Hacking is “boring as hell,” he said. “It’s like watching paint dry, and there’s nothing sexy in it. So this took a lot of trial and error to get where we are at this point.”
Tomi and his F-Secure colleague Timo Hirvonen recently revealed a hack that allowed them to create master electronic keys for hotel rooms around the world. It took fifteen years. And it’s the kind of digital magic that makes headlines around the world. But Tomi wants to make something clear: This wasn’t easy, even for two guys whose day job involves breaking into secured networks.
“To make it crystal clear, we have done each and every mistake possible on our way here.”
The pair first started working on the hack in 2003, after a laptop was stolen from a hotel room during a hacker conference without a trace.
“Yeah, and we didn’t even start the research from the electronic locks,” Timo explained. “We started by first looking at the mechanical lock, whether it would be possible to somehow bypass that one. And we also did research into reprogramming the lock. So there were like at least two different tracks that we researched before we focused on creating these master keys.”
After a decade and a half, they cracked the case. And the results, as Timo explains, were pretty stunning.
“To start, you need any key to the hotel. It doesn’t need to be valid anymore. It can be a key to the hotel from your stay five years ago. Or it can be a key to the garage, or gym or anything. Then we read a piece of information from that card, and then we have our own device that we use. We show the device to the lock, and it does a couple of attempts, and at some point the lock will show you a green light, and then you know that you have the master key.”
Now, that’s cinematic. Even Tomi agreed.
“If you’ve ever seen the Terminator 2 movie, where the guy puts this device against a lock, it’s exactly like that. Stunt hacking,” he said. “So for once we have something that’s exactly like in the movies.”
All you have to do is watch two guys getting things wrong for 15 years to get to that point. Even if you put that in 3-D, it probably wouldn’t be very entertaining.
But that’s how hacking works.
[Image courtesy Henri Lindberg / t2.fi infosec]
May 21, 2018