EDIT: Thank you for all the questions! It's 7:05PM in Finland and we are off for the weekend :).

Some people play football. Some people play golf. We like to solve mysteries. This is Tomi Tuominen, Practice Leader at F-Secure Cyber Security Service, and Timo Hirvonen, Senior Security Consultant at F-Secure. About a decade ago we were at an infosec conference in Berlin. We learned that a laptop of a fellow researcher was stolen from a locked hotel room while they were out. There were no signs of forced entry, not a single indication of unauthorized room access -- nothing physical and nothing in the software logs. The hotel staff simply refused to believe it happened. But we never forgot. We figured that it might be possible to exploit the software system and create a master key basically out of thin air. It took a decade of countless hours of our own time but last month we finally revealed our research, after working with the manufacturer to fix the vulnerability.

Now, for the first time, we're here to answer all the questions we can without violating ethical agreements with manufacturers and customers about our day jobs hacking businesses for a living and our hobby of hacking hotels.

PROOF: https://twitter.com/tomituominen/status/991575587193020417 https://twitter.com/TimoHirvonen/status/991566438648434688

You can find out more about the hack and why it took so long on this podcast: https://business.f-secure.com/podcast-cyber-security-sauna-episode-7

Or just read this: https://safeandsavvy.f-secure.com/2018/04/25/researchers-find-way-to-generate-master-keys-to-hotels/

You can also find out more about ethical hacking by checking out this AMA by our colleague Tom:
https://www.reddit.com/r/IAmA/comments/7obnrg/im_an_ethical_hacker_hired_to_break_into/

Comments: 1384 • Responses: 40  • Date: 

GoodDogvvv2650 karma

Do you guys think there were a lot of master keys being made out there? Like were there quite a few people who would have figured out how to do it or just like one or two people who made them all?

Was the software hotels use the same or similar to other businesses that possibly had the same problem?

anagrambros2373 karma

It's certainly possible that somebody else has come up with the same hack but we don't really have visibility to that. After all, the attack is very stealthy and a lot of forensic experts wouldn't really know what to look for.

DrBoomkin629 karma

Then how was that laptop stolen all those years ago?

anagrambros1264 karma

The laptop theft was what inspired us to start this research. We will never know whether the method we discovered was used to steal the laptop.

2flippinwombats936 karma

A magic genie grants you one hack to bypass any security or access any electronic. What do you choose?

EDIT: spelling

anagrambros1688 karma

sudo access to the magic gene pool

mikkohypponen632 karma

What kind of door locks were used in the al-Bustan Rotana hotel in Dubai in 2010 when Mahmoud Al-Mabhouh stayed there?

anagrambros737 karma

According to the Wikipedia article https://en.wikipedia.org/wiki/Assassination_of_Mahmoud_Al-Mabhouh the locks were VingCard Vision, the same brand we did our research on.

Regibiel613 karma

Wouldn't it be possible to just walk with a RFID scanner past a cleaning lady and make a copy of her card?

anagrambros701 karma

Yes, you could easily read the card but creating a physical clone is trickier since the data on the card has a checksum that is tied to the RFID UID. If you want more details, we recommend watching our INFILTRATE presentation: https://vimeo.com/267613809

shif114 karma

isn't the signal in the end still repeatable? why would the RFID UID matter if you can replicate the signal without using a standard card?

anagrambros172 karma

The RFID UID does not matter if you use a device like Proxmark to simulate the card.

Nadarrah15552 karma

Am currently in a hotel. Can you bring more towels up please? Also, what are the chances of someone recreating a card key and breaking into the room?

anagrambros491 karma

Unfortunately we are out of towels at the moment. We apologize for the inconvenience.

aecht462 karma

Did Angelina Jolie inspire you to become hackers?

anagrambros706 karma

Let's just say we wouldn't be where we are today without her.

trogdors_arm289 karma

I hope this doesn't sound rude, but I'm curious about what seems like a disconnect. If you're correct, why was this hack available to someone 10 years ago, but took your team a decade to duplicate?

anagrambros323 karma

The laptop theft was what inspired us to start this research. We will never know whether the method we discovered was used to steal the laptop.

KILLERBUBBLES21231 karma

Hi, I was wondering if someone was interested in ethical hacking in high school going into college, what are somethings they could do to learn more about it? thanks!

