March's Most Interesting News: Can they hack your hotel door?



Cybercriminals do not deserve praise, but we should not underestimate their creativity. For example, the electronic door keycards that we use at hotels worldwide are now easy prey for attackers who can exploit a flaw in lock software.


But the bigger story here is that the flaw was discovered as far back as 2022, yet patching the 3 million or so locks has been tricky, and presumably, many hotels can't even afford the overhaul. This story underscores a vital cybersecurity principle: don't wait for things to go wrong. Continually maintaining security systems and making minor improvements is far more effective and less expensive.


The same goes for home routers: a major emerging trend sees criminals targeting old and consumer-grade routers that often lack sufficient security features and oversight. The digital security of hotel locks and home Wi-Fi might not be a priority for many people, but both are juicy targets for criminals.


Flaw leaves millions of hotel doors vulnerable


Using keycards to unlock hotel doors is convenient for visitors and logistically much simpler for the hospitality industry. But keycards also make it easier for criminals to access rooms. A security flaw in electronic locks enables anyone to forge a keycard that can unlock any door on a hotel property. While the attacker needs a keycard associated with that specific hotel, the forgery can be created from an expired card or even the attacker's own room keycard. Dubbed 'Unsaflok', the flaw on a technical level involves manipulating the encryption algorithms of the keys.


Though the flaw specifically affects one manufacturer's locks, it is widespread enough to affect over 13,000 locations in 131 countries. Patching is going slowly: every door's software must be updated, and hotels need to replace their keycards and card encoders. Consequently, millions of locks remain vulnerable, even though the flaw was first discovered in 2022.


A new attack targets thousands of routers


Cybercriminals are stepping up campaigns to target and infect routers, particularly home routers and end-of-life routers. Researchers at Lumen Technologies uncovered a botnet attack that infected 6,000 ASUS routers in less than three days. But that was just the tip of the iceberg: they estimate that around 40,000 routers had been infected between January and February. The attacks use a once-defunct botnet called The Moon to spread malware to unprotected and outdated routers.


Many of the hijacked devices appear to form part of a cybercriminal proxy service called Faceless, which helps criminals stay unnoticed and launch attacks. This event again raises the issue that home routers often have poor security controls.


HP laptops add protection against quantum attacks


People are both excited and concerned about quantum computers. This new class of computers can perform certain calculations exponentially faster, enabling it to breeze through workloads that could take standard computers months or even years. Hence the concern: a quantum computer could crack current encryption standards within seconds, sparking a movement to start future-proofing devices against quantum attacks before it's too late.


HP is one of the first vendors to introduce such measures: it announced a new line of laptops with firmware protection against quantum attacks. The vendor is upgrading the Endpoint Security Controller (ESC) chip in some models to thwart quantum attacks, though it has not released specifics on how these countermeasures work. Still, the arrival of such measures shows how far quantum-related security research has progressed. Experts warn that quantum computers that can crack cryptography will likely be available by 2033, if not sooner.


Ethical hackers win big by spotting vulnerabilities


The best way to test the state of your security is to ask someone to break into your systems. Organisations often rely on ethical hackers to find security vulnerabilities, rewarding them lucratively if they uncover severe flaws and gaps. The recent Pwn2Own event gives a perfect example: white hat hackers earned a total of $732,000 for identifying 19 serious exploits.


This includes a $200,000 Tesla Model 3 given to a team that discovered a way to hack a Tesla car in just thirty seconds. Other examples are $50,000 for an Adobe Reader exploit that lets someone execute code on macOS devices, and $130,000 for a bug that lets people abuse VMware virtual machines to access the host Windows operating system. The US Defense Department also runs a similar programme, and recently marked receiving its fifty-thousandth vulnerability tip since 2016.