Skip to main content

Android app 'Caribou' cracks IP-based Cardkey security locks

YouTube link for mobile viewing

Security researcher Ian Robertson has built an Android application that can be used to bypass security on the popular Cardkey door control systems.  Using his Droid Incredible, he is able to brute-force past any PIN, and issue commands across the Internet to the IP-based systems that will unlock all doors, grant 30 seconds to open them, then relock the doors -- all with a push of a button.  Who says you need to be a registered guest to use that Holiday Inn jacuzzi?

This demonstrates not only the really poor security on these systems, but a level of 1337 that we haven't seen on Android as of yet.  Hat's off to you Ian, and hopefully you can persuade a few people that they need to ramp security up a notch.  [CyberSecurityGuy]

Jerry Hildenbrand
Jerry Hildenbrand

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • Pool's Closed
  • AWESOME!!!
  • ah sux! not available for the public :)
  • This is totally misleading. Granted the software hacks the door locks but this is only possible if you can put your Android device on the same network as the security system. The place would have to have a WiFi network that was unprotected and the security system would have to be on the same network.
  • i wish this was available. i'm always losing those cards.
  • @frankbo168: I travel a lot and most hotels are still using WEP so you can crack that in about 5mins or less then run this app. But I cannot seem to find it in the market. :-)
  • Is there an app that allows you to crack WEP? I've been looking and i found Penetrate but that is it. I've also seen something like this for MACs... anywho, is there a good android app?
  • F*CKING Genius!
  • Showing Android potential!
  • "Caribou is a proof-of-concept and is not available to the public."
    I was worried about that for a minute.
  • Oh, good. Put more dangerous ideas in the heads of malicious hackers. Thanks a ton, Ian Robertson. You've really made an amazing contribution to society by breaking its codes of conduct. Jerk. And to all of you encouraging this kind of behavior, consider how much of the infrastructure of your daily lives is protected by these very type of systems. You can say "He's showing them that they need to beef up security by hacking it," but that's like saying that harder drugs are good for society because they result in more cops being put on the beat. It's a puerile, intellectually dishonest argument and you know it. How many other hackers and technologically talented ne'er-do-wells (as or more talented than Robertson) read this site and others that published this story? How long before this app, or an ersatz version falls into THEIR hands? I bet Al Qaeda would LOVE to get their hands on it. Just think about that before you tout the 'genius' of apps with such criminal capacity. You may now proceed to flame me.
  • How do you think that these things get fixed before the "bad guys" figure it out. We're just lucky that it was Ian and not Osama, or Ted Kazinski. I used to work in IT security for a few companies and any time we deployed new features or settings, I would get to spend the whole day cracking it (8 ways from Sunday :) to make sure that the features were not easy to get around. Otherwise, the "bad guys" get in, and they don't want to just piss in the pool.
  • The difference being that you were employed specifically for that purpose, and probably did not go out of your way to expose the weaknesses of these systems to people you didn't (or couldn't possibly) know. By publishing the youtube video, Robertson not only exposes the weakness without suggesting a solution, but makes HIMSELF a target of those who would steal the app from him. So, unless Robertson is the most ultimate, supremely secure, mega-bada** hacker, he has exposed himself and many others to danger by putting this out for all to see. A more responsible, less childish thing to do would have been to develop this app, and demonstrate it discreetly for the companies he wanted to work with to fix the security hole ONE-ON-ONE, rather than posting it on youtube. The reason he posted it on youtube is because he wanted others to stroke his ego, not because he really wants to make anything better. And for that reason, I say, BOO, Ian Robertson. You're the sort of person who would show us exactly where the active nukes were hidden to get yourself some attention.
  • If you would click through to the original article here: you would see this: "Credit is given to fellow security researcher Michael Gough who identified the initial vulnerabilities in the cardkey systems. Both security researchers are actively engaged with US-CERT and the manufacturers in order to improve the security of the products and provide better documentation and instructions to system installers." In other words, totally whitehat. This guy is doing more to enhance real security than any of the Great-and-Powerful-Oz'es out there performing security theater. "Pay no attention to the man behind the scanner."
  • Smoke and mirrors. This isn't as grand as it seems. The electronic version of carding a door. So what? May seem cute to do, but if you do this for kicks and get caught, be ready for a criminal trespass charge. As soon as you purposely defeat measures to deny you entry some where in order to enter that place, it is criminal trespass at the least, felony burglary at the worse, in most states. Not really sure why this is Android related news. I can use my Evo to beat someone over the head, is that Android news?
  • Actually, since a computer is being used/attacked to gain access, I wouldn't be surprised if someone caught trying this also got slapped with federal computer crime charges. I'm not a lawyer so I don't know what they would be charged with, but I could see a prosecutor trying.
  • i am glad whomever discovered this hack did not release this to the public for the simple fact of immoral ones who would come into my hotel to jack my stuff on vacation or even worse rape someone they were eyeing. the wrong incidents that can result in this getting leaked are immense even like someone else mentioned terrorist i don't even wanna begin to start.
  • At HOD, you're pretty simple-minded if you believe the truly malicious hackers aren't already figuring things like this out; this one in particular at one level could be really simple, if the network was open. What this guy did is a SERVICE to the rest of us, as it forces the technology product keepers, and in some cases users, forward.
    I understand your sentiment. Think how many knew before the OK bombing by McVey how to make a fertilizer bomb. But the bad guy already did; we now all know it's only a few ingredients available at any feed store. So the feed store guys can at least pay attention when some guy who they don't know, maybe comes up in a shiny car (versus farm truck) and buys these 3 ingredients - that something bad is likely up. In cyber security, this is the norm. Do you understand how bad security on GSM phone networks was just a few years back before someone published the article outing it? It had been that way for YEARS, and many knew it. Look at how long it took Microsoft to 1. be more responsive to hacks 2. create a simple auto or manual update mechanism. I could go on and on, all of these were because someone published enough to embarrass the technology owner to fix the problem.
  • I can use a bump key bought off Ebay for $10 and unlock almost any key locked door in literally 5 seconds. So I actually think this is pretty secure.
  • +1 stryguy