At the recent Black Hat information security event in the US, researchers from the German Chaos Computer Club demonstrated their successful hacking of the mobile phone based door lock security used in some hotels.

Mobile Phone Hotel Lock Keys?

The latest trend in high-end hotel room door lock security is known as the ‘Mobile Key’. Guests download an app to their phone, check in using that app and then use their phone as the key to their room. The phone typically talks to the lock over Bluetooth Low Energy (BTLE), which means the locks don’t need to be hard-wired back to any sort of infrastructure, and the system uses cryptography to ensure that only the current occupier can gain access. Or that is at least the idea.

The Hack

What the team from the Chaos Computer Club was able to demonstrate was that by ‘sniffing’ legitimate use of a mobile device as a key (simply by being in proximity to someone entering their room) they were able to reconstruct the data required to operate the lock. Just like with remote central locking for cars, vendors build in anti-replay technology, which is designed to prevent exactly this – recording the communication between the key and lock and replaying it. In this case, however, the hackers were able to circumvent this protection by closely inspecting the traffic between the mobile device and lock.

Can This Ever Be Secure?

The principle of using a mobile device like this is sound. The cryptography and technology exist; security researcher Steve Gibson commented that getting this right is “crypto 101”. However, vendors of the technology no doubt have to contend with a wide range of physical door locks, mobile platforms, the quality of the app itself and of course their requirement to make the system easy to use – no hotel wants to deploy a lock infrastructure which causes them technical problems.

Using encryption securely in this way is certainly possible.  Locks could all operate autonomously and securely using their own secret key.  Batteries could no doubt last years and maintenance would be low.  Replay prevention can be deployed in such a way that hackers could sniff the traffic from thousands of uses of the lock and still not be able to gain unauthorized access.
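As an added illustration of the replay prevention described above (not code from the researchers or from any lock vendor), here is a minimal challenge-response sketch in Python. The `Lock` class, the `stay_key` derivation and the message layout are hypothetical, and it assumes the hotel back end knows each lock's secret key and delivers a per-stay key to the guest's app at check-in.

```python
import hmac
import secrets


def mac(key: bytes, label: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over a domain label plus fixed-length data."""
    return hmac.digest(key, label + data, "sha256")


def stay_key(lock_key: bytes, expiry: int) -> bytes:
    """Per-stay key: issued by the back end at check-in, recomputed by the lock."""
    return mac(lock_key, b"stay", expiry.to_bytes(8, "big"))


class Lock:
    """Offline lock that stores only its own secret key (hypothetical design)."""

    def __init__(self, lock_key: bytes):
        self._key = lock_key
        self._nonce = None

    def challenge(self) -> bytes:
        # Fresh 128-bit nonce per attempt: every valid response is unique.
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, expiry: int, response: bytes, now: int) -> bool:
        nonce, self._nonce = self._nonce, None   # a challenge is single-use
        if nonce is None or now > expiry:
            return False
        expected = mac(stay_key(self._key, expiry), b"unlock", nonce)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    lock_key = secrets.token_bytes(32)           # constructed sample key
    lock, expiry, now = Lock(lock_key), 2_000, 1_000
    guest = stay_key(lock_key, expiry)           # delivered to the guest's app

    sniffed = mac(guest, b"unlock", lock.challenge())  # visible to a sniffer
    legit = lock.unlock(expiry, sniffed, now)

    lock.challenge()                             # next attempt, new nonce
    replay = lock.unlock(expiry, sniffed, now)   # recorded answer fails
    stale = lock.unlock(expiry, sniffed, now)    # no open challenge at all

    late = mac(guest, b"unlock", lock.challenge())
    expired = lock.unlock(expiry, late, expiry + 1)  # stay is over
    return {"legit": legit, "replay": replay, "stale": stale, "expired": expired}
```

Because the expiry is bound into the per-stay key, a response only verifies for the stay it was issued for, and the lock needs no network connection to check it.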

Conclusion

As with all internet-connected devices, this story underlines the importance of being able to patch devices once deployed. The potentially vulnerable locks are installed in an unnamed European hotel, which no doubt now faces the challenge of how to get them all updated.
