilities around the world. So in terms of scope and scale, this flaw impacts literally millions of doors.
The security flaw is about as bad as it gets, too. The duo found a way that hackers could turn an old, dead RFID key card into a master key that could be used to unlock any VingCard door. Although the software they used to create the master key card is proprietary, any hacker worth his salt and with a couple hundred dollars to spare for equipment could reproduce the hack on their own, if given time.
Fortunately, long before the pair announced their discovery of the hack, they contacted Assa Abloy privately. They have been working with the company’s R&D department to develop a fix for the security flaw. That fix has now been deployed, and the researchers stress that so far, there is no evidence that the exploit has ever been used in the wild.
Of course, that doesn’t mean that it couldn’t be used, and just because Assa Abloy has released a fix for the flaw doesn’t mean that everyone will promptly install it. So, the risk is still very real. If you’re a frequent traveler, take extra precautions and don’t leave your valuables in plain sight in your room. They may be more vulnerable than you realize.