
This Master Hotel Key Could Have Unlocked ‘Millions of Doors’ Around the World

After a colleague had their computer stolen from their hotel room during a security conference, these two Finnish researchers were determined to make hotel keys more secure.

In 2003, Finnish security researchers Tomi Tuominen and Timo Hirvonen were at a security conference when one of their colleagues had their laptop swiped from their hotel room. The thief left no trace of how they had gotten in: there were no signs of forced entry and nothing in the hotel’s software logs. This led Tuominen and Hirvonen to suspect that the burglar had figured out how to bypass the hotel’s security system entirely and gain access to the room without a key.

The event inspired the duo, who now work at the security company F-Secure, to begin researching hotel security systems as a side project. After 15 years of work, they managed to uncover a major vulnerability in a lock used by hotels around the world that would’ve effectively given the researchers a master key to “millions of doors.”

“You can imagine what a malicious person could do with the power to enter any hotel room with a master key created basically out of thin air,” Tuominen said in a statement.

All the hack requires is a hotel key for a target hotel that uses the Vision locks created by a company called VingCard. Even a long-expired key card will suffice. Using a Proxmark3, an RFID reader that costs only about $300, a hacker can read the key on the card and use the same device to create more keys of the same type. According to Tuominen and Hirvonen, the device runs custom software made by the researchers to generate the keys for any door in the hotel within minutes, and it can then be used to gain access to any room in the hotel.

“We could not believe our eyes when our master key opened the first lock,” Tuominen told the Finnish news site Helsingin Sanomat. “This is not the method career criminals use to break into hotel rooms.”

Moreover, the vulnerability in the Vision software that made this hack possible could also be exploited to reveal customer data.

This hack was revealed to the lock company last year, and Tuominen and Hirvonen worked with the company to develop a patch that will protect the affected locks. It is then up to hotels to update the software by visiting every lock in the hotel and patching them individually. The researchers said they will not be publishing details of the attack to prevent its use at any hotels that may not have updated the lock software yet.

“Building a secure access control system is very difficult because there are so many things you need to get right,” Hirvonen said in a statement. “Only after we thoroughly understood how the whole system was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys.”