Businessinsurance.com reported that security consultants at F-Secure (a Finnish data security company) discovered about a year ago that by “getting hold of a widely used hotel key card, an attacker could create a master key to unlock any room in the building without leaving a trace,…”. The April 25, 2018 article entitled “Hotel key cards, even invalid ones, help hackers break into rooms” included these comments:
While the researchers have fixed the flaw together with Assa Abloy, the world’s largest lock manufacturer which owns the system in question, the case serves as a wake-up call for the lodging industry to a problem that went undetected for years.
The researchers helped Assa fix the software for an update made available to hotel chains in February. Assa said some hotels have updated it but that it would take a couple more weeks to fully resolve the issue.
Timo Hirvonen (one of the F-Secure consultants) made the following comment in an interview:
We found out that by using any key card to a hotel … you can create a master key that can enter any room in the hotel. It doesn’t even have to be a valid card, it can be an expired one,…
Given the number of plastic Hotel keys used around the world this very alarming news!