Jul 262012
 

Hotel keycards – convenient, if the stripe doesn’t get demagnetized. But secure? Possibly not.

Remember the good old days when a hotel would give you an actual key to your hotel room door?

Actually, I prefer the keycards – they are easier to keep in a wallet, and they can be a fun thing to collect as souvenirs of hotels stayed at, as well.  Now if only hotels would pay a bit more for the keycards and their associated reader/writer devices that store their magnetic details more ‘strongly’ on their stripes…..

There are good reasons for hotels to use the electronic lock systems.  The system keeps a record of every time and card used to access every lock, and if a ‘master keycard’ is lost or stolen, the system can electronically void the master keycard.  Back when hotels had regular keys, the loss of a masterkey would (at least in theory) require all the hotel’s locks to be re-cut, a huge cost.

Plus, each different guest gets their own unique keycard to their room’s door – there’s never a concern about a previous guest using their old keycard to access the room, whereas physical keys were always at risk of being duplicated or simply kept and misused in the future.

So, in lots of ways, the upfront greater cost of an electronic key system is generally quickly repaid in the form of better operational and security benefits, and our occasional hassle of demagnetized keycards has been accepted by all as a small price to pay.

But – oooops.  This article points out how a hacker has exposed a vulnerability affecting one of the major brands of keycard door locks, making it possible for a hacker with only a very small investment in electronic components to open locks belonging to that manufacturer.  Indeed, the hacker has sold his discovery to a locksmithing school, where, for all he knows (and for all he cares) the school is now teaching its students not only how to use regular lock picks to open regular locked doors, but how to use this new vulnerability to open electronic door locks too.

What to Do About Your Insecure Hotel Room Door

What should you do?  Two things, maybe even three.

First, check to see if the door on your hotel rooms uses this type of electronic lock or not (feel for the power port on its underside).  If it does, complain to the hotel management.

Second, be sure to always use the chain on your door while you are in your room.  Even a safety chain is little deterrence to a skilled burglar, but it might slow him down or cause him to move to an easier target room.

Third, you might want to consider some sort of door alarm.  I particularly like this type of device, which is inexpensive and easy to use.  It doesn’t work all the time (depends if there is an electrical connection between the outer and inner door handles) but you can test it yourself of course to see if it works at each hotel, and if it does, be sure to use it.  Other types of alarms rely on vibrations or on pins slipping out as the door opens, and are also reasonably functional and inexpensive.

Of course, these precautions only apply to when you’re in the room – they don’t help while you’re out of the room, which is why you should complain to the hotel management as well.

  2 Responses to “Security Flaw in 4+ Million Hotel Keycard Locks”

  1. […] has been two months and I have not heard any news from hotels on the massive key card security flaw exposed in July. Perhaps the best defense is sticking gum in the DC […]

  2. the electronic keycards allow dynamic updating of algorithms so it is almost next to impossible to be able to pick a lock and duplicate it for the future.
    Yes for magnetic stripe keycards to clone a current key is very easy but mind you the moment this guest checks out the key will no longer work. A new key is generated each time a new guest checks in and hence the possibility of a security breach is minimised.
    Yes the house keeping staff uses master keys and these allow universal access. So if one could clone that key then certainly you would have unlimited access to all rooms.

Leave a Reply