F-Secure researchers unlock a hotel door using their device in a YouTube video. Screengrab: YouTube

Tomi Tuominen and Timo Hirvonen, both researchers at cybersecurity firm F-Secure, have discovered a security flaw in the most popular manufacturer line of digital hotel locks.

Why it matters: Though they've worked with the manufacturers on a patch that has already been released, it is likely that not all the doors have been patched yet as 40 thousand hotels use the locks. The duo noted to Axios that manufacturer Assa Abloy's locks were very secure and the company was attentive to the problem. This is a prime example of a company doing everything right and still having vulnerabilities because no product is 100% secure.

F-Secure researchers demonstrate their hotel door hacking device.

The details: "It started at a hacker conference in Berlin in 2003," said Tuominen. "We came back to our room and found that our friend's laptop had been stolen. But the locks didn't show any signs of being broken into. The hotel didn't take us seriously because, I think, they thought we were hippies in black t-shirts."

  • Thus started a near 15-year side project where the duo researched how they could hack the locks. It took until last year to have a major breakthrough to digitally break the locks, during which time they learned "it's actually much easier to break the lock with a wire hanger."

How it works: They began by taking any key from a target hotel, even an expired one. That key gives them location-specific information to be used in the attack.

  • The key cards are embedded with one of an innumerable amount of potential passwords — too many to fire off possible passwords at a door until it opens. But Tuominen and Hirvonen figured out how to reduce the possible set of passwords for the master key to a set small enough for a device to try all of them in just a few minutes.
  • Once the device discovers the master key, it works on any door.

The remediation: Assa Abloy worked with the researchers to release a patch for the doors earlier this year. The researchers also discovered and helped patch a glitch that gave them access to the key database with access to certain business systems on a hotel network.

  • The patch requires each door to be updated individually, which could have slowed the patching process at some hotels. Tuominen and Hirvonen created an Android app that will test keys to see if doors have been patched.
  • They will present their project at the Infiltrate conference this week, but are leaving out key details to ensure that attackers don't victimize hotels that haven't fixed the issue yet.
