1) College cyber-security clubs will spend less time dealing with bureaucracy in order to get 24/7 access to their facilities.
2) Someone will procuction-ize this and sell it to cops at 9001% markup. (I don't mean beat cops executing legit warrants here, I'm thinking more along the lines of drug units and "well your honor we didn't need a warrant because the accused failed to ensure his door latched behind him.")
3) This will go mostly ignored by everyone else.
I know this stuff existed before but this is a massive drop in barrier to entry so adoption will increase.
Petty theft will increase in resorts etc., but probably won't affect too many people. I imagine security services have had similar tools for years and if your threat model included hotel room break-ins, you would work to mitigate anyway.
This doesn't affect the biggest deterrent to petty crime: surveillance cameras.
Security forces have already been hacking hotel door locks for years. For example, Mossad agents were caught on camera in 2010 cracking the lock on Mahmoud Al-Mabhouh's room before assassinating him: https://en.wikipedia.org/wiki/Assassination_of_Mahmoud_Al-Ma...
I remember reading a related article (sorry, can't find the source now) about the assassination that claimed the agents had tools to break into a large variety of electronic lock companies, so it's unlikely that F-Secure's hack is a one-off discovery.
Unfortunately cops and their armories are not fitted by necessity, but by desire for the latest and greatest, and by vendors pushing product and offering personal incentives for purchasing from them.
a lot of the same stuff that happens with pharma companies happens in law enforcement, or any other industry in which corporations are asked to bid upon the right to fulfill a contract for pay.
I'm sure the work that F-Secure did was very technically impressive, but I don't think this demonstrates that "these electronic locks may not be very secure" as the article states.
I'd imagine that there are very few commercial technologies that couldn't be hacked if you can get research on a working copy and throw "several thousand total man hours" of highly qualified researchers at it, including building a custom device. And the hack has already been patched!
And then the end payout is that you can get into hotel rooms, which are regularly accessed by low-paid hotel employees and generally considered not a secure place to leave valuables—there's a reason for the safes in the closet of every hotel room.
Yep! My only point was that it apparently took a ton of work to find a way to hack into a place which is already considered fairly insecure. Basically I don't think there's any reason to panic or be surprised by this story, or for Assa Abloy to be terribly embarrassed.
With the equivalent of a budget of several hundred thousand dollars and custom hardware, any commercially available equipment can probably be hacked.
The top level sketch is bad. They are able to go from a low privilege card to a master key. Preventing that is a pretty obvious design criteria for any multikey lock system.
In a large hotel/resort, there are literally hundreds of people with access to your hotel room at any given time. There's a reason hotel room doors have deadbolts and chains in addition to the keycard - they've never been considered 'secure'...
Physical access dynamics area always interesting. I used to visit data centers with high security to work on some equipment. I almost always had more access to more areas than the local employees. I had the magic hand that could open all doors. Many server guys couldn't physically access the data center floor, but I could, and I didn't even work for the company.
The only guys who had more access than I did.... their $15 an hour security guys and ... the janitors. Every room had a garbage can somewhere, someone had to get it... funny how that works.
In college I worked as a janitor and I had access to every room in the building, including the off-limits President's room. It's no wonder that in TV and movies the good guys always infiltrate by dressing up as janitors.
I was the IT guy at a government intelligence agency in Canada as an intern one summer. I had access to darned near the entire building. I had secret level clearance, but I could get into rooms that required top secret.
And I was allowed to wear jeans to work because IT guys need to get down on the floor frequently!
At one company I worked at we had to take our garbage cans outside the room if we wanted them emptied because the janitor did not have access to our office.
until you work in a unionized shop that is over-serious about it. i made the mistake of moving the trashcan outside the door, and then had to sit through a union lecture about doing someone else's job. didn't work for that company any longer than it took to find a new job
I was on a flight recently (I think on United), and noticed that the trash can in one of the washrooms was full and, judging by the paper towels around, had been full for some time.
I told one of the attendants when I went to get a snack. She told me they couldn't empty the trash can. I didn't push, but it seemed strange that they were willing to leave a full trash can in one of a very limited number of washrooms on a full plane.
That's how it worked at my last position. Some of these basic issues are not that difficult to address, it's just that most companies don't care enough to bother with it.
In the early 00's we were looking for data centers to host our infrastructure and I remember a couple of the tours we took. On all the tours we saw the man-traps and the fancy hand scanning bio-metric locks as they touted how seriously they took the security of our servers...
...but as we were touring one of the facilities, a large back door was wide open to the outside directly into the main server room. As far as we could see it was unattended. To be fair, I'm sure there was someone around... somewhere... and that the door couldn't have been left open like that for long (forget about access controls, environmental controls were compromised by that one, too!)
At another facility during that same RFP, the sales guy was trying to get us into a room and the fancy hand scanner wasn't accepting his hand for entry. So in a fit of frustration he just opened the door... it actually wasn't locked at all.
ha, this reminds me of once I left my badge at home and snuck into my office from the mailroom entrance instead of the actual front-door entrance with badge scanners and security guards.