Edit:Thanks everyone for the information, I definitely have a lot of reading to do. I don't usually post on Reddit just normally read though so it means a lot!

anagrambros250 karma

Here's a great article on getting started with ethical hacking: https://safeandsavvy.f-secure.com/2017/12/22/so-you-want-to-be-an-ethical-hacker-21-ways/

sonicboom21191 karma

How did you guys go about getting your CEH certification? Self study or through a training company?

anagrambros465 karma

We're pretty sure our certificates got lost in the mail ;-)

sleepyeyed158 karma

Reminds me of the movie Sneakers. You guys like that movie?

anagrambros125 karma

We both love the movie :)

jmann586101 karma

So you are currently ethical hackers. Did you ever think about being malicious and hacking to get personal gains or is that against your morals?

anagrambros205 karma

We gain enough by being paid to do stuff we love :)

Dalriata89 karma

I recently read a book, recommended to me by my sysadmin teacher called The Cuckoo's Egg, about a hacker from the 80s, more specifically the guy who tracked him down. It really got me interested in infosec. Is there any literature you would recommend for someone who's at least curious about the field?

anagrambros84 karma

Uranus77778 karma

How do you feel about Spectre and meltdown?
Will we see attacks based on these major vulnerabilities?

anagrambros126 karma

Both Spectre and Meltdown are ingenious vulnerabilities. However, very often there are easier ways for attackers to get what they want.

Vaasuuu73 karma

Cake or pie? and why?

anagrambros89 karma

Definitely cake

eganist60 karma

How would you rate speaking at Infiltrate Con vs other major shows? I know I have my own experiences and opinions about Blackhat / DEF CON / BSides LV but it's always neat hearing about the other cons outside the Vegas Trio.

(fwiw, I build security programs, so I'm down to trade ideas to bring product security forward in industries/verticals where people seem not to care... you know, like in the hospitality business)

anagrambros58 karma

We might be a bit biased but we think t2 (https://t2.fi/) blows everything else away :)

eganist17 karma

Interesting. What about it makes it special for you guys? I know I love the local cons around DC (especially charmsec, rvasec, shmoocon), but I'm always up for an excuse to travel.

anagrambros63 karma

We're biased because we organize it :). We cap the amount of attendees to 99 and that keeps it focused on the hacking.

XyberYogi52 karma

Hello! I am trying to transition to Cybersecurity --- I have worked as a field engineer (International News Channel) from 2006-2016 and I have a fair background in IT Support. I started my college education back in 2016 in the US (after being made redundant, losing my job) with focus on Cybersecurity (two year associate degree which I hope to complete by the end of this year) I'm 40 years old and concerned that I might be considered as someone passed his prime. Any advise for someone like me who is trying to get my foot in the industry (Cybersecurity)? Many of the organizations in the US require some kind of clearance (and citizenship) to work in the Cybersecurity field - is that the same case with EU countries and organization like F-Secure? I am a Filipino national, another reason why my options might seem limited in terms of work opportunity.

Thank you this IAmA segment. I appreciate any response or comments.

Have a good one!

anagrambros57 karma

It's never too late to start! If you're passionate about something and willing to put in the hours you're going to be good.

We have a lot of different nationalities, including Filipinos, at F-Secure. As far as we know, there are no laws restricting you from working in this field.

crypticgeek41 karma

Can you share some more information about how hotels and their technical vendors and partners can identify vulnerable systems? Vulnerable product names, software versions, firmware versions, etc? In your talk you very briefly mention that Vision is what you tested, but you did not test Visionline. Can you clarify if it's just untested against your attacks or if it's not similarly vulnerable? Are there CVEs? Do you know why the vendor is hiding this information in their support portal like it's the 90s?

anagrambros38 karma

The affected software is called Vision by VingCard. According to the information on the Assa Abloy website (https://www.assaabloyhospitality.com/en/aah/com/), "We have identified a potential vulnerability in Vision systems in combination with RFID locks of version 6.4.2 and below." We have not done research on Visionline.

gare_it33 karma

am I correct in assuming that if the hack was targeted to a specific room it would be much easier to generate a key (rather than making a master key that would work on any room)?

anagrambros38 karma

Targeting a specific room would be equally difficult.

Kamilny13 karma

Why is that? Is it because to target a specific room you're basically doing the same as just getting a master key?

anagrambros29 karma

Yes, targeting a specific room requires the same brute forcing step.

AllisonHP20 karma

[deleted]

anagrambros37 karma

The owner of the laptop was working on some pretty valuable security research so whoever stole it was probably after the data not the hardware.

bergler2814 karma

Is that ethical? I mean the master key for hotel rooms? Seems like that could create some bad situations..

anagrambros10 karma

In order to protect innocent hotel guests, we are not disclosing all the technical details of the attack to the public. Once we identified the security issues, we immediately contacted Assa Abloy and we worked together with them to address the issues.

blakhal09 karma

Was there consideration that someone used an under the door tool or some other physical bypass method to open the door instead of an attack on the lock?

anagrambros8 karma

It's certainly possible

jb_the_meme_dealer9 karma

It's creepy thinking about this getting in the wrong hands, is there any possible update that can stop the master key?

anagrambros10 karma

We worked together with Assa Abloy to address the issues and a fix has been available since early 2018

akashcodes4 karma

How do you guys persist?

anagrambros11 karma

If you're not smart you have to be persistent

eminemappears4 karma

In the article you write ...

Only after we thoroughly understood how the whole system was designed were we able to identify seemingly innocuous shortcomings.

Do you think these shortcomings of the system, without the benefit of your hindsight, could have been identified by Assa Abloy internally (by people who thoroughly understood how their product worked)? Or is the hack so complex that it couldn’t have been estimated?

Edit: I changed some text to clarify.

anagrambros14 karma

Attacks never get worse, they only get better. Developers are too busy building things to learn how to break them. For us, ethical hacking is a lifestyle.

oh_my_jesus3 karma

What is your favorite thing about Windows, OSX, and Linux?

anagrambros38 karma

Tomi's favorite thing about Windows is that Timo uses it and as an avid OSX user Tomi thinks it gives him the right to make fun of Timo.

CuntZillah3 karma

I enjoyed the read, and saved the podcast for later. Can you recommend some fun ethical hacking related activities please?

anagrambros5 karma

CTFs are a great place to start. Timo recommends https://microcorruption.com

BurgerPleaseYT2 karma

What's your favorite burger joint?

anagrambros14 karma

Wthermans2 karma

Serious question. Do you believe physical locks are better than software based systems?

I see the argument on both sides and am personally in favor of the physical, but that brings me to a second question.

If software based door locks are not safe, could the same be said for software based locks on the hotel safes?

anagrambros2 karma

It really depends on your use case.

For homes or small businesses we would definitely recommend physical locks but for bigger facilities the management of physical keys becomes a challenge.

In the end, it is the implementation that matters.

PlayboyJoe6191 karma

Hi,

would it be possible to copy a Keycard from said hotel chain with an RFID reader? I think the attack could have been performed with something like that. Also does cleaning personnel not usually have something like a master key? Then I'd just wait for the cleaning lady and try to either copy her card or just let her open my desired room for me telling her that I forgot me card inside. Doesn't the hotel keep logs of who gained entry to which room at what time and can this be ruled out as a possibility?

Also as I'm working in IT and we use a Lenel Badge for access to our building, do you know if this system is potentially vulnerable to this kind of attack? Maybe if you could share some links on RFID Security in general that would be appreciated as we're trying to implement more of those systems in the future.

anagrambros2 karma

Yes, you can easily read a key card but creating a physical clone is trickier since the data on the card has a checksum that is tied to the RFID UID. If you want more details, we recommend watching our INFILTRATE presentation: https://vimeo.com/267613809

The locks are offline - they are not connected to any network or computer. In order to check the lock event log you need to go physically to the lock and manually read out the log.

We haven't done any research on the Lenel Badge.

v1prX1 karma

ThinkPad or MacBook?

anagrambros3 karma

IBM or Lenovo ThinkPad?

v1prX1 karma

I've only ever used the Lenovo ones (the X1 Carbon I bought in 2012 comes to mind), although I've heard the IBM ones were top of their class back then. I guess Lenovo, since Centrino is pretty much dead.

anagrambros1 karma

Our final answer is: MacBook (Pro)

spockspeare1 karma

How long did it take them to defeat your hack?

anagrambros3 karma

If you are referring to Assa Abloy fixing the issue, we worked together for over a year to address the issues.

Beretot1 karma

Tips for getting into the area? I'm a software engineer and I'm very interested in security, but my computer engineering degree was unfortunately very lacking in cybersec. What makes for a good prospective employee in your company?

anagrambros2 karma

Here's a great article on getting started with ethical hacking: https://safeandsavvy.f-secure.com/2017/12/22/so-you-want-to-be-an-ethical-hacker-21-ways/