Hotel Keycard Security Flaw Exposed: Millions of Locks Vulnerable
In a stark revelation, security researchers have unveiled a critical vulnerability in the Saflok-brand door locks, affecting over 3 million hotel keycard locks globally. This discovery, known as the "Unsaflok" technique, raises concerns about the security of hotel rooms worldwide.
At a private event during a renowned hacker conference in Las Vegas, a team of researchers delved into the intricate technology of a hotel room, aiming to expose potential vulnerabilities. Among their discoveries was a technique that could allow unauthorized access to millions of hotel rooms within seconds, using just a simple two-tap process.
The method, meticulously crafted by Ian Carroll, Lennert Wouters, and their research team, exploits weaknesