Millions of Hotel Rooms Are at Risk of ‘Master Key’ Hack

April 25, 2018, 5:00 PM UTC
A key hangs in the lock at room 333, one of the most haunted rooms of the Gadsden Hotel in Douglas
A key hangs in the lock at room 333, one of the most haunted rooms of the Gadsden Hotel in Douglas, Arizona, October 29, 2012. While many hotels in the United States claim ghosts, staff and guests at the Gadsden have recorded scores of supernatural encounters from the top floor right down to the maze-like basement - not just at Halloween, but year round. Picture taken October 29, 2012. REUTERS/Samantha Sais (UNITED STATES - Tags: SOCIETY ENTERTAINMENT) - RTR39TBL
Photograph by Samantha Sais — Reuters

Millions of hotel rooms are at risk of being unlocked with a “master key” hack.

Security researcher F-Secure revealed on Wednesday that hotel rooms in 166 countries and 40,000 locations are at risk of being unlocked and opened by hackers who have exploited software in electronic keys created by Assa Abloy, formerly known as VingCard. According to the researchers, whose claims were earlier reported on by Gizmodo, the software running on those keys, called Vision, has a vulnerability that allows criminals to create master keys and open any door in the facility.

In order to exploit the flaw, hackers need a single hotel room key. They then use an RFID reader to try several key combinations to decode the card. In most cases, according to the security researchers, about 20 key combinations are required before the code is determined and the master key is created for the hotel. Worse yet, the whole process takes only one minute to complete.

Breaking into hotel rooms is nothing new. But electronic key cards have taken the place of traditional locks and keys due in large part to the assumption of improved security. But with technology comes the possibility of software or hardware failing to provide enough security and causing problems. And according to F-Secure, that’s what happened with the hotel room keys it’s analyzed.

Get Data Sheet, Fortune’s technology newsletter

It’s unknown whether anyone has actually exploited the threat and F-Secure has not released its techniques. The researchers are, however, working with Assa Abloy to address the problem. In an interview with Gizmodo, the researchers said Assa Abloy has taken their findings “very seriously from the beginning.”

A software patch has been developed and hotels are now being urged to update their software. Once the patch is applied, their hotel rooms will no longer be susceptible to the hack.

Assa Aboly did not respond to a Fortune request for comment on the findings.

Read More

Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward