Tomi and Timo Hirvonen, F-Secure Senior Security Consultant, spent more than a decade of their spare time trying to figure out what happened to a laptop that was stolen out of a hotel room, without a physical or digital trace, at an infosec conference in Berlin. Eventually, after endless experimentation, they figured out a way to make a master key that could slip them into hotels around the world in just seconds.
“We could ride an elevator with a guest, if the guest had a key in their pocket we could read the key through the pocket with our device. Then we’d just walk up to any of the doors and typically in less than a minute we can find the master key.”
The duo disclosed their findings to the lock’s manufacturer, which began updating the vulnerability early this year, and their “hobby” has now made countless hotel rooms safer, while making news around the globe with stories in the BBC, Reuters, Gizmodo, WIRED, ZDNet, CNBC, PC Mag, Newsweek and hundreds of other publications.
Here’s their talk revealing their work at the Infiltrate conference:
When most people heard about this hack, a simple question often came up: Is my hotel room safe?
“I highly encourage the hotels to install those software fixes,” Timo told Reuters. “But I think there is no immediate threat, since being able to develop this attack is going to take some time.”
The chances that you’ll be targeted by a hacker who knows about this vulnerability, finds you in a room with the exact right lock and manages to use the same attack Tomi and Timo came up with are not great, especially since these two guys are the only two people who have ever pulled off this sort of attack in the wild and they are not releasing their attack tools.
But that’s just the first question they’re generally hearing.
People want to know what it was like when they realized the hack worked, the tools that were used and what it’s like to hack businesses for a living, as these two do in their day job.
That’s why Tomi and Timo have decided to do their first Reddit “Ask Me Anything” session. Like F-Secure fellows Mikko, Erka and Tom before them, they take on as many questions as they can ethically answer.
Get ready for it by listening to their visit to our #CyberSauna podcast.
Follow them both on Twitter and check back here on the 11th of May when we’ll post the link. So start thinking about what you want to ask.
[Cover photo of Mikko Hypponen’s hotel keycard collection.]