In 2003, Finnish security researcher Tomi Tuominen was attending a security conference in Berlin when a friend's laptop, containing sensitive data, was stolen from his hotel room. The theft was a mystery: The staff of the upscale Alexanderplatz Radisson had no clues to offer, the door showed no signs of forced entry, and the electronic log of the door's keycard lock—a common RFID card reader sold by Vingcard—had recorded no entries other than the hotel staff.
The disappearing laptop was never explained. But Tuominen and his colleague at F-Secure, Timo Hirvonen, couldn't let go of the possibility that Vingcard's locks contained a vulnerability that would let someone slip past a hotel room's electronically secured bolt. And they'd spend roughly the next decade and a half proving it.
At the Infiltrate conference in Miami later this week, Tuominen and Hirvonen plan to present a technique they've found to not simply clone the keycard RFID codes used by Vingcard's Vision locks, but to create a master key that can open any room in a hotel.
With a $300 Proxmark RFID card reading and writing tool, any expired keycard pulled from the trash of a target hotel, and a set of cryptographic tricks developed over close to 15 years of on-and-off analysis of the codes Vingcard electronically writes to its keycards, they found a method to vastly narrow down a hotel's possible master key code. They can use that handheld Proxmark device to cycle through all the remaining possible codes on any lock at the hotel, identify the correct one in about 20 tries, and then write that master code to a card that gives the hacker free rein to roam any room in the building. The whole process takes about a minute.
"Basically it blinks red a few