$6 device can break into hotel rooms and infect PoS systems

At DEF CON, a researcher will unveil a small $6 device which can be used to duplicate every keycard in a hotel, so an attacker could break into every room, as well as to infect point-of-sale systems.

This device can generate electromagnetic fields to send keyboard commands through credit card readers. Credit: Weston Hecker/Rapid7

If a hacker wants into your hotel room, it’s a done deal.

Previously, Cody Brocious showed how to pick a hotel door lock in 200 milliseconds, less time than it takes to blink; inspired by that, other researchers developed devices to pick Onity keycard-protected hotel locks; the smallest was disguised as a dry erase marker.

Last year, Samy Kamkar showed off MagSpoof, which can wirelessly read the data stored on a card’s magnetic stripe, be that a credit card or a hotel keycard. Well now, with just $6 of hardware, there’s a way to brute force every keycard for a hotel in a relatively short period of time.

Weston Hecker, a senior security engineer at Rapid7, was inspired by Kamkar’s MagSpoof. Not only can his creation snag the data off one hotel keycard, it also can be used to duplicate every hotel keycard and open every door.

IDG’s Lucian Constantin reported:

Hecker estimates that brute forcing a typical room lock in a hotel with 50 to 100 rooms would take around 18 minutes. Brute forcing a special key, like those used by housekeeping and other staff, would take around a half an hour.

Hecker’s device, which is about the size of a deck of cards, can make 48 guesses per minute. It brute forces possible number combinations stored on a hotel keycard’s magnetic stripe. That data is usually unencrypted, and the identification numbers are assigned sequentially.

Forbes explained:

If malicious, a hacker would take information from their own hotel room key. This would typically include the encoded output of their folio number (essentially an ID record that’s supposed to be unique but isn’t), the hotel room number and checkout date. They would then know what data fields needed to be guessed for a key copy to be found. The hacker could then walk up to a hotel room, hold Hecker’s tool close to the card reader, and it would run through every possible combination of those details, before spewing out the encoded data (i.e. the key).

If an attacker chose to, he could leave the device working and be notified via his smartphone when the right combination was found.

The problem is a design flaw in the magstripes. Hecker said, “The brute force susceptibility appears to affect most any property management system that uses magstripe key cards, so it's multi vendor.” It could be rectified by adding more data stored on the keycard stripe, by assigning the numbers randomly and by using encryption.
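The fixes named above (more data on the stripe, randomly assigned numbers, cryptographic protection) can be sketched from the card-issuing side. The following Python is an added illustration, not code from Hecker, Rapid7 or any lock vendor; the card layout, the shared `key` held by the lock and the function names are assumptions, and it uses an HMAC authentication tag rather than encryption so that guessing the readable fields no longer yields a working key.

```python
import hashlib
import hmac
import secrets

GUESSES_PER_MINUTE = 48  # guess rate the article reports for the device


def expected_minutes(candidates: int, rate: int = GUESSES_PER_MINUTE) -> float:
    """Average minutes to hit one valid value among `candidates`,
    guessing each value once in arbitrary order."""
    return (candidates + 1) / 2 / rate


def _tag(key: bytes, body: str) -> str:
    # 64-bit truncated HMAC-SHA256 over every field on the card.
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:16]


def issue_card(key: bytes, room: str, checkout: str) -> str:
    """Constructed card layout: room|checkout|random id|tag."""
    card_id = secrets.token_hex(8)  # 64 random bits instead of a sequential number
    body = f"{room}|{checkout}|{card_id}"
    return f"{body}|{_tag(key, body)}"


def verify_card(key: bytes, card: str, room: str, today: str) -> bool:
    """Lock-side check: authentic tag, matching room, not past checkout.
    Dates are ISO strings (YYYY-MM-DD), so string comparison orders them."""
    parts = card.split("|")
    if len(parts) != 4:
        return False
    c_room, checkout, card_id, tag = parts
    good = _tag(key, f"{c_room}|{checkout}|{card_id}")
    authentic = hmac.compare_digest(tag.encode(), good.encode())
    return authentic and c_room == room and today <= checkout


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: provisioned to locks by the property system
    card = issue_card(key, "412", "2016-08-07")  # constructed sample values
    print(card, verify_card(key, card, "412", "2016-08-05"))
    # Constructed comparison: 1,000 sequential candidates vs. a 64-bit tag.
    print(f"sequential window: {expected_minutes(1000):.1f} minutes")
    print(f"64-bit tag: {expected_minutes(2**64) / 525600:.2e} years")
```

With the tag covering room number and checkout date, knowing or guessing those fields does not help: every changed field requires a fresh 64-bit guess at the device's 48 tries per minute.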

Hecker told The Hill, “For now, there’s not a whole lot consumers can do around this. Stay alert, use a hotel safe, maybe even put a chair against the door.”

Same device can be used to hack and infect point-of-sale systems

Hecker’s device is not limited to breaking into hotel rooms; it can also potentially inject malicious code to compromise point-of-sale (PoS) systems and “pop open cash registers.”


An attacker armed with such a device could hold it close to the PoS system with a magstripe reader and start injecting malicious keystrokes. While it might seem like someone would notice the device, it is small enough to be hidden under an attacker’s sleeve, left in an empty phone case, etc.

An attacker could, for example, leave the hidden device near a PoS system – near as in really close, like no more than four-and-a-half inches from the reader, and then “remotely open a command prompt on the system and then use it to download and install memory scraping malware through the necessary keyboard commands.”

Unfortunately, such an attack would work on most Windows-based PoS systems that are designed to work with a keyboard. It would also work on systems that accept reward program points. Rapid7 disclosed the vulnerabilities to US-CERT.

Hecker, who also made cash spit out of an ATM during a Black Hat presentation, will present “Hacking Hotel Keys and Point of Sale Systems: Attacking Systems Using Magnetic Secure Transmission” at DEF CON on August 7.