Deadbolts and chains don't help if you're not in the room, since you can't lock those on the way out. I suppose this is why many rooms have safes as well, although I'm sure those are riddled with security defects too, like everything else.
Many of them don’t have a back or the back slides out the only thing you need is to unscrew a few screws often wood screws since hotels love screwing them to a shelf in the closet.
It's the same story when people get high quality locks for their house. If a thief wants to get in, they'll just break the window.
I've also seen it before with high grade padlocks on a chain link fence, often with razor wire on top. Bolt cutters may not be able to cut the lock, but they could cut the chain link like butter.
Security is only as strong as its weakest link. This is why social engineering has always been such an effective method of hacking.
I think the better reasoning behind using high-end locks in your home is that you have a much better chance of knowing your house has been broken in to.
With standard locks, a thief can quickly and easily gain access without the homeowner knowing.
> With standard locks, a thief can quickly and easily gain access without the homeowner knowing.
Too true. Especially cheap ones with tumblers only on one side. In [more than] one of my old apartments I remember having to sit at the mailbox picking the lock so I could open it and replace it because the previous tenants left with all of the mail keys.
It was funny to have people walk in and just say hello as if nothing was happening. "It could have been your mailbox. I just entered mine with my girlfriends bobby pin while you were standing there. Somehow yours is never vulnerable." Of course I wouldn't say that— but oh that I would... ;P
I think the psychology here is that if you behave as if what you're doing is ok and not suspicious, most people will accept that. Same thing for instance when I've gone and picked up my wife's locked bike at her job and put in the car. Most people assume that if I'm doing it publicly, I'm not doing anything shady.
When I did IT stuff as a student job, at one point I needed to pull a computer in for repair and it had been quite securely tied to the desk it was on- I needed a pair of bolt cutters to remove the cable. Of course nobody in the computer lab said anything as I walked in, pair of bolt cutters over one shoulder, and walked out, carrying bolt cutters and iMac.
One of my student jobs involved the 12am-4am shift in the library's 24-hour computer lab (essentially, be a theft deterrent and babysit the printers).
Part of my training involved being told to call a central number to confirm if someone tries to take a computer without any official email being sent to us ahead of time. The year before, someone walked in, placed out of order signs on a whole row of Mac Pros, and carted out 10-15 top end Mac Pro towers without anyone saying anything.
... It took over a month before someone who knew better happened to walk through and noticed the missing Macs.
Also turns out there were no security cameras either, as the University library and IT department had a years-long fight over which department needed to foot the bill for cameras on that floor (after the theft, they quietly split the cost and put cameras in immediately).
"I left my key in my room as well as my wallet, so I don't have ID" is so effective when they do ask for it. Social Engineering has always been an effective method for getting around security.
My main problem with publications like this is that they are often sensationalized. This type of technology has been around for years and years, same with Casino machine hacks. People who figured this out and developed the devices for it often only use them lowkey, because that's the smart thing to do. Then you have someone who finds out and pushes a news story about it, spinning it to be some massive breakthrough in the hacking world and we're all no longer safe behind hotel keycard locks. There was a documentary I watched a few years ago, maybe it was on netflix but I don't think so, but it was about a guy who figured out how to hack certain Hotel door locks and he abused that to his advantage for upwards of a decade. Why was he able to do this for so long? Because he didn't go running to the press when he figured it out, and to a larger extent because its extremely costly to replace the technology in an entire hotel(same as why companies get hit with malware that exploit bugs that should've been patch months/years prior).
That's not to discredit this team, I'm sure they are full of great people doing honest work.
Entirely missed my point, but other comments here summarize it way better than I did. The point is that this is nothing new, these types of attack vectors have been actively exploited for a very long time. If you are a thief, undercover agent, assassin, etc, you aren't going to disclose your methods. The people who know how, and do hack security measures like this keep it under wraps. I'm all for responsible disclosure, but that term only exists in the realm of ethical security. People who use these methods for malicious reasons are under no obligation to disclose what they do. So in turn, while the article makes it out to seem like this one company has hit a groundbreaking discovery, it's really not. Props to the guys at F-secure, but they are late to the game compared to the unethical realm of physical security hacking.
> The team began this investigation more than a decade ago, when an F-Secure employee had a laptop stolen from a hotel room. Some of the staff began to wonder how easy it would be to hack the keycard locks
This seems like a very breezy assumption they're making about how that laptop got stolen.
People who run conference events (and who manage hotels) know that things like this are the deeds of hotel staff, not masked bandits picking the lock on your door.
Most likely, yes. The target value should be directly related to the strength of the security measures though. The information on the laptop might be worth enough for a targeted specialized attack
I think one of the main worries from a security perspective, as the article mentions, is the fact that despite a patch being released, one has to rely on the hotels to be aware of the issue AND to decide to patch the devices. Would not be surprised if that happens at a glacial pace.
everyone! i really want to appreciate SPYHACKER444(gmail com) OR TEXT HER ON +1(318)987-8459 for the assistance this great lady offered me in hacking my husbands phone,working with her has been amazing. she is very reliable and understandable , i recommend her to you guys
53 comments
[ 2.8 ms ] story [ 96.3 ms ] thread1) College cyber-security clubs will spend less time dealing with bureaucracy in order to get 24/7 access to their facilities.
