
F-Secure Hack Can Unlock Millions of Hotel Rooms with Handheld Device - artsandsci
https://www.extremetech.com/internet/268263-f-secure-hack-unlocks-millions-of-hotel-rooms-with-handheld-device
======
djrogers
In a large hotel/resort, there are literally hundreds of people with access to
your hotel room at any given time. There's a reason hotel room doors have
deadbolts and chains in addition to the keycard - they've never been
considered 'secure'...

~~~
duxup
Physical access dynamics area always interesting. I used to visit data centers
with high security to work on some equipment. I almost always had more access
to more areas than the local employees. I had the magic hand that could open
all doors. Many server guys couldn't physically access the data center floor,
but I could, and I didn't even work for the company.

The only guys who had more access than I did.... their $15 an hour security
guys and ... the janitors. Every room had a garbage can somewhere, someone had
to get it... funny how that works.

~~~
jschwartzi
At one company I worked at we had to take our garbage cans outside the room if
we wanted them emptied because the janitor did not have access to our office.

~~~
duxup
That seems like a better thought out policy.

~~~
dylan604
until you work in a unionized shop that is over-serious about it. i made the
mistake of moving the trashcan outside the door, and then had to sit through a
union lecture about doing someone else's job. didn't work for that company any
longer than it took to find a new job

~~~
rahimnathwani
I was on a flight recently (I think on United), and noticed that the trash can
in one of the washrooms was full and, judging by the paper towels around, had
been full for some time.

I told one of the attendants when I went to get a snack. She told me they
couldn't empty the trash can. I didn't push, but it seemed strange that they
were willing to leave a full trash can in one of a very limited number of
washrooms on a full plane.

------
Rotdhizon
My main problem with publications like this is that they are often
sensationalized. This type of technology has been around for years and years,
same with Casino machine hacks. People who figured this out and developed the
devices for it often only use them lowkey, because that's the smart thing to
do. Then you have someone who finds out and pushes a news story about it,
spinning it to be some massive breakthrough in the hacking world and we're all
no longer safe behind hotel keycard locks. There was a documentary I watched a
few years ago, maybe it was on netflix but I don't think so, but it was about
a guy who figured out how to hack certain Hotel door locks and he abused that
to his advantage for upwards of a decade. Why was he able to do this for so
long? Because he didn't go running to the press when he figured it out, and to
a larger extent because its extremely costly to replace the technology in an
entire hotel(same as why companies get hit with malware that exploit bugs that
should've been patch months/years prior).

That's not to discredit this team, I'm sure they are full of great people
doing honest work.

~~~
gabriel34
So you advocate for stealth exploitation instead of disclosure?

~~~
Rotdhizon
Entirely missed my point, but other comments here summarize it way better than
I did. The point is that this is nothing new, these types of attack vectors
have been actively exploited for a very long time. If you are a thief,
undercover agent, assassin, etc, you aren't going to disclose your methods.
The people who know how, and do hack security measures like this keep it under
wraps. I'm all for responsible disclosure, but that term only exists in the
realm of ethical security. People who use these methods for malicious reasons
are under no obligation to disclose what they do. So in turn, while the
article makes it out to seem like this one company has hit a groundbreaking
discovery, it's really not. Props to the guys at F-secure, but they are late
to the game compared to the unethical realm of physical security hacking.

------
GavinB
I'm sure the work that F-Secure did was very technically impressive, but I
don't think this demonstrates that "these electronic locks may not be very
secure" as the article states.

I'd imagine that there are very few commercial technologies that couldn't be
hacked if you can get research on a working copy and throw "several thousand
total man hours" of highly qualified researchers at it, including building a
custom device. And the hack has already been patched!

And then the end payout is that you can get into hotel rooms, which are
regularly accessed by low-paid hotel employees and generally considered not a
secure place to leave valuables—there's a reason for the safes in the closet
of every hotel room.

~~~
mschuster91
> there's a reason for the safes.

... which all have backdoors by neccessity.

~~~
GavinB
Yep! My only point was that it apparently took a ton of work to find a way to
hack into a place which is already considered fairly insecure. Basically I
don't think there's any reason to panic or be surprised by this story, or for
Assa Abloy to be terribly embarrassed.

With the equivalent of a budget of several hundred thousand dollars and custom
hardware, any commercially available equipment can probably be hacked.

------
jccc
_> The team began this investigation more than a decade ago, when an F-Secure
employee had a laptop stolen from a hotel room. Some of the staff began to
wonder how easy it would be to hack the keycard locks_

This seems like a very breezy assumption they're making about how that laptop
got stolen.

People who run conference events (and who manage hotels) know that things like
this are the deeds of hotel staff, not masked bandits picking the lock on your
door.

~~~
stordoff
I read that as being the motivation, not necessarily that they thought that's
how the laptop was stolen.

------
imglorp
They disclosed to the vendor, but they're not releasing the hack details to
the public.

After getting lots of good PR about their prowess, does all that PR really
mean the tech is "for sale to the right buyers?"

------
dsfyu404ed
My predictions:

1) College cyber-security clubs will spend less time dealing with bureaucracy
in order to get 24/7 access to their facilities.

2) Someone will procuction-ize this and sell it to cops at 9001% markup. (I
don't mean beat cops executing legit warrants here, I'm thinking more along
the lines of drug units and "well your honor we didn't need a warrant because
the accused failed to ensure his door latched behind him.")

3) This will go mostly ignored by everyone else.

I know this stuff existed before but this is a massive drop in barrier to
entry so adoption will increase.

~~~
joosters
Security forces have already been hacking hotel door locks for years. For
example, Mossad agents were caught on camera in 2010 cracking the lock on
Mahmoud Al-Mabhouh's room before assassinating him:
[https://en.wikipedia.org/wiki/Assassination_of_Mahmoud_Al-
Ma...](https://en.wikipedia.org/wiki/Assassination_of_Mahmoud_Al-Mabhouh)

I remember reading a related article (sorry, can't find the source now) about
the assassination that claimed the agents had tools to break into a large
variety of electronic lock companies, so it's unlikely that F-Secure's hack is
a one-off discovery.

~~~
Relys
[https://en.wikipedia.org/wiki/Black_bag_operation](https://en.wikipedia.org/wiki/Black_bag_operation)

------
kup0
I think one of the main worries from a security perspective, as the article
mentions, is the fact that despite a patch being released, one has to rely on
the hotels to be aware of the issue AND to decide to patch the devices. Would
not be surprised if that happens at a glacial pace.

