It’s no secret hotel rooms can be hacked into. One security researcher has now created a cheap, discreet device the size of a card deck that can open guest rooms at a rapid speed. But it’s more than a one-trick pony: it can carry out attacks on point-of-sale systems too, even popping open cash registers.
Just last year, hacker hero Samy Kamkar created MagSpoof, which could wirelessly read magstripes from cards, whether they were of the credit variety or for hotels. He even laid out all the hardware and firmware required for such a tool. MagSpoof worked by quickly switching the polarization of an electromagnet to produce a magnetic field like that of a normal magstripe being swiped. It would then store the card data for re-use.
Now, Weston Hecker, a security researcher with Rapid7, has taken Kamkar’s model and given it a turbo boost with just $6 of hardware. On the one hand, it can just read and duplicate keys directly. But, for hotel-wide hacking, Hecker’s tool can “brute force” its way to guessing every room’s key.
A malicious hacker would first take information from their own hotel room key. This would typically include the encoded output of their folio number (essentially an ID record that’s supposed to be unique but isn’t), the hotel room number and checkout date. They would then know what data fields needed to be guessed for a key copy to be found. The hacker could then walk up to a hotel room, hold Hecker’s tool close to the card reader, and it would run through every possible combination of those details, before spewing out the encoded data (i.e. the key).
Hecker’s device is able to make 48 guesses at a key in a minute, making it extremely speedy. It can work that fast because he added a few more antennas to the board to prevent overheating. “Think of it as load balancing,” he told FORBES. “When one overheats, it moves over to the next one.”
Where hotels have added in more unique data to create the key, Hecker’s toy may take much longer to break into rooms.
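A defender's check for the guessing rate described above, as an added example that is not from the original article or from Hecker's tool: it flags any door that sees more failed card reads within 60 seconds than a guest would plausibly produce. The log format, the threshold of 5 and the door numbers are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
MAX_FAILED_READS = 5  # assumed policy: a guest fumbling a card rarely fails more often


def parse_line(line):
    """Parse 'ISO-timestamp door=<id> result=<OK|FAIL>' (constructed format)."""
    stamp, door, result = line.split()
    return (datetime.fromisoformat(stamp),
            door.split("=", 1)[1],
            result.split("=", 1)[1])


def find_bursts(lines, window=WINDOW, limit=MAX_FAILED_READS):
    """Return {door: time the failed-read count inside `window` first exceeded `limit`}."""
    recent = defaultdict(deque)  # door -> timestamps of recent failed reads
    alerts = {}
    for when, door, result in sorted(parse_line(l) for l in lines if l.strip()):
        if result != "FAIL":
            continue
        q = recent[door]
        q.append(when)
        while when - q[0] >= window:  # drop reads that fell out of the window
            q.popleft()
        if len(q) > limit and door not in alerts:
            alerts[door] = when
    return alerts


def constructed_log():
    """Constructed sample: two ordinary guests plus a 48-reads-per-minute burst."""
    start = datetime(2016, 8, 1, 22, 0, 0)
    lines = [
        "2016-08-01T21:58:10 door=412 result=FAIL",
        "2016-08-01T21:58:14 door=412 result=OK",
        "2016-08-01T22:03:41 door=230 result=OK",
    ]
    for i in range(48):  # one failed read every 1.25 s, the rate quoted above
        t = start + timedelta(seconds=1.25 * i)
        lines.append(f"{t.isoformat()} door=415 result=FAIL")
    return lines


if __name__ == "__main__":
    for door, when in find_bursts(constructed_log()).items():
        print(f"door {door}: repeated failed reads, first flagged at {when}")
```

At 48 reads a minute the constructed burst crosses the assumed threshold on its sixth failed read, while the guest who mis-swiped once at door 412 is not flagged.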
The mini computer goes further, however. Hold it close to a point-of-sale (PoS) system with a magstripe reader and it can start injecting keystrokes. It can do that all via the magstripe reader, which will accept any data emitted from the tool, as long as it is within range – i.e. very close, as seen in the image below.
Anyone who can get that close can cause some serious trouble. The F8 key, for instance, opens the cash register on many PoS systems. Most also run a version of Windows and connect to the web; a keystroke injector could in theory force a device to go to a website where PoS malware would be downloaded. Alternatively, the system could simply be shut down.
Hecker started tinkering with hotel key brute force attacks in April, though his techniques were somewhat slower, taking as long as 20 minutes to guess a key. He did, however, discover during that research that he could use a cheap Chinese MP3 player to inject credit card numbers into an ATM for potential theft.
He will demonstrate his hacks at the DEF CON conference in Las Vegas this week.