Security Vulnerabilities in VingCard Electronic Locks

Researchers have disclosed a massive vulnerability in the VingCard electronic lock system, used in hotel rooms around the world:

With a $300 Proxmark RFID card reading and writing tool, any expired keycard pulled from the trash of a target hotel, and a set of cryptographic tricks developed over close to 15 years of on-and-off analysis of the codes Vingcard electronically writes to its keycards, they found a method to vastly narrow down a hotel's possible master key code. They can use that handheld Proxmark device to cycle through all the remaining possible codes on any lock at the hotel, identify the correct one in about 20 tries, and then write that master code to a card that gives the hacker free rein to roam any room in the building. The whole process takes about a minute.

[...]

The two researchers say that their attack works only on Vingcard's previous-generation Vision locks, not the company's newer Visionline product. But they estimate that it nonetheless affects 140,000 hotels in more than 160 countries around the world; the researchers say that Vingcard's Swedish parent company, Assa Abloy, admitted to them that the problem affects millions of locks in total. When WIRED reached out to Assa Abloy, however, the company put the total number of vulnerable locks somewhat lower, between 500,000 and a million.

Patching is a nightmare. It requires updating the firmware on every lock individually.

And the researchers speculate whether or not others knew of this hack:

The F-Secure researchers admit they don't know if their Vingcard attack has occurred in the real world. But the American firm LSI, which trains law enforcement agencies in bypassing locks, advertises Vingcard's products among those it promises to teach students to unlock. And the F-Secure researchers point to a 2010 assassination of a Palestinian Hamas official in a Dubai hotel, widely believed to have been carried out by the Israeli intelligence agency Mossad. The assassins in that case seemingly used a vulnerability in Vingcard locks to enter their target's room, albeit one that required re-programming the lock. "Most probably Mossad has a capability to do something like this," Tuominen says.

Slashdot post.

Posted on April 30, 2018 at 6:02 AM • 26 Comments

Comments

Scott Lewis • April 30, 2018 7:35 AM

I have very little sympathy for the hotel operators, and very low expectations for quick patching by most of them. The lack of sympathy is coming from them having selected the solution in the first place. If ease of patch management wasn't enough of a consideration, they have to live with a painful process now.

James • April 30, 2018 8:40 AM

What "security" expectations do you have on a hotel room anyway? Any hotel employee can enter the room at any time. Besides that, almost every hotel tells you not to leave any valuables in the room. Some hotels have in-room safes, but those are also BS. With this vulnerability, besides the hotel employees, (almost) everyone else can enter the room. What's the difference? You are only supposed to leave unattended in your room the stuff you can afford to lose.

Some hotels employ different layers of security too, besides the locks (cameras, guards, etc.), but it's still not your property. So what's the big deal with this vulnerability?

TheInformedOne • April 30, 2018 9:34 AM

Seems like a lot of money, work, and risk with cameras everywhere these days. Fun concept to read about, but unlikely to result in widespread theft in practice. Most thieves would find it easier to simply clone/steal the maid's or maintenance access card.

Jordan • April 30, 2018 9:56 AM

The question is not whether the locks are perfectly secure, but whether they are *more secure* than conventional key locks. Note that given a few keys from the hotel you could do a similar analysis of possible master keys... and that's not counting simply picking the locks.

At worst, the question is whether they are more or less secure than the competition.

Also, when you're talking about significant criminal and national-security organizations... how much does it cost to simply buy a master key from somebody on the staff? "If you give us a key, we'll give you $10K... and you and your family get to wake up alive tomorrow morning!".

CallMeLateForSupper • April 30, 2018 10:15 AM

@James
"Any hotel employee can enter the room [....] almost every hotel tells you not to leave any valuables in the room."

Right. So forget the stealing stuff and consider the case where your wife or girlfriend is asleep in a room that is "protected" by a breachable VingCard lock. What could possibly go wrong?

VingCard's reply to the hack was more interesting to me than details of the hack. They pooh-pooh it, with some boilerplate and arm-waving. (If you can't convince 'em with facts, try fancy footwork.)

My German hotel had a conventional (key) lock with an impressive security feature that I have never seen in the U.S. You lock yourself in by turning the deadbolt knob 180 degrees. Housekeeping can unlock it with their physical key. But if you turn the deadbolt knob 180 degrees and keep turning another 180 degrees, the deadbolt cannot be unlocked with a key from the outside. That prevented e.g. housekeeping's inviting herself to my rubber ducky time. Really.

wumpus • April 30, 2018 10:32 AM

@james

I'll have to assume that nearly all the issues are on the Hotel side. Mostly there is the issue of dealing with thieves who now know that the employees will take the blame if anything is stolen.

@Scott Lewis

Assuming the lock system was chosen at the national chain level, I can understand the lack of sympathy. While I don't expect an owner/operator of a single motel to have a deep understanding of electronic security issues, I'm guessing that on the national level these were sold on the basis of how nice the round of golf supplied by the vendor was and not any deep checks of the product.

(required) • April 30, 2018 10:48 AM

"The informed one" - a wonderful name choice, maybe just a little braggy.

Perhaps you didn't see it said above, but "The whole process takes about a minute." The vast majority of hotel hallways actually do NOT feature cameras or secured access, and the point seems to be missed on you that any working keycards can be used to find master keys in just a few tries. Once they have that accomplished it's done, off camera, and they have access to everything with a swipe. Then they could sell those cards to the low level mules who don't mind the top of their hat being video'd by lobby surveillance.

(*$300 is a lot of money? Lol?)

(required) • April 30, 2018 10:54 AM

"how much does it cost to simply buy a master key from somebody on the staff?"

More than $300. Try it and find out.

Zaphod • April 30, 2018 2:35 PM

I recall Clive is an expert(*) on hotel locks and did some work on them in the past. He also elaborated on a simple but effective measure to secure the room from the inside....

Zaphod

(*) and most other subjects :-)

Jesse Thompson • April 30, 2018 2:52 PM

@echo - until somebody leaves without taking their lock with them.

Oh, management can just use bolt cutters on it? Big deal, thieves have those too and inside of a room you've illegally entered is a great pretext for using such a thing undetected anyhow. :P

@CallMeLateForSupper - sounds like a great feature for when the guest locks themselves in and then requires medical assistance and can't get to the door. Or just if guests wander in there and then die, gotta disassemble the hinges before you even determine if there was still anybody present.

As for your wife/girlfriend, how safe are they at your house? I'm sure no matter how many dozen deadbolts you have on the front door, a car can enter through just about any wall in mere moments, so...

All security is about deterrence. How much money (or time multiplied by skill) are you willing to spend to force an attacker to spend still more money (or time multiplied by skill) to transgress against you.

This is complicated further at a hotel, where security is ostensibly there to protect, but is also controlled by one-off guests and has to strongly authenticate people to differentiate them from the unauthorized masses. Largely because the guests being authenticated have to be de-authenticated, and because whether other parties such as hotel staff should be authenticated varies over time (when guests check out), by circumstance (guest incapacitated, needs assistance), and even by personal taste (is the maid presumed to be authorized or not? Did the guest even voice such a preference?)

So, I'm basically with @James on this one. Too many guests lack either the skill or the desire to either pay for or to follow through with the discipline required for enough security at these locations to really outshine a tumbler lock that tens of millions of people know how to pick through in seconds with a 5 usd kit.

Bobo Smith • April 30, 2018 2:58 PM

@Jesse Thompson

My house is a former nuclear fallout shelter. Three foot concrete walls, with most of the house underground. A car won't breach it. A tank might get through the wall, but then they'd have to bring in a boring machine.

VInnyG • April 30, 2018 3:03 PM

If I am the operator of a hotel with these locks, I might patch, or not, depending on the cost. Whether or not I patched, I would immediately begin billing a 100USD deposit for each key card issued at check-in to the credit card of the guest, to be refunded when the card is returned to the desk for immediate shredding. This would be described to guests, both actual and prospective, as a policy instituted to protect privacy and security. I would also instruct staff, particularly of the custodial bent, to search room trash cans for discarded cards and to return those to the desk as well. Cards issued vs returned would be reported and reviewed, and one manager per shift would be made accountable for compliance with the process. It would become a cause for immediate dismissal for any employee to handle a key card in any way other than that prescribed by policy. Give the guest a financial incentive to return the card, and motivate staff to catch the low-hanging fruit from non-compliers, and I suspect 90-95% of future key cards could be accounted for.

echo • April 30, 2018 3:50 PM

@Jesse Thompson

Solutions are really quite easy if you're not being awkward or lazy. Like any field, security is as much about attitude as process. Good management at check-in and check-out can easily cover an integrated lock. (Open door, swivel, flip or whatever the supplied lock and snap your own lock into the correct place.) All it needs is to be toughened to withstand a drill for an hour or somesuch. In any case there can be insurance or a surcharge to mitigate management costs.

Facepalm@VInnyG • May 1, 2018 1:55 AM

Once the master key has been derived there is no longer any need for the card itself. Severely penalizing guests for losing cards will do nothing for security.

The only method to fix this issue is to upgrade the firmware on the locks and to hope that the updated software doesn't have any glaring vulnerabilities as well.

James • May 1, 2018 4:54 AM

@CallMeLateForSupper
You have a good point, and you also answered your own question: good old-fashioned deadbolt when you are in the room.
If someone really wants to enter the room, they can do it without a key anyway: drill the lock, kick down the door, etc ...
If you are really concerned there are also inexpensive covert security cameras, motion activated and all ...
And if you are concerned for your own physical security, you can buy a gun, hire bodyguards etc., not trusting a stupid lock in a room that you do not own or rent.

@Jesse Thompson
In case of a real emergency, the door can be opened via brute force methods.

I don't see those locks as a security feature, but as a convenience one.

My point is that you should not expect too much security in a hotel room anyway. Those locks are there for deterrence; if someone wants in, they will get in.

VinnyG • May 1, 2018 6:52 AM

@facepalm I saw no inference in the article that all hotels in the real world that use this system (or even most or *any* beyond the test site) have had a sufficient number of cards expropriated that their master code has been compromised. Moreover, I see nothing in the description of the system to indicate that the master code cannot be reset centrally without actually replacing the lock firmware. Absent such evidence, I think that a policy instituting one-for-one card control is at least a partial solution, and might suffice indefinitely in some cases. Frankly, that should have been policy from day one; unfortunately, like many others, the hospitality industry tends to operate on very short-sighted criteria.

James • May 1, 2018 7:06 AM

@VinnyG well the vulnerability and therefore the problem IS real. But the implications, not so much.

user164398 • May 1, 2018 12:54 PM

Security at hotels, malls or any other public place has never been about the safety of you or your property. It is to protect the establishment from liability, with the added bonus of making sure their employees aren't perpetrating "time theft".

No matter how broken their methods are, you can count on them finding 100 ways to blame the patron in the event of a lawsuit.

VinnyG • May 1, 2018 2:17 PM

@James re: real - Agree that the vulnerability is real. However, according to my reading, there is a minimum number of cards that must be in the hands of the bad guys to make it feasible to identify the master code. If the number of cards collected for a given master code domain is less than the number required to create an exploit (the problem) at the time that effective card control procedures are implemented, the problem is possibly avoided; at worst, postponed. Not all mitigations require elimination of a technical flaw by technical means, although, all else equal, that is the preferable tactic. Risk mitigation is also sensitive to the risk environment - a similar flaw that affected hundreds of thousands of individual PC users could never be mitigated by a non-technical work-around, no matter how effective, for a variety of reasons (e.g., the "herding cats" problem.) But how many major hotel chains are there? A dozen? Nearly all of which have "top down" chains of command where mandates can be enforced by threats of employment termination.

Clive Robinson • May 1, 2018 8:43 PM

@ Bruce, All,

    "Most probably Mossad has a capability to do something like this," Tuominen says.

I'm really surprised Tuominen has any doubts on this. To my knowledge it has been "open knowledge" since the early 1980's.

As I've mentioned on this blog before I've not just caught Mossad out at this, I made it very clear to them that I knew who they actually worked for (not IBM as they pretended).

It's not just Mossad but other domestic and foreign intelligence agencies and even law enforcement agencies that collect up information on both mechanical and electronic locks. Of the two, the electronic locks are in effect the least secure from what is in effect an "insider attack".

The old mechanical locks need sometimes hard to get key blanks that then need to be cut. This process takes not just time but also "obvious equipment" that you can not hide in your pocket. In the past I've had to first cut blanks from "bar/shim stock" using a small milling machine. Then cut the blank I'd made with the pin profile.

Electronic cards are very very cheap, just pennies each (which is why hotels love them). They are also often "standard" such as ABA mag stripe cards or more modern smart/NFC cards, thus readily available in bulk. Further there are many makes and models of often very small card writers that can be easily "reboxed" etc. to look like something else that plug into a USB port etc.

As for the security of what happens on these cards, it's usually very very low. In fact little more than "security by obscurity". The reason is they tend to be "data rich" to support significant multitudes of options. Some older systems used as little as 12 bits for establishment identification, with the obvious all zeros or all ones being used to designate manufacturing master programming keys.

That is, the lock installer would make a "Maintenance Master Key" at the "front desk unit"; when they installed a lock they would "dip and test" with the manufacturing master key, then "dip and prog" by putting the manufacturing key in, then without turning the handle they would put in the maintenance master to program in the establishment ID. It was then up to the hotel maintenance staff to make room ID cards at the front desk unit and use the maintenance master key to program in the room number and door type into the lock.

The thing is there are so many "feature bits/nums" that there are little or no bits left over for security. At least one lock manufacturer, when doing a security update, squeezed in four or five bits at the front of the data that were used as a repeating XOR to "stream cipher" the data.

As quite a few here know, this is not security because if the bits are in fixed positions and you know that you can "flip bit X" to make your guest card a Maintenance card you can just flip the bit irrespective of what value it has on the "guest key"...

This sort of attack works on many basic data structures that use bit states to set a hierarchy. Because often when you set a very high hierarchical bit, all the other bits get ignored in the software or have irrelevant to use meanings...

This state of affairs started back in at least the 1980's and remains for "backwards compatibility" or, if you prefer, due to "known to work code reuse". Any security additions are usually "afterthoughts" at a much later date that just put a new overly simple layer on top that looks clever to those who don't know any better, and pleases management because the cost is minimal...

Another lock I know of had a four wire "emergency port"; this was there in case the lock battery failed. The "security unit" issued to the hotels had a complicated procedure involving a serial protocol as well as powering up the lock. The protocol had a sting in its tail: those who designed the lock used the same port for doing software testing and the protocol would jump to either a specified address in the ROM code, or to an address in a lookup table. This feature was considered so useful it was retained to be used to do "factory testing" via ATE.

However there was a further sting in the tail, that I found. The lock used a solenoid actuator. Being an inductive component it had "back EMF" protection not just by a simple snubber network but also power rail diodes. For some reason one of these was a Zener diode... For those that do not know, a Zener is actually a normal diode with a small voltage drop in one direction and in effect a reverse biased low breakdown voltage diode in the normal operating direction. Placed where it was in the circuit, simply connecting the power the wrong way around on the test port would put current through the solenoid, thus opening the lock without any fuss whatsoever. My faith in Underwriters Laboratories (UL) was somewhat shaken on seeing this because they had certified the lock... I decided at the time that the best thing to say was nothing and just tuck it away in my memory as a "useful fact". Yes I did build a little box to take advantage of it as I occasionally "got dicked" on "call outs" around London when the usual staff were away doing major installs etc. What surprised me is people saw me using my little box, but nobody ever asked any questions...
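The "repeating XOR" layer and the fixed-position privilege bit that Clive describes, as an added example that is not part of the original post or any vendor's format: it assumes a constructed toy card layout (a 5-bit XOR key in front of a 12-bit establishment id, 8-bit room number and 1-bit privilege flag) and shows that the obfuscation provides no integrity for a bit at a known position, and that a keyed authentication tag over the record, with the secret held in the lock and front-desk unit rather than on the card, detects the modification.

```python
import hmac
import hashlib

# Constructed toy card layout for illustration only (not any vendor's real
# format): a 5-bit XOR "key" sits in front of a 21-bit payload that holds a
# 12-bit establishment id, an 8-bit room number and a 1-bit privilege flag.
KEY_BITS = 5
PAYLOAD_BITS = 12 + 8 + 1
PAYLOAD_MASK = (1 << PAYLOAD_BITS) - 1
PRIV_BIT = 0          # the privilege flag always lives at this fixed position


def encode_payload(establishment: int, room: int, maintenance: bool) -> int:
    """Pack the three fields; the privilege flag is the lowest bit."""
    return (establishment << 9) | (room << 1) | int(maintenance)


def decode_payload(payload: int) -> dict:
    return {
        "establishment": payload >> 9,
        "room": (payload >> 1) & 0xFF,
        "maintenance": bool((payload >> PRIV_BIT) & 1),
    }


def xor_mask(key: int) -> int:
    """Repeat the 5-bit key across the payload width: the 'stream cipher' layer."""
    mask = 0
    for shift in range(0, PAYLOAD_BITS, KEY_BITS):
        mask |= key << shift
    return mask & PAYLOAD_MASK


def write_card(key: int, establishment: int, room: int, maintenance: bool) -> int:
    """Obfuscate the payload with the repeating XOR and prepend the key bits."""
    payload = encode_payload(establishment, room, maintenance)
    return (key << PAYLOAD_BITS) | (payload ^ xor_mask(key))


def read_card(card: int) -> dict:
    key = card >> PAYLOAD_BITS
    return decode_payload((card & PAYLOAD_MASK) ^ xor_mask(key))


def privilege_bit_is_malleable(establishment: int, room: int) -> bool:
    """Check the weakness described above: for every possible key value, a
    guest card whose fixed privilege bit has been flipped still decodes
    cleanly, now as a maintenance card with all other fields intact."""
    for key in range(1 << KEY_BITS):
        guest = write_card(key, establishment, room, False)
        altered = read_card(guest ^ (1 << PRIV_BIT))
        if altered != {"establishment": establishment, "room": room, "maintenance": True}:
            return False
    return True


# Hardened form: a keyed tag over the whole card record, computed with a
# secret that lives in the lock and front-desk unit, never on the card.
def write_card_authenticated(secret: bytes, key: int, establishment: int,
                             room: int, maintenance: bool) -> tuple:
    card = write_card(key, establishment, room, maintenance)
    tag = hmac.new(secret, card.to_bytes(4, "big"), hashlib.sha256).digest()
    return card, tag


def read_card_authenticated(secret: bytes, card: int, tag: bytes):
    """Return the decoded record, or None when the tag does not match the card."""
    expected = hmac.new(secret, card.to_bytes(4, "big"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return read_card(card)
```

A lock that stores a tag per card would also have to reject any card whose tag fails, rather than fall back to decoding the obfuscated fields.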

Clive Robinson • May 1, 2018 10:10 PM

I can tell that most people commenting here do not know very much about the hospitality industry.

Firstly electronic locks are more expensive than mechanical locks, but the cost of cutting replacement keys for mechanical locks is actually quite high. In the past larger hotels had maintenance staff who were trained locksmiths as employees, to offset the cost of guests taking keys home and having rooms forced to vacant. Also front desk staff used to have an extra person just for key handling. Thus electronic locks with throwaway keys that cost pennies paid for themselves very very quickly on those fronts alone. But a guest key can be and often is more than just their room key; it's used with minibars, lifts, gyms, swimming pools, paying for items and all manner of extra services such as for conferences etc.

Secondly there is the problem of "patching": hotel locks used not to be networked or connected together in any way for various reasons, and many still are not. Likewise changing the firmware was an energy intensive process that would knock months off the expected battery life. There was also the risk of completely scrambling the lock such that it would have to go back to the factory or even be scrapped.

If people look back on this site, one of the biggest moans about firmware patching for motherboards and peripherals is the lack of security. People have talked about having jumpers on the boards such that you have to open the case, make the link, do the patch, open the link and put the case back together again. Imagine if you will what would happen to hotel security if the "patch port" was made easily accessible. It would take little or no time for someone to steal a lock, find out which pins the patch port was connected to and identify the MCU chip and look its number up or, if specially numbered, by tracing out the circuit and probing various pins with a JTAG tester identify the actual chip and in many cases of older very low-power MCUs actually download the code out of the chip. Then come up with their own patch or make up "magic boxes" etc. to sell. We've seen this with cable and satellite TV, vehicles with electronic locks and many other systems like USB memory sticks where the old very cheap ones are reprogrammed to look like their much more expensive and newer big brothers. Not a week goes by without somebody reverse engineering a FMCE or equivalent and using the information to make money.

If patching a hotel lock was made low cost, that would mean making it quick and easy to the point somebody just walked down the corridor, plugged in a lead to the lock, pressed a button on a box and watched a couple of LEDs for thirty seconds then unplug and go to the next lock. That would be just as quick for an attacker to do...

Thus making the patch convenient for the hotel staff makes it just as convenient for an attacker of all sorts to do.

As was noted, the Mossad hit team that murdered the Palestinian did something similar to reprogramming the lock on his room to get access.

Security is about making life difficult or too resource expensive for an attacker, or detecting and delaying them long enough for a human response to arrive and deal with them. Reducing any of that reduces the security of the system, thus making an attack way way more likely.

Angrymaus • May 2, 2018 4:23 AM

"I can tell that most people commenting here do not know very much about the hospitality industry."

It is exactly the point.

What if maximized low-cost / idiot-friendliness were not the singularly expressed objectives?

How many drunks would lock themselves to death in their rooms per hour, do you think? Exactly.

Because that is what we're talking about, the lowest common functional security denominator.

They only give you free shampoo and soap because hiring people to interact with you, the product, costs more.

John • May 2, 2018 6:31 AM

"If patching a hotel lock was made low cost"

I'm currently writing an iOS app to talk to an nRF52 chip via Bluetooth. These chips are cheap, powerful, easy to integrate in all kinds of hardware, and given a smart engineer, make it very easy to meet the requirements for low cost and secure patching that can only be done by hotel management. Hell, just a bit more thinking on this will get you a lock with a master key that can be easily protected as well. Since I'm in no way here to promote Nordic or their chips, I'm sure regulars here can come up with a long list of cheap chipsets that'll, in the hands of competent engineers and product managers, meet the specifications of the hospitality industry in a much more secure way than the current set of "locks".

Which means we currently have either 1) no competent engineers and product managers assigned to this problem, or 2) an unwillingness to get this done right. As with most IoT devices, of course. See the other thread for a metric ton of similar unwillingness to do the right thing.

echo • May 2, 2018 10:37 AM

@Clive

Lots of good thoughts on the hotel industry and what problem they are trying to solve and the practicalities of achieving this and difficulties of creating good secure solutions. The concepts are easy to understand even if this can become very technical and slide into unfamiliar territories. Lots of food for thought!

My experiences with these kinds of things are very limited and come from very different angles.
