Internet of Things security flaw – key card locks vulnerable

Cameron Abbott, Warwick Andersen, Rob Pulham and Georgia Mills

It is a technology so innocuous that it hardly gets a second thought: electronic hotel key cards have been replacing the humble lock and key for over two decades. A recent study by Finnish security researchers has revealed a vulnerability in the technology. The discovery came as a result of the researchers’ obsession over many years to solve a mystery of how a laptop was stolen from a hotel room without leaving a trace. (Small consolation that it cannot have been easy to do given how long it took!)

Using a single hotel key card, even an expired one, the researchers were able to create a master key that could enter any room in the hotel without leaving a trace. The researchers discovered a weakness in how the locks are deployed and installed, together with a technical design flaw.

The technology is now outdated, but the manufacturer estimates it is still in use in hundreds of thousands of hotels worldwide.

Many of our team love this type of technology and want to have them in their homes. Consistently we have observed that Internet of Things have less security history and experience to rely on than mainstream software and systems, but their role is just as important.