Security researchers demonstrate inexpensive one-minute method to clone master hotel key cards


Originally published at:


A friend moved to a brand new apartment complex with RFID keys. They wanted to give me a key for backup, but it turns out the complex charges $30 a month per copy.

Turns out, their keys are MIFARE Classics, which have been known to be vulnerable to cloning as early as 2008, 10 years ago! Better and faster cloning techniques have even emerged since then, making it possible to clone the key with even cheap USB-based RFID readers. We were shocked to learn that the apartment complex had chosen this known-bad technology. The Proxmark is a swiss-army knife of RFID exploration, and would make it even easier.

We didn’t clone friend’s key, but we did think about it…


So I haven’t been nuts all these years, throwing the physical lock AND deadbolt when I’m in hotels…


It’s said in the article that fixing this problem will take longer because the locks don’t have internet connections.

If they did have internet connections, they could all probably be hacked remotely at the same time. I’m not seeing a big upside here.



We need to crowdsource a database of which hotels use crappy systems.


Young John Connor nods in approval.


Once when I was working in Singapore I checked in to a hotel in the afternoon, and put the chain on the door when I went to bed. Around 11 PM the door opened as far as the chain would let it. I walked up to the door and observed the situation as a member of a family in the corridor tried to trick the chain in to letting them in. After about five minutes of that I pushed the door closed which lead to to a few “woha” like statements from the other side.

But in this case I assumed the hotel mucked up and allocated my room twice.


This topic was automatically closed after 5 days. New replies are no longer allowed.