Physical security and cryptography can learn from each other, part 11367:

Hotels wisely don't put the room number on guest keycards so if someone finds your card, they'd have to exhaustively search the hotel to find the room it opens.

Some hotels now have elevators programmed to only let you call the floor for which your keycard is coded, preventing guests from wandering to other floors.

But it also means the elevator can be used as an efficient oracle to determine the floor of a found key.

In other words, restricting the elevator in this way is a bad tradeoff. It makes it harder for guests to visit their friends on other floors, but it reduces the complexity for an outsider burglar from O(|rooms|) to O(|floors|) + O(|rooms_per_floor|), a much more feasible search space.
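As an added illustration (not part of the thread, and not the hotel's actual system), here is a small Python model of the search costs described above: a found keycard, doors that either open or do not, and an elevator that only accepts the card for its own floor. The hotel dimensions and the key's room are constructed values.

```python
# Constructed model of the "elevator as oracle" argument: count how many trials
# it takes to locate the room a found keycard opens, with and without an
# elevator that reveals whether the card is coded for a given floor.
from dataclasses import dataclass


@dataclass
class Hotel:
    floors: int
    rooms_per_floor: int
    key_floor: int          # constructed secret: floor the found card opens
    key_room: int           # constructed secret: room on that floor
    door_tries: int = 0     # each attempt to open a door with the card
    elevator_queries: int = 0  # each attempt to call a floor with the card

    def door_opens(self, floor, room):
        self.door_tries += 1
        return (floor, room) == (self.key_floor, self.key_room)

    def elevator_accepts(self, floor):
        # Floor-restricted elevator: answers "is this card coded for floor f?"
        self.elevator_queries += 1
        return floor == self.key_floor


def search_without_oracle(h):
    """No elevator hint: try the card on every door, O(|rooms|)."""
    for f in range(h.floors):
        for r in range(h.rooms_per_floor):
            if h.door_opens(f, r):
                return f, r
    return None


def search_with_oracle(h):
    """Ask the elevator for the floor first, then only try that floor's doors:
    O(|floors|) + O(|rooms_per_floor|)."""
    floor = next(f for f in range(h.floors) if h.elevator_accepts(f))
    for r in range(h.rooms_per_floor):
        if h.door_opens(floor, r):
            return floor, r
    return None


def worst_case_cost(floors, rooms_per_floor, with_oracle):
    """Total trials when the card belongs to the last floor and last room searched."""
    h = Hotel(floors, rooms_per_floor, floors - 1, rooms_per_floor - 1)
    found = search_with_oracle(h) if with_oracle else search_without_oracle(h)
    assert found == (floors - 1, rooms_per_floor - 1)
    return h.door_tries + h.elevator_queries
```

For a constructed 20-floor hotel with 30 rooms per floor, the exhaustive search costs 600 door trials while the elevator oracle brings the worst case down to 50.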

@mattblaze I am in a hotel now (in Japan, for context).

I observed that you could access any floor when my backpack pressed several floor buttons on our first ride.

When I later attempted to access the laundry room floor but could not, but could access my floor, I thought that perhaps the first observation was an anomaly associated with the fact that the only other elevator was being attended by an elevator repairman at the time of the multiple floor incident.

It turns out that I had my Suica card in my hand, not my hotel card, and had selected my floor based on the swipe of another guest in the elevator, but was unable to select the laundry floor after a timeout.

I discovered this when I couldn't open my room with the Suica.

The flaw in this hotel is that one swipe enables multiple floors, defeating the security access aspect while providing the anonymity. A guest can swipe, and an intruder can then access a floor that they have previously observed a target accessing, and then, presumably, having determined the room number via other (social engineering) means, door knock with "hotel engineering".

@BernardSheppard @mattblaze In a hotel I stayed in a few years back, someone discovered an interesting hack: while you could only select a floor after swiping your card (IIRC and only your own), after someone had selected a floor you could select any additional floor by pushing the button of the already selected floor and the new floor at the same time, thanks to the physical wiring of the card-reader add-on.

Not sure whether you'd count that wiring as "software bug" or "physical security issue" :)