The data on room access cards are not encrypted and consist of a record ID generated by the hotel when a guest checks in, the room number and the check-out date.
The date can be determined or guessed easily because a hotel stay is usually limited to a few days, and the record ID, or folio number, can be brute-forced using Hecker's device because it's typically short and is increased sequentially with each new guest. This means that an attacker can have a pretty good idea about the range of numbers to test by reading data of another card -- for example, his own.
Hecker estimates that brute forcing a typical room lock in a hotel with 50 to 100 rooms would take around 18 minutes. Brute forcing a special key, like those used by maids and staff, would take around a half an hour.
The nice part, for the attacker, is that he can even leave the device working on the door and be notified on his mobile phone when the correct data combination has been found.
This is another design flaw that seems to affect many vendors, Hecker said. The best fix would be for folio numbers to be made larger and to be assigned randomly to new guests. Adding encryption to the process would be better, but would almost certainly require replacing the existing system with new encryption-capable locks, he said.
Sign up for Computerworld eNewsletters.