Intelligent CISO Issue 03 | Page 44

industry unlocked

New technologies are transforming the way that most industries operate – and the hospitality sector is no exception. Intelligent CISO looks at one particular cyberthreat hotels are facing while exploring a new partnership which is aiming to future-proof the industry.

There are few industries which have been untouched by advances in technology and, while there have been countless benefits as a result of this, there are, of course, new risk factors of which organisations and businesses worldwide now have to be aware.

One such industry which is embracing digital transformation – and facing cybersecurity issues – is hospitality.

One such example of a challenge was highlighted by researchers from F-Secure, a Finland-based cybersecurity company, which found that hotels worldwide are using an electronic lock system that could be exploited by an attacker to gain access to any room in the facility.

The design flaws discovered in the lock system’s software, which is known as Vision by VingCard and used to secure millions of hotel rooms worldwide, have prompted the world’s largest lock manufacturer, Assa Abloy, to issue software updates with security fixes to mitigate the issue.

The researchers’ attack involved using any ordinary electronic key to the target facility, even one that’s long expired, discarded, or used to access spaces such as a garage or closet. Using information on the key, the researchers were able to create a master key with privileges to open any room in the building. The attack could be performed without being noticed.

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” said Tomi Tuominen, Practice Leader at F-Secure Cyber Security Services. “We don’t know of anyone else performing this particular attack in the wild right now.”

The researchers’ interest in hacking hotel locks was sparked a decade ago when a colleague’s laptop was stolen from a hotel room during a security conference. When the researchers reported the theft, hotel staff dismissed their complaint given that there was not a single sign of forced entry and no evidence of unauthorised access in the room entry logs.

The researchers decided to investigate the issue further and chose to target a brand of lock known for quality and security. These security oversights were not obvious holes. It took a thorough understanding of the whole system’s design to identify small flaws that, when combined, produced the attack. The research took several thousand hours and was done on an on-and-off basis and involved considerable amounts of trial and error.

“We wanted to find out if it’s possible to bypass the electronic lock without leaving a trace,” said Timo Hirvonen, Senior Security Consultant at F-Secure. “Building a secure access control system is very difficult because