In 2003, researchers from F-Secure were attending a security conference in Berlin — specifically, the ph-neutral hacker conference — when a laptop was stolen from a locked hotel room. They reported the theft to the hotel staff, but felt they weren’t taken too seriously because, dressed in typical hacker gear, “We kinda looked like a bunch of hippies.”
More to the point, however, there was no sign of the door being forced, nor any indication from the electronic locking system’s logs that anyone had entered the room in their absence.
The locking system was Assa Abloy’s Vision by VingCard — a state-of-the-art system from one of the world’s most trusted and widely-used facilities security firms. In short, the laptop was stolen by a ghost that could pass through locked doors and leave no trace.
Vision by VingCard is deployed in 166 different countries, 40,000 facilities, and millions of doors.
F-Secure researchers told SecurityWeek, “Our guy was working on some really interesting and specific stuff; and, yes, it would absolutely have been of interest to any 3, 4 or 5 letter agency in many different nation-states.” Without naming their victim researcher, they added, “This was not some Joe-average researcher, and we have always been 100% sure that the laptop was stolen.”
With this background it is not surprising that the researchers started to investigate the locking system. Specifically, they were looking for a Vision by VingCard vulnerability that could be exploited without trace — and eventually they found one. It took thousands of hours work over the last 15 years examining the system and looking for the tiniest errors of logic.
“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” said Timo Hirvonen, senior security consultant at F-Secure. “Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”
In summary, with any existing, old or expired keycard to any room on the system, it is possible to generate a master key that can be used to gain entry to any of the hotel rooms without leaving a trace on the system. An attacker could book a room and then use that keycard as the source; or could even read the data remotely by standing close to someone who has a card in a pocket — in a hotel elevator, for example.
“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” commented Tomi Tuominen, practice leader at F-Secure Cyber Security Services. Property, such as F-Secure’s laptop, could be physically removed; or an evil maid attack on any discovered laptop could deliver malware or perhaps prepare the device for remote control by usurping the Intel Management Engine BIOS Extension (MEBx).
Hirvonen explained the process of developing a master card to access a room. The first requirement is to obtain any keycard, current or expired, to any door in the target facility. A custom-tailored device (actually a Proxmark RFID token reader/writer) is then held close to the target lock. The device tries different keys, and in an average of less than one minute, locates the master key and unlocks the door. “The final step is that you either use the device as the master key, or you write the master key back to your keycard. This only has to be done once. You have found the master key and you can access any room in the hotel.”
The basic Proxmark can be bought online for around 300 euros; but, added Hirvonen, “It is our custom software that does the work. It emulates different keys, and one of those will be the master key.” He explained further. “On paper, it looks as if the keyspace is too big to crack so quickly using brute force. But we were able to combine small technical design flaws with a process vulnerability that allowed us to reduce the keyspace from a gazillion to something that could be brute forced in an average of 20 tries.”
The capacity of the card is 64 bytes; and of those some 48 bytes are usable. It includes multiple different data fields on the card. “Once we identified the eleven different data fields,” continued Hirvonen, “we realized that what remained could feasibly be attacked.”
F-Secure reported its findings to Assa Abloy in April 2017, and for the last year the two firms have worked on a solution. At first, Assa Abloy thought the solution would simply be to increase the keyspace on the cards — a theoretical solution that F-Secure repeatedly demonstrated didn’t work in practice. The real solution has included effective randomization of the whole keyspace; and Assa Abloy has now released an update for its systems.
“Because of Assa Abloy’s diligence and willingness to address the problems identified by our research,” says Tuominen in an associated blog published today, “the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible.”
Full technical details of the attack will not be released by F-Secure, and Tuominen and Hirvonen have stressed that they are unaware of this exploit ever being used in the wild. But then, how would you detect the phantom use of a forged master keycard that leaves no trace on the system logs?