Why you should protect your hotel room key card
Outdated cards aren’t useful for hackers — but your current one is
Every once in a while, an email or Facebook posting makes the rounds sounding alarms over the supposed danger of used hotel card keys. To stay safe, the reasoning goes, travelers must carefully dispose of them.
To test whether it was true, USA TODAY took a stack of used hotel key cards to the Black Hat computer security conference in Las Vegas recently and had an expert see what exactly might be done with them.
The verdict?
“You’ve got nothing to worry about. There’s nothing on here at all except the room number and a date field,” Mickey Shkatov, a security researcher at McAfee, said after he methodically swiped them through a card scanner he’d brought along.
“All clear,” he said.
The bad news came when he asked to see the key for the hotel I was staying at during the conference.
“Now this I can do something with, I think,” he said.
A few keystrokes, and he ran one of the blank cards he’d bought on eBay through the machine.
“Try this when you get back to your hotel,” he told me.
The cloned key worked perfectly throughout my entire stay.
The credit-card-sized plastic keys used by most hotels today contain at most four pieces of information — which room the key is for, when the key can begin opening the door, when it should stop working and, sometimes, a guest number.
When the desk clerk types furiously into their key coding machine and then swipes the card through, that information is being transferred to either the magnetic stripe on the back of the card or, in newer cards, the chip embedded in it.
When the guest puts the key into the room’s door lock mechanism, the key tells the lock it’s meant to open the door to that exact room, when the guest can begin occupying the room and when they have to have checked out, said Christopher Balch, with Maglocks, a locking company based in Amsterdam, N.Y.
In many ways, hotel key cards are a great example of what the computer security world calls “least privilege,” the concept that to maintain security a system should have only enough privilege to access the information it needs to get its work done and no more, said Steve Grobman, McAfee’s chief technology officer.
“For a hotel key card, it should only have the data on it that it needs to do its job. For example a time stamp, so if you’re in the room from Monday to Thursday and you try to use that key on Friday, it doesn’t work,” said Grobman, who oversaw the card testing.
Sometimes, systems also include a guest number that lets the software track who has gone in and out of a room.
“It’s not really a name, it’s just an encoded guest number which maps back to the software for the lock system. It gives you an audit trail so you know who accessed the room,” Balch said.
Most hotels stopped using actual metal keys because programmable cards are cheaper and more versatile. With a metal key, a guest who forgets to return it could open the door to their room days or even weeks later, meaning the hotel might have to go to the expense of changing the room’s lock.
Metal keys are also expensive to replace, while the plastic key cards can go for as little as 10 cents if they’re magnetic stripe and around $1 per card if they contain a smart chip, Balch said.
They’re also pretty strong, which is a plus given that people tend to stick them in pockets, close them in suitcases and generally abuse them.
“They’re reusable to the point where we offer a lifetime warranty,” Balch said.
As for my cloned hotel room key, Grobman said all current cards should be treated just as you’d treat an old-fashioned room key and not be left lying around where someone might make a copy.
In the old days, that might have meant making an impression in a bar of soap or spiriting it off to a key-cutting machine.
At a hacker conference, it simply meant keeping it on my person and safe the entire time I was there. “That’s just operational security, and common sense,” Grobman said.