Millions of electronic locks in hotels around the world are at risk of being hacked by a master key.
Researchers at cybersecurity company F-Secure uncovered a design flaw in VingCard's Vision electronic lock software that, if exploited, could enable attackers to gain access to any room in a targeted hotel and carry out what are known as evil maid attacks. The researchers found a technique for building a master key that takes under a minute.
Assa Abloy, the Swedish parent company of VingCard, issued a software update that prevents the keycard vulnerability from being exploited, but because the locks themselves are not connected to the internet, each lock also needs a firmware update before the fix takes effect. That means every one of the roughly 42,000 affected properties in 166 countries must be updated on site, according to the researchers.
F-Secure's researchers, Tomi Tuominen and Timo Hirvonen, worked for years to uncover this vulnerability in the hotel keycard software. They haven't released specific details of the exploit in an attempt to prevent attackers from taking advantage of it, but they have said all an attacker needs to start is any keycard that works in the targeted hotel. This would include old or expired keycards that were tossed in the trash.
With such a card in hand, an attacker would need a handheld radio frequency ID (RFID) card reader/writer and the right cryptographic methods to narrow down the set of possible master key codes. The tool then cycles through the remaining candidates, typically hitting the correct one within about 20 attempts, and writes that code to a card that will open any door in the property. According to Tuominen and Hirvonen, the whole process takes about a minute.
The keycard vulnerability is only in older models of VingCard's Vision locks, but that still amounts to millions of rooms.
Tuominen and Hirvonen reported their findings to Assa Abloy a year ago and worked with the company to fix the keycard vulnerability. Assa Abloy released the software update in February. Tuominen and Hirvonen said the number of intrusions resulting from the flaw is probably small, and to their knowledge it has not been exploited in the wild, but hotels still need to update their locks.
In other news:
- The International Organization for Standardization rejected two encryption algorithms developed by the National Security Agency over concerns that they might contain backdoors. The NSA designed the lightweight block ciphers "Simon" and "Speck" with the aim of making them the global standard for internet-of-things devices, but ISO delegates were concerned the designs could hide weaknesses that would enable American intelligence agencies to break the encryption. One ISO delegate, Tomer Ashur, claimed on Twitter that the NSA was "adversarial" when questioned about the algorithms' design rationale, and that this was a contributing factor in their rejection. He also claimed the NSA acted as bullies during the three-year process of examining the algorithms, though ISO working-group meetings are closed to the public, so there is no public record of the interactions.
- Cisco patched a vulnerability in its Security Assertion Markup Language (SAML) single sign-on implementation late last week. The flaw affected SAML SSO authentication for the Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. It could enable a remote, unauthenticated attacker to establish an authenticated AnyConnect session through a device running either vulnerable product, provided the attacker could get a user to authenticate via a third party. "The vulnerability exists because there is no mechanism for the ASA or FTD Software to detect that the authentication request originates from the AnyConnect client directly," the Cisco advisory said. Cisco has released software upgrades that fix the vulnerability and recommends that users update immediately.
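The underlying weakness in the Cisco item is a SAML service provider that cannot tell which client a SAML Response belongs to. The following is an added illustration of the general defence for that class of problem, not Cisco's code and not a description of its patch: a minimal SAML 2.0 service provider that only accepts a Response whose InResponseTo matches an AuthnRequest it minted for the same client session, and rejects unsolicited, cross-session, expired and replayed responses. The class and function names, the ACS URL and the sample IdP messages are all constructed for the example; XML signature verification is assumed to be done by the caller and is represented by a flag.

```python
"""Added illustration (not Cisco's code, not its patch): a minimal SAML 2.0
service provider that only accepts a Response for an AuthnRequest that the
same client session issued, and refuses unsolicited, mismatched, expired and
replayed responses.  All names, URLs and sample messages are constructed."""
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class ServiceProvider:
    def __init__(self, acs_url, ttl_seconds=300):
        self.acs_url = acs_url
        self.ttl = ttl_seconds
        self.pending = {}             # AuthnRequest ID -> (client_session, issued_at)
        self.used_assertions = set()  # assertion IDs already consumed (replay guard)

    def start_login(self, client_session, now=None):
        """The client that opens SSO gets an AuthnRequest ID tied to its own session."""
        request_id = "_" + secrets.token_hex(16)
        self.pending[request_id] = (client_session, now or time.time())
        return request_id

    def consume_response(self, client_session, response_xml, signature_valid, now=None):
        """Return (accepted, detail).  signature_valid is the outcome of XML-DSig
        verification, which the caller is assumed to have done first (e.g. with
        xmlsec); a real SP must never skip it."""
        now = now or time.time()
        if not signature_valid:
            return False, "bad signature"
        root = ET.fromstring(response_xml)
        if root.tag != "{%s}Response" % SAMLP:
            return False, "not a samlp:Response"
        if root.get("Destination") != self.acs_url:
            return False, "wrong Destination"
        # Single use: the request ID is removed whether or not the response is accepted.
        entry = self.pending.pop(root.get("InResponseTo", ""), None)
        if entry is None:
            return False, "unsolicited or unknown InResponseTo"
        owner, issued_at = entry
        if now - issued_at > self.ttl:
            return False, "AuthnRequest expired"
        if owner != client_session:
            # The request was minted for another client session: whoever is
            # presenting this token is not the party that started the login.
            return False, "response not bound to this client session"
        assertion = root.find("{%s}Assertion" % SAML)
        if assertion is None:
            return False, "no Assertion"
        if assertion.get("ID") in self.used_assertions:
            return False, "assertion replayed"
        self.used_assertions.add(assertion.get("ID"))
        name_id = assertion.findtext("{%s}Subject/{%s}NameID" % (SAML, SAML))
        return True, name_id


def make_response(in_response_to, acs_url, assertion_id, name_id):
    """Constructed IdP response for the demo (unsigned; real ones carry ds:Signature)."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_%s" Version="2.0"'
        ' Destination="%s"%s>'
        '<saml:Assertion ID="%s" Version="2.0">'
        '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
        % (SAMLP, SAML, secrets.token_hex(4), acs_url, irt, assertion_id, name_id)
    )


def demo():
    """Run the five scenarios and return their outcomes keyed by name."""
    acs = "https://sp.example.test/saml/acs"  # hypothetical ACS URL
    sp = ServiceProvider(acs)
    results = {}
    # 1. Normal login: the session that asked is the session that delivers.
    rid = sp.start_login("session-alice")
    results["normal"] = sp.consume_response(
        "session-alice", make_response(rid, acs, "_assert1", "alice"), True)
    # 2. Unsolicited response with no InResponseTo (forged or IdP-initiated).
    results["unsolicited"] = sp.consume_response(
        "session-mallory", make_response(None, acs, "_assert2", "alice"), True)
    # 3. Token hijack: a request minted for one session is answered in another.
    rid2 = sp.start_login("session-mallory")
    results["hijack"] = sp.consume_response(
        "session-alice", make_response(rid2, acs, "_assert3", "alice"), True)
    # 4. Replay: a previously accepted assertion wrapped in a fresh response.
    rid3 = sp.start_login("session-mallory")
    results["replay"] = sp.consume_response(
        "session-mallory", make_response(rid3, acs, "_assert1", "alice"), True)
    # 5. Stale request presented long after the TTL.
    rid4 = sp.start_login("session-bob", now=1000.0)
    results["expired"] = sp.consume_response(
        "session-bob", make_response(rid4, acs, "_assert4", "bob"), True, now=2000.0)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The session binding is the point: the SP remembers which client asked for each AuthnRequest and refuses to mint a session for anyone else who turns up with the answer. The replay set is defence in depth for IdPs that sign the Assertion rather than the whole Response, and the TTL keeps the pending table from growing without bound.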
- The Securities and Exchange Commission (SEC) is fining Altaba -- the company that holds what remains of Yahoo after Verizon acquired its operating business -- $35 million for failing to inform investors of the 2013 and 2014 data breaches in a timely manner. The 2013 breach exposed all 3 billion Yahoo user accounts and associated personal information, and a separate 2014 intrusion attributed to Russian hackers compromised roughly 500 million more. Yahoo did not disclose the breaches, publicly or in its SEC filings, until 2016, and the SEC ruled this misled investors. "Although information relating to the breach was reported to members of Yahoo's senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors," the SEC said in a statement. "The fact of the breach was not disclosed to the investing public until more than two years later, when in 2016 Yahoo was in the process of closing the acquisition of its operating business by Verizon Communications, Inc."