DefCon 24: Hacking hotel magnetic-stripe based key cards is easy

Published 4 August 2016

If you travel a lot for business or pleasure, and stay at hotels at the places you visit, you may not like the information presented at the DefCon 24 event in Las Vegas. A security expert will tell the attendees that the magnetic-stripe based key cards guests are given to enter their rooms have major weaknesses which could allow an attacker to modify these cards to enter guests rooms.

A keycard with a magnetic stripe // Source: wikipedia.org

Weston Hecker, Senior Security Engineer & Pentester at Rapid7, will tell the attendees that the magnetic-stripe based key cards guests are given to enter their rooms have major weaknesses which could allow an attacker to modify these cards to enter guests rooms.

eSecurity Planet reports that Hecker will also reveal flaws in the magnetic stripe approach used in Point of Sale systems as well.

Hecker notes that the issues are not limited to a specific hotel or key card vendor, but that the risks appear to be in the magstripes themselves.

“From field observations, the brute force susceptibility appears to affect most any property management system that uses magstripe key cards, so it’s multi-vendor,” Hecker told eSecurity Planet. “Some cards are RFID, not magstripe, so those aren’t affected.”

Hecker noted that he had built his own device in order to attack the magstripe cards – and that the device could thus give him access to hotel rooms and potentially inject malicious code into a point of sale system.

“The vulnerability for both of the attacks is not feasible without the ability to inject using the device that I made,” Hecker said. “A lot of these vulnerabilities also stem from relying on security through obscurity.”

He added that Rapid7 is coordinating with CERT on disclosure, but that so far he has not heard any response from the vendors.

Hecker says that the main problem is that it is possible to write arbitrary magstripe data on the fly, rather than merely reading what is already on a card.

Attacks that were previously unfeasible, such as producing hundreds of cards, are now possible, Hecker said. He collected information from re-issued hotel key cards, and noted that obtaining multiple keys allows attackers to work out the encoding and the variations in the information.

“When a person obtains a second key to their hotel room, that key has encoding information on it that attackers can leverage to read numbers and key information in the clear,” Hecker said. “In my research, I used information on a room that I was checked out of and back in.”

He noted that most hotels typically give privileged cards to managers, security personnel, and cleaning staff – cards which allow them to enter any room. These keys are effectively “skeleton keys,” and Hecker said they have static early folio numbers or just 99999999999 for the folio field.

Hecker also examined self-service check-in kiosks, and found that it was easy for attackers to obtain a check-out date from a guest’s name, so they can then choose which customer to target.

The problem is serious, but fixing it is not complicated.

“To limit this attack on hotels, simple randomization of folio number would have fixed it,” Hecker told eSecurity Planet. “The fact that they are incremental leads to a small space to be brute forced.”
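As an added illustration (not code from the article or from Rapid7’s research), the Python below contrasts the incremental folio assignment Hecker describes with the randomized assignment he recommends, gives a defender’s estimate of the resulting candidate space, and adds an encoder-side audit that rejects the static master value. The 11-digit field width and the 99999999999 value come from the article; the class and function names are assumptions.

```python
import secrets

FOLIO_DIGITS = 11                  # width of the folio field (the article's 99999999999)
FOLIO_SPACE = 10 ** FOLIO_DIGITS   # number of possible folio values
STATIC_MASTER_FOLIO = 99999999999  # static value the article reports on skeleton keys


class SequentialFolioIssuer:
    """Weak scheme: each new key gets the previous folio number plus one."""

    def __init__(self, start=1):
        self._next = start

    def issue(self):
        folio = self._next
        self._next += 1
        return folio


class RandomFolioIssuer:
    """Hardened scheme: folio drawn uniformly from the full field with a CSPRNG,
    so one guest's folio reveals nothing about any other guest's."""

    def __init__(self):
        self._issued = set()

    def issue(self):
        while True:
            folio = secrets.randbelow(FOLIO_SPACE)
            if folio not in self._issued:  # reject the rare collision
                self._issued.add(folio)
                return folio


def candidate_space(scheme, keys_issued_since):
    """Defensive estimate of how many folio values cover every key issued after
    one already known to an attacker (e.g. from a re-issued card). Sequential
    folios are bounded by the number of keys issued; random folios force the
    entire field."""
    if scheme == "sequential":
        return keys_issued_since
    if scheme == "random":
        return FOLIO_SPACE
    raise ValueError(f"unknown scheme: {scheme}")


def audit_folio(folio):
    """Encoder-side check: refuse the static master value and out-of-range folios."""
    if folio == STATIC_MASTER_FOLIO:
        return "reject: static master folio"
    if not 0 <= folio < FOLIO_SPACE:
        return "reject: out of range"
    return "ok"
```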