Electronic door locks in some of the most well-known hotel chains around the world are vulnerable to hacking, according to research from the Finnish cybersecurity and privacy company F-Secure.

After an incident where an F-Secure employee's laptop was stolen during a hotel stay, the company set out to investigate how the thief had been able to access the room. Researchers found flaws in the equipment software, which enabled hackers to create "master keys" capable of opening hotel room doors without leaving an activity log.

"We wanted to find out if it's possible to bypass the electronic lock without leaving a trace," explained Timo Hirvonen of F-Secure. "Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings [and] come up with a method for creating master keys."

Additionally, the researchers found that the data scanned from used and discarded cards could also be used in an attack — even if it had expired or was used to open other doors on the hotel property (for instance, the garage).

For the last year, F-Secure has been at work on a fix with Swedish lock manufacturer Assa Abloy, who insists that the move is more of a precaution.

"Vision Software is a 20-year-old product, which has been compromised after 12 years and thousands of hours of intensive work by two employees at F-Secure," said a spokeswoman for the company, Assa Abloy. "These old locks represent only a small fraction [of the those in use] and are being rapidly replaced with new technology. Digital devices and software of all kinds, are vulnerable to hacking. However, it would take a big team of skilled specialists years to try to repeat this."

For now, it is unclear which properties — the system is found at such chains as Hyatt, Radisson, Sheraton and Intercontinental — are still equipped with the vulnerable version of the Vision by VingCard System.

To contact the author of this article, email mdonlon@globalspec.com