Security company F-Secure has found a way to open Hotel locks from VingCard Vision. The researchers worked for years on the exploit. They do not disclose details to prevent burglaries.

Parent company Assa Abloy has released a patch for VingCard Vision that the hotel must implement to protect itself against the attack, says F-Secure . Hotels with the newer Visionline system are not vulnerable, reports Wired . It is unknown how many hotels are now vulnerable. It would be a minimum of 500,000 hotels, but the number can also run into the millions. The key system is in use worldwide.

The attack works with a Proxmark and software made by F-Secure. With reverse engineering, the researchers have found a method to limit the number of possible masterkeys when they have access to a pass that has ever been used at a hotel. The Proxmark can then attempt to try the master key at a door with lock in the hotel. That often works within twenty attempts.

In addition, it turned out to be possible with a bug in the software for Vision locks to read the database with current guests. It also turned out to be possible to add guests, edit data and delete data.

F-Secure has been busy locating the exploit since 2003, after a laptop of an employee mysteriously disappeared from a hotel room. The security company told Assa Abloy about the leak a year ago.