Rapid7 security researcher Weston Hecker revealed the tool at Black Hat USA. Hecker said that he assembled the tool with off-the-shelf components and cost him only $6 to build. As reported by Forbes, the device can read and duplicate hotel keys, but if a potential hacker is really keen on disrupting a hotel chain, the $6 tool can also be used to “brute force” attack every guest room in the building — by guessing the keys to each room. Hecker’s tool works by guessing possible combinations used by the hotel room lock. After being placed near a door’s card reader, Hecker’s device can make 48 guesses a minute and additional hardware antennas prevent the tiny device from overheating. Hecker said that his tool can also be used to compromise PoS systems, such as those used in retail outlets and hotel shops. If held close to the PoS system which uses a magstripe reader, Hecker says the tool can inject keystrokes — which could force the system to visit a malicious website and both download and execute malware such as financial Trojans, force the cash register to open or close the PoS system entirely. “Hecker started tinkering with hotel key brute force attacks in April, though his techniques were somewhat slower, taking as long as 20 minutes to guess a key. He did, however, discover during that research he could use a cheap Chinese MP3 player to inject credit card numbers into an ATM machine for potential theft.” Forbes noted.
