Exposing the insecurity of hotel safes
Travel documents, cash, mobile devices, cameras, jewellery and company documents – on holiday or on a business trip, tourists and business people alike often carry valuable objects in their luggage. For a small fee, many hotels offer a room safe for keeping important documents and valuables safe. However, these safes are not as secure as is often assumed.
When looking at one popular safe model, G DATA SecurityLabs experts found serious security deficiencies. With a little technical effort, the safe can be hacked and cleared out in a very short time. If the safe has a magnetic card reader, it offers criminals the option of using skimming to access the data on the card and offering it for sale on the Internet or in special underground forums.
The safe model investigated by the G DATA security experts could be opened using various methods. The safe can easily be opened using the master code provided by the manufacturer, which is only supposed to be used to open it in emergencies. Many hotel owners, however, do not bother to change the default code – making life easy for thieves. “We urgently advise hotel owners to change the master code in safes and to regularly check room safes for modifications,” recommends Ralf Benzm??ller, head of G DATA SecurityLabs.
Another option for opening a safe is to hack the emergency lock. The hotel manager usually has an emergency key. However, after unscrewing a plate on the front of the safe, the lock underneath can also be opened using a false key. Alternatively, the code can be reset via a short circuit and a new one entered, which can then be used to open the safe. “A safe is not the worst place to store valuables. Their security, however, should not overestimated”, summarizes Ralf Benzm??ller.
Tips from the G DATA security experts on using hotel safes:
Do not use credit cards: Hotel guests should never use their credit card when using a safe. If a safe is equipped with a magnetic card reader, the device may be able to read personal data.
Do not take valuables: Before going away you should consider which valuables you will actually need on holiday. Expensive jewellery should preferably be left at home if possible.
Activate anti-theft protection: Users should take precautions in case their mobile device is lost. Install security software on their mobile devices, including anti-theft protection. This enables the device to be located and locked remotely and all data stored on it to be deleted. With notebooks, the hard disk should be encrypted, leaving no opportunity for thieves to read the stolen data.
Back up data: Before going away, create a backup copy of all data stored on an external storage medium.
Note blocking numbers: Holidaymakers should note down the service numbers for their mobile phone operator and credit and debit card providers. The card, surf stick or mobile device concerned can be blocked immediately in the event of loss.
Scan ID documents: Important documents such as identification papers, flight tickets, travel tickets and data on travel insurance should be copied before going away and kept separate from the originals during the trip. A digital scan of the documents can also be kept on a smartphone, laptop or USB stick. In the event of loss they will help when reporting an incident and replacing the documents.
Note down the address of the embassy: When travelling abroad, travellers should note down the address and telephone number of the embassy or the nearest consulate. If your passport is stolen, the embassy can issue a replacement passport.
Document losses: If the hotel safe is broken into, the traveller must notify the local police and document the losses. This might help the lost property to be reimbursed under the insurance in your own country.
For more technical details and images read the G Data blog.