A security researcher has devised a tool capable of compromising hotel room keys, giving attackers entry — and can also tamper with point-of-sale (PoS) systems to boot.
Rapid7 security researcher Weston Hacker revealed the tool at Black Hat USA, which can be made with off-the-shelf components and cost only $6 to build.
As reported by Forbes, the device can read and duplicate hotel keys, but if a cyberattacker is really keen on disrupting a hotel chain, the $6 tool can also be used to “brute force” attack every guest room in the building — by guessing the keys to each room.
To wreck havoc in a hotel, the attacker would take their own key which will often include an ID record of the room — the folio number output — the hotel room number and a checkout date.
These fields alone give an attacker a starting point to guess at possible combinations for different guest rooms. After being placed near a door’s card reader, Hecker’s device can make 48 guesses a minute and additional hardware antennas prevent the tiny device from overheating.
If a hotel has gone beyond what you typically find today in terms of room security and there are additional fields which require guesswork, the tool will take longer to work.
However, the hardware can also be used to compromise PoS systems, such as those used in retail outlets and hotel shops. If held close to the PoS system which uses a magstripe reader, Hecker says the tool can inject keystrokes — which could force the system to visit a malicious website and both download and execute malware such as financial Trojans, force the cash register to open or close the PoS system entirely.
“Hecker started tinkering with hotel key brute force attacks in April, though his techniques were somewhat slower, taking as long as 20 minutes to guess a key. He did, however, discover during that research he could use a cheap Chinese MP3 player to inject credit card numbers into an ATM machine for potential theft.” the publication noted.
This is not the first time a security specialist has highlighted the risks associated with PoS and credit cards. In 2015, Samy Kamkar created MagSpoof, a portable device which emulates a magnetic stripe by producing a magnetic field similar to that of a normal magnetic stripe, allowing users to emulate their own cards. While this was built with convenience in mind, the technology could, in theory, be used for more nefarious purposes.