Published Date: 2018-04-25
Postmortem Analysis | |
---|---|
Timeline | 1. The F-Secure researchers found the flaws about a year before public disclosure and reported them to Assa Abloy, then worked with the manufacturer on fixes over the following year [70374, 70049]. 2. Assa Abloy's fix was made available to hotel chains in February [70360]. 3. Public disclosure came in April 2018, after the affected lock system had been in use for about 12 years [70353, 70374, 70360]. |
System | 1. Vision by VingCard electronic hotel lock system (the Vision software together with the door locks it controls), made by Assa Abloy [70353, 70374, 70360, 70049] |
Responsible Organization | 1. Assa Abloy, the world's largest lock manufacturer and owner of the Vision by VingCard product in which the vulnerabilities were found [70353, 70374, 70360, 70049]. |
Impacted Organization | 1. Hotels worldwide running Vision by VingCard, including major chains such as Intercontinental, Hyatt, Radisson and Sheraton [70353, 70374, 70360, 70049]; Marriott, which also uses Assa Abloy locks, recommended applying the patch [70360]. 2. Indirectly, the guests whose rooms and belongings those locks protect [70049]. |
Software Causes | 1. Design flaws in the Vision software let data read from any issued electronic key card, even an expired one or one used for another purpose in the hotel, be used to derive keys for the property and ultimately a master key [70374, 70360, 70049]. 2. Rooms opened with such a derived master key left no activity log, so misuse was not detectable from the lock's own records [70353]. |
Non-software Causes | 1. Weaknesses in how the locks were deployed and installed at hotel sites, which the researchers combined with the technical design flaw [70374, 70049]. 2. Easy attacker access to the raw material for the attack: any key card for the property, including discarded or expired cards, read with a small hardware device [70360, 70049]. |
Impacts | 1. Millions of electronic door locks in hotel rooms worldwide were exposed to an attack that creates master keys able to open rooms without leaving an activity log [70353, 70374, 70360]. 2. Any electronic key card lying around, even an expired one, was enough raw material to derive a master key for the whole building [70360, 70049]. 3. The same technique could reach other areas protected by the same system, for example sending a lift to a VIP floor [70353]. 4. Confidence in the security of electronic locks across global hotel chains was undermined, since a thief could enter rooms without leaving a trace [70049]. 5. The disclosure forced the lodging industry into a software update and patching effort across affected properties [70374, 70360]. |
Preventions | 1. A credential design in which the data readable from an issued card carries no information usable to derive higher-privilege keys; the articles describe the root cause as design flaws that make master keys derivable from any card [70374, 70360, 70049]. 2. Independent security review of the lock software and of deployment and installation practices during the product's roughly 12-year service life; the flaw went undetected for years until outside researchers found it [70353, 70374]. 3. Recording every open, including master-key opens, in the lock's activity log, so that misuse is at least detectable after the fact [70353]. 4. Prompt installation of Assa Abloy's fix at every affected property once it was released; this shortens the exposure window but could not have prevented the flaw itself, since no fix existed before the researchers' disclosure [70360, 70049]. |
Fixes | 1. A software fix developed jointly by the F-Secure researchers and Assa Abloy for the Vision by VingCard system [70353, 70374]. 2. Software updates issued by Assa Abloy and made available to hotel chains [70360]. 3. Marriott, which also uses Assa Abloy locks, recommended applying the patch to correct the issue [70360]. 4. F-Secure urged affected properties to install the fixes and updates provided by Assa Abloy [70049]. |
References | 1. F-Secure [70353, 70374, 70360, 70049] 2. Assa Abloy [70353, 70374, 70360, 70049] 3. Tomi Tuominen [70374, 70049] 4. Timo Hirvonen [70353, 70374, 70049] |
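
The two properties the Software Causes and Preventions rows describe as broken (a master key derivable from data on any issued card, and master-key opens that leave no activity log) can be shown with a constructed toy model. The block below is an added illustration, not Vision by VingCard's key scheme, not Assa Abloy's fix and not the F-Secure attack; the byte layouts, role codes, the "weak" derivation and all function names are assumptions made for the example. The weak scheme stores a site identifier on every card and derives the master credential from it with an unkeyed hash, so one expired card is enough; the hardened scheme binds role, room and expiry under an HMAC whose key never leaves the issuing system and the locks, and logs every decision.

```python
"""Toy model of hotel keycard credential design (constructed illustration).

Not Vision by VingCard's scheme, not Assa Abloy's fix, not the F-Secure attack.
Byte layouts, role codes and the "weak" derivation are assumptions for the example.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

# ---- Weak scheme (hypothetical): master credential derivable from card data ----

def weak_room_card(site_id: bytes, room: int) -> bytes:
    """Card payload: 8-byte site id in the clear + unkeyed hash of (site id, room)."""
    return site_id + hashlib.sha256(site_id + struct.pack(">H", room)).digest()[:8]

def weak_master(site_id: bytes) -> bytes:
    """Master credential uses the same public derivation with a fixed label,
    so anyone who learns site_id can compute it."""
    return site_id + hashlib.sha256(site_id + b"MASTER").digest()[:8]

def weak_master_from_any_card(card: bytes) -> bytes:
    """Attacker step in the weak scheme: read site_id off an old card, derive master."""
    return weak_master(card[:8])

@dataclass
class WeakLock:
    site_id: bytes
    room: int
    audit: list = field(default_factory=list)

    def open(self, card: bytes) -> bool:
        if hmac.compare_digest(card, weak_master(self.site_id)):
            return True                                    # master opens are not logged
        ok = hmac.compare_digest(card, weak_room_card(self.site_id, self.room))
        if ok:
            self.audit.append(("opened", "room", self.room))
        return ok

# ---- Hardened scheme (hypothetical): keyed credentials, every decision logged ----

ROLE_ROOM, ROLE_MASTER = 1, 2
FIELDS_LEN = 15   # role(1) + room(2) + expiry(4) + credential id(8)

def issue(site_key: bytes, role: int, room: int, expires: int) -> bytes:
    """Credential = fields || HMAC-SHA256(site_key, fields)[:16].
    site_key lives in the issuing system and the locks only, never on a card,
    so card data carries nothing usable to forge a credential for another role."""
    fields = struct.pack(">BHI", role, room, expires) + os.urandom(8)
    tag = hmac.new(site_key, fields, hashlib.sha256).digest()[:16]
    return fields + tag

@dataclass
class HardenedLock:
    site_key: bytes
    room: int
    audit: list = field(default_factory=list)

    def open(self, cred: bytes, now: int) -> bool:
        fields, tag = cred[:FIELDS_LEN], cred[FIELDS_LEN:]
        expect = hmac.new(self.site_key, fields, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expect):
            self.audit.append(("rejected", "bad_tag"))
            return False
        role, room, expires = struct.unpack(">BHI", fields[:7])
        cred_id = fields[7:].hex()
        if now > expires:
            self.audit.append(("rejected", "expired", cred_id))
            return False
        if role == ROLE_MASTER or (role == ROLE_ROOM and room == self.room):
            self.audit.append(("opened", role, cred_id))   # master opens logged too
            return True
        self.audit.append(("rejected", "wrong_room", cred_id))
        return False

def forge_master_from_card(cred: bytes) -> bytes:
    """Attacker attempt in the hardened scheme: rewrite role to MASTER and extend
    the expiry on an old room card, keeping its original tag."""
    fields = bytearray(cred[:FIELDS_LEN])
    fields[0] = ROLE_MASTER
    struct.pack_into(">I", fields, 3, 2**31 - 1)
    return bytes(fields) + cred[FIELDS_LEN:]

def demo():
    """Run both schemes against an attacker holding one expired card for room 555."""
    site_id, site_key = os.urandom(8), os.urandom(32)

    weak = WeakLock(site_id, room=101)
    old_card = weak_room_card(site_id, 555)
    weak_opened = weak.open(weak_master_from_any_card(old_card))  # opens, audit stays empty

    hard = HardenedLock(site_key, room=101)
    old_cred = issue(site_key, ROLE_ROOM, 555, expires=1_000)
    forged_opened = hard.open(forge_master_from_card(old_cred), now=2_000)   # rejected
    genuine_opened = hard.open(issue(site_key, ROLE_MASTER, 0, expires=9_000), now=2_000)
    return weak_opened, len(weak.audit), forged_opened, genuine_opened, hard.audit

if __name__ == "__main__":
    print(demo())
```

The point of the comparison is the information flow, not the particular primitives: in the weak model the secret needed to mint a master credential is present on every card the hotel ever issued, so expiry is irrelevant, and the lock's silence on master opens means the hotel learns nothing afterwards. In the hardened model the only secret is the site key held by the issuer and the locks, so an old card yields a valid tag for its own fields only, and the lock's audit trail records both the rejected forgery and the genuine master open with a per-credential identifier.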
Category | Option | Rationale |
---|---|---|
Recurring | multiple_organization | (a) one_organization: not supported. The articles describe a single disclosure of flaws in the Vision by VingCard system, owned by Assa Abloy, found by F-Secure researchers and fixed together with the manufacturer; none of them reports an earlier incident of the same kind at Assa Abloy [70353, 70374, 70360, 70049]. (b) multiple_organization: the same defective product was deployed in millions of hotel rooms across many independent operators, including Intercontinental, Hyatt, Radisson and Sheraton, so the failure existed at many organizations at once and Assa Abloy's software updates had to be rolled out to each of them [70353, 70374, 70360, 70049]. |
Phase (Design/Operation) | design, operation | (a) design: the root cause is a technical design flaw in the Vision by VingCard software that lets master keys be derived from key card data and lets master-key opens go unrecorded in the activity log [70353, 70374, 70360, 70049]. (b) operation: the researchers also found a weakness in how the locks were deployed and installed at hotels, and the attack itself takes place during operation: an electronic key card is read with a small hardware device, keys for the property are derived from it, and finally a master key is produced [70374, 70360, 70049]. |
Boundary (Internal/External) | within_system, outside_system | (a) within_system: the failure originates in the lock system itself. Flaws in the equipment's software allowed master keys to be created without leaving an activity log [70353]; that software secured millions of hotel rooms worldwide [70360]; the manufacturer had to fix the identified weaknesses [70353]; and a technical design flaw was combined with weaknesses in how the locks were deployed and installed [70374]. (b) outside_system: the attack depends on inputs from outside the lock system. An attacker must first obtain a key card for the property, including an expired or discarded one, and use an external hardware device to read it and derive keys [70374, 70360, 70049]; site-level deployment and installation practices, which lie outside the software, also contributed [70374]. The F-Secure researchers' work is why the flaw became known, not a cause of it: their interest dated from a laptop stolen from a hotel room during a security conference a decade earlier, and the problem had gone undetected for years [70374, 70049]. |
Nature (Human/Non-human) | non-human_actions, human_actions | (a) non-human_actions: the underlying defect is a latent flaw in the lock software and its deployment, present in the product as shipped and installed; the locks opened for a derived master key and logged nothing without any operator doing anything wrong [70353, 70374, 70360]. (b) human_actions: the flaw only manifests when a person exploits it, by obtaining any key card for the hotel, even an expired one, reading it with a small hardware device and producing keys up to a master key [70360, 70049]; and the design and installation decisions that introduced the weakness were human decisions [70374]. The F-Secure researchers' reporting of the flaw to Assa Abloy, the several thousand hours they spent understanding the design, and the manufacturer's software updates over the following year are human actions on the remediation side, not causes of the failure [70374, 70360, 70049]. |
Dimension (Hardware/Software) | hardware, software | (a) hardware: the failure is in a physical device, the electronic door lock, and the articles attribute part of it to how the locks were deployed and installed [70374]; the attack is mounted with a small hardware device that reads a key card and produces keys [70049]. (b) software: the root cause is in the Vision by VingCard software, whose design flaws allow master keys to be created from any key card and let such opens bypass the activity log [70353, 70374, 70360, 70049]. |
Objective (Malicious/Non-malicious) | malicious, non-malicious | (a) malicious: the failure mode is attacker-triggered, a thief deliberately deriving a master key to enter rooms without leaving a trace; the researchers were prompted by a laptop stolen from a hotel room with no sign of unauthorized entry, although the articles do not confirm that theft used this flaw [70353, 70360, 70049]. (b) non-malicious: the incident as reported was a responsible disclosure. The F-Secure researchers reported the flaw to Assa Abloy, worked with the manufacturer on a fix, stressed that no hotel rooms were broken into during the research, and did not release the attack tools [70374, 70049]. The articles report no confirmed malicious exploitation; the problem had simply gone undetected for years, which is why the disclosure was described as a wake-up call for the lodging industry [70374]. |
Intent (Poor/Accidental Decisions) | poor_decisions | (a) poor_decisions: the vulnerability stems from design and implementation choices in the lock software and in how the locks were deployed and installed [70353, 70374, 70360]. Allowing master keys to be derived from any card, and letting master-key opens go unlogged, are design-level weaknesses rather than runtime mistakes [70353, 70374]. The several thousand hours the researchers needed show that the shortcomings were subtle and had to be creatively combined, which explains why they went undetected for years, but they remain decisions made during design and development [70374, 70360, 70049]. (b) accidental_decisions: not applicable. The articles give no indication that the flaws were introduced by an accidental decision, and the discovery was deliberate: the researchers set out to test whether a lock could be bypassed without a trace after a colleague's laptop was stolen from a hotel room a decade earlier, and purposely chose a brand known for quality and security [70353, 70360]. |
Capability (Incompetence/Accidental) | development_incompetence | (a) development_incompetence: the flaws are defects in the product's design, a technical design flaw in the software combined with weaknesses in how the locks were deployed and installed [70353, 70374], that the manufacturer did not detect over the product's service life; outside researchers needed several thousand hours of analysis to find shortcomings that could be combined into a master key [70049]. (b) accidental: not applicable as a cause. The articles do not describe the flaws as the product of an accident. One article describes the researchers as coming across the vulnerability about a year before disclosure and reporting it to Assa Abloy [70374], but their investigation of whether the lock could be bypassed without leaving a trace was deliberate [70360]. No hotel rooms were broken into during the research and the attack tools were not made available [70049]. |
Duration | permanent, temporary | (a) permanent: the flaw was a fixed property of the deployed software, present for the roughly 12 years the system had been in use and exploitable at any time until the software was changed [70353, 70374, 70360]. (b) temporary: once F-Secure and Assa Abloy produced a fix, the failure became removable by a software update. The fix was made available to hotel chains in February, some hotels had already updated their systems, and the rollout to the remaining properties was still under way at the time of the reports [70353, 70374, 70360]. |
Behaviour | other | (a) crash: not applicable; the locks kept running and serving their intended functions [70353, 70374, 70360, 70049]. (b) omission: not applicable; the locks did not fail to perform an intended function, they performed an unintended one, opening for a derived master key and recording nothing [70353, 70374, 70360, 70049]. (c) timing: not applicable; no delay or premature action is involved, a derived key opens the door immediately [70353, 70374, 70360, 70049]. (d) value: not applicable in the functional sense; the lock's outputs were not computed wrongly for legitimate input, its authorization decision was wrong for a forged input [70353, 70374, 70360, 70049]. (e) byzantine: not applicable; the behaviour was consistent and repeatable rather than erratic [70353, 70374, 70360, 70049]. (f) other: the failure is a security property violation, an authorization bypass (opening for a credential the hotel never issued) combined with a missing audit record, which the functional categories above do not capture [70353, 70374, 70360, 70049]. |
Layer | Option | Rationale |
---|---|---|
Perception | processing_unit, embedded_software | (a) sensor: not attributed; the articles describe a software design flaw, not a sensing error in the card reader [70353]. (b) actuator: not attributed; no article mentions an actuator error. (c) processing_unit: the lock's controller executed the flawed key-validation logic, granting access to a derived master key while recording nothing, so the failure manifests in the processing unit even though the defect is in the software it runs [70353]. (d) network_communication: not attributed in the articles. (e) embedded_software: the root cause is in the embedded software of the Vision by VingCard locks, whose design allowed master keys to be created from data scanned from discarded key cards [70374]. |
Communication | unknown | The articles do not attribute the failure to the communication layer. The attack does involve presenting a card to the lock, but no article says that the wired or wireless link (link_level) or any network or transport layer (connectivity_level) contributed; the flaw lies in how the software treats the card data it receives [70353, 70374, 70360, 70049]. |
Application | TRUE | The failure is in the application layer of the cyber-physical system: the lock software's key-handling and authorization logic. Flaws in that software allowed researchers to create "master keys" that open rooms without leaving an activity log, using data scanned from discarded key cards, even when the card's access privileges had expired or the card had been used for other purposes within the hotel [70353, 70374, 70360, 70049]. |
Category | Option | Rationale |
---|---|---|
Consequence | property, theoretical_consequence | property: people's material goods or data were put at risk. The flaw allowed "master keys" that open hotel rooms without leaving an activity log, exposing the belongings of guests in millions of rooms worldwide to theft without trace [70353, 70374, 70360, 70049]. theoretical_consequence: the articles report no actual loss attributed to the flaw. No hotel rooms were broken into during the research, the attack tools were not released, and the reported harm is the potential for thieves to exploit the system [70049]. |
Domain | entertainment | (a) The failed system supports the hospitality industry: access control for hotel guest rooms and other hotel areas such as lifts, filed here under entertainment as the closest available option (leisure and travel) [70353, 70374, 70360, 70049]. (m) The incident also touches the cyber-security industry, since the flaw was found, analysed and fixed through security research by F-Secure working with the manufacturer [70353, 70374, 70360, 70049]. |
Article ID: 70353
Article ID: 70374
Article ID: 70360
Article ID: 70049