LAS VEGAS. Guests in hotels around the world make use of magnetic stripe-based key cards to gain access to their rooms. According to Weston Hecker, senior security engineer and pentester at Rapid7, all of those cards pose a security risk as there are weaknesses that could enable an attacker to modify cards for malicious purposes.
Hecker is scheduled to talk about his research at the DEFCON security conference in a talk where he will also reveal flaws in the magnetic stripe approach used in point-of-sale (POS) systems. In an interview ahead of the talk, Hecker detailed some of his key findings and the widespread risks.
As opposed to the issues being limited to a specific hotel or key card vendor, the risks appear to be in the magstripes themselves.
“From field observations, the brute force susceptibility appears to affect most any property management system that uses magstripe key cards, so it’s multi vendor,” Hecker said. “Some cards are RFID, not magstripe, so those aren’t affected.”
That said, Hecker built his own device in order to attack the magstripe cards, which could give him access to hotel rooms and potentially allow injection of malicious code into a POS system.
“The vulnerability for both of the attacks is not feasible without the ability to inject using the device that I made,” Hecker said. ” A lot of these vulnerabilities also stem from relying on security through obscurity.”
Rapid7 is coordinating with CERT for disclosure; however at this time, he has not received a response from the vendors.
At the core of Hecker’s risk analysis is the fact that it is possible to make any magstripe data on the fly, which writes card data as opposed to just reading it.
Originally attacks that would have been unfeasible, or the ability to make several hundred cards, are now possible, Hecker said. As part of his research he collected information from re-issued hotel key cards. He noted that securing multiple keys allows attackers to crack the encoding and variations of information.
“When a person obtains a second key to their hotel room, that key has encoding information on it that attackers can leverage to read numbers and key information in the clear,” Hecker said. “In my research, I used information on a room that I was checked out of and back in. “
Most hotel key card systems also use privileged cards for managers, security and cleaning staff to enter any room. These keys are effectively “skeleton keys,” and Hecker said they have static early folio numbers or just 99999999999 for the folio field.
Hecker also looked at self-service check-in kiosks and explored how easily he could get his own checkout data from a name, and how attackers could then target which customer they were going after.
While the risks are real, the fix isn’t all that complicated.
“To limit this attack on hotels, a simple randomization of folio number would have fixed it,” Hecker said. “The fact that they are incremental leads to a small space to be brute forced.”
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist