Old Hotel Key Cards Pose Ongoing Security Risk, Allowing Access Months After Checkout
A security researcher’s recent test at Marriott, Hyatt, and Westin hotels revealed a persistent vulnerability: old key cards continued to grant access to lounges, gyms, and even elevators months after being deactivated. The findings underscore ongoing security concerns within the hospitality industry, despite advancements in key card technology.
The researcher discovered that previously used key cards, even those months old, could still unlock doors to amenities and, in some cases, floors with guest rooms. This isn’t due to a flaw in new security systems, but rather the prevalence of older lock systems still in use and potential misconfigurations in access control. While modern locks utilize more secure card types like MIFARE Ultralight AES and DESFire with features like AES-128 mutual authentication and per-card diversified keys, many hotels operate on decade-long replacement cycles, leaving older, less secure systems vulnerable.
Hotels are addressing the issue with upgrades including more secure card types, improved key management systems with tighter control over credential permissions and validity, and the adoption of mobile keys tied to specific devices. However, the researcher notes that even with advanced technology, misconfigured access groups and overly generous time windows for access remain potential weaknesses.
The core issue isn’t simply “free lounge access,” but an essential reminder that physical security is only as strong as its configuration and ongoing maintenance. Weaknesses include unreturned keys, extended validity periods for shared doors, and master keys left unattended. Experts recommend utilizing the physical deadbolt and door latch for added security when in a hotel room.
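An audit for two of the weaknesses named above (extended validity on shared doors and unreturned keys), added here as an example and not taken from the researcher or any hotel's system. The record layout, door names, dates and the two-hour grace policy are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample export from a hypothetical key-management system.
# Field names are assumptions, not any vendor's schema.
# "grants" maps each door or access group to the expiry encoded for that card.
CREDENTIALS = [
    {"card": "C-1001", "checkout": "2024-03-01T11:00", "returned": True,
     "grants": {"room-412": "2024-03-01T11:00", "gym": "2024-03-01T12:00"}},
    {"card": "C-1002", "checkout": "2024-03-01T11:00", "returned": False,
     "grants": {"room-518": "2024-03-01T11:00",
                "lounge": "2024-09-01T00:00",
                "elevator": "2024-09-01T00:00"}},
    {"card": "C-1003", "checkout": "2024-03-05T11:00", "returned": False,
     "grants": {"room-220": "2024-03-05T11:00", "gym": "2024-03-05T13:00"}},
]

# Assumed policy: no grant may outlive checkout by more than two hours.
GRACE = timedelta(hours=2)


def audit(credentials, now, grace=GRACE):
    """Return (card, door, finding) tuples for grants that outlive the stay."""
    findings = []
    for cred in credentials:
        checkout = datetime.fromisoformat(cred["checkout"])
        for door, expires in sorted(cred["grants"].items()):
            expiry = datetime.fromisoformat(expires)
            # Validity window wider than the policy allows, even if the
            # card was handed back: the access group is misconfigured.
            if expiry > checkout + grace:
                findings.append((cred["card"], door, "overlong_validity"))
            # Stay is over, card never came back, and the grant still
            # opens this door today: revoke it in the lock system.
            if now > checkout and expiry > now and not cred["returned"]:
                findings.append((cred["card"], door, "active_unreturned"))
    return findings


if __name__ == "__main__":
    for card, door, finding in audit(CREDENTIALS, datetime(2024, 6, 1)):
        print(f"{card:8} {door:10} {finding}")
```
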