2) Someone will procuction-ize this and sell it to cops at 9001% markup. (I don't mean beat cops executing legit warrants here, I'm thinking more along the lines of drug units and "well your honor we didn't need a warrant because the accused failed to ensure his door latched behind him.")
3) This will go mostly ignored by everyone else.
I know this stuff existed before but this is a massive drop in barrier to entry so adoption will increase.
This doesn't affect the biggest deterrent to petty crime: surveillance cameras.
I remember reading a related article (sorry, can't find the source now) about the assassination that claimed the agents had tools to break into a large variety of electronic lock companies, so it's unlikely that F-Secure's hack is a one-off discovery.
a lot of the same stuff that happens with pharma companies happens in law enforcement, or any other industry in which corporations are asked to bid upon the right to fulfill a contract for pay.
I'd imagine that there are very few commercial technologies that couldn't be hacked if you can get research on a working copy and throw "several thousand total man hours" of highly qualified researchers at it, including building a custom device. And the hack has already been patched!
And then the end payout is that you can get into hotel rooms, which are regularly accessed by low-paid hotel employees and generally considered not a secure place to leave valuables—there's a reason for the safes in the closet of every hotel room.
... which all have backdoors by neccessity.
With the equivalent of a budget of several hundred thousand dollars and custom hardware, any commercially available equipment can probably be hacked.
The only guys who had more access than I did.... their $15 an hour security guys and ... the janitors. Every room had a garbage can somewhere, someone had to get it... funny how that works.
And I was allowed to wear jeans to work because IT guys need to get down on the floor frequently!
I told one of the attendants when I went to get a snack. She told me they couldn't empty the trash can. I didn't push, but it seemed strange that they were willing to leave a full trash can in one of a very limited number of washrooms on a full plane.
In the early 00's we were looking for data centers to host our infrastructure and I remember a couple of the tours we took. On all the tours we saw the man-traps and the fancy hand scanning bio-metric locks as they touted how seriously they took the security of our servers...
...but as we were touring one of the facilities, a large back door was wide open to the outside directly into the main server room. As far as we could see it was unattended. To be fair, I'm sure there was someone around... somewhere... and that the door couldn't have been left open like that for long (forget about access controls, environmental controls were compromised by that one, too!)
At another facility during that same RFP, the sales guy was trying to get us into a room and the fancy hand scanner wasn't accepting his hand for entry. So in a fit of frustration he just opened the door... it actually wasn't locked at all.
Ah... good times...
The invisible work force!
https://twitter.com/sehnaoui/status/978339459208007686?lang=...
Master passkeys also work on most safes.
https://gizmodo.com/5837561/can-000000-secretly-open-your-ho...
https://www.independent.co.uk/travel/news-and-advice/hotel-r...
I've also seen it before with high grade padlocks on a chain link fence, often with razor wire on top. Bolt cutters may not be able to cut the lock, but they could cut the chain link like butter.
Security is only as strong as its weakest link. This is why social engineering has always been such an effective method of hacking.
With standard locks, a thief can quickly and easily gain access without the homeowner knowing.
(I agree with the gist of your post though.)
Too true. Especially cheap ones with tumblers only on one side. In [more than] one of my old apartments I remember having to sit at the mailbox picking the lock so I could open it and replace it because the previous tenants left with all of the mail keys.
It was funny to have people walk in and just say hello as if nothing was happening. "It could have been your mailbox. I just entered mine with my girlfriends bobby pin while you were standing there. Somehow yours is never vulnerable." Of course I wouldn't say that— but oh that I would... ;P
I think the psychology here is that if you behave as if what you're doing is ok and not suspicious, most people will accept that. Same thing for instance when I've gone and picked up my wife's locked bike at her job and put in the car. Most people assume that if I'm doing it publicly, I'm not doing anything shady.
You’ll probably appreciate this then:
https://youtu.be/8d-bM-Whsmk
Part of my training involved being told to call a central number to confirm if someone tries to take a computer without any official email being sent to us ahead of time. The year before, someone walked in, placed out of order signs on a whole row of Mac Pros, and carted out 10-15 top end Mac Pro towers without anyone saying anything.
... It took over a month before someone who knew better happened to walk through and noticed the missing Macs.
Also turns out there were no security cameras either, as the University library and IT department had a years-long fight over which department needed to foot the bill for cameras on that floor (after the theft, they quietly split the cost and put cameras in immediately).
https://en.wikipedia.org/wiki/Assassination_of_Mahmoud_Al-Ma...
That's not to discredit this team, I'm sure they are full of great people doing honest work.
This seems like a very breezy assumption they're making about how that laptop got stolen.
People who run conference events (and who manage hotels) know that things like this are the deeds of hotel staff, not masked bandits picking the lock on your door.
After getting lots of good PR about their prowess, does all that PR really mean the tech is "for sale to the right buyers?"