Millions of hotel rooms are at risk of being unlocked with a “master key” hack.
Security researcher F-Secure revealed on Wednesday that hotel rooms in 166 countries and 40,000 locations are at risk of being unlocked and opened by hackers who have exploited software in electronic keys created by Assa Abloy, formerly known as VingCard. According to the researchers, whose claims were earlier reported on by Gizmodo, the software running on those keys, called Vision, has a vulnerability that allows criminals to create master keys and open any door in the facility.
In order to exploit the flaw, hackers need a single hotel room key. They then use an RFID reader to try several key combinations to decode the card. In most cases, according to the security researchers, about 20 key combinations are required before the code is determined and the master key is created for the hotel. Worse yet, the whole process takes only one minute to complete.
Breaking into hotel rooms is nothing new. But electronic key cards have taken the place of traditional locks and keys due in large part to the assumption of improved security. But with technology comes the possibility of software or hardware failing to provide enough security and causing problems. And according to F-Secure, that’s what happened with the hotel room keys it’s analyzed.
Get Data Sheet, Fortune’s technology newsletter
It’s unknown whether anyone has actually exploited the threat and F-Secure has not released its techniques. The researchers are, however, working with Assa Abloy to address the problem. In an interview with Gizmodo, the researchers said Assa Abloy has taken their findings “very seriously from the beginning.”
A software patch has been developed and hotels are now being urged to update their software. Once the patch is applied, their hotel rooms will no longer be susceptible to the hack.
Assa Aboly did not respond to a Fortune request for comment on the findings.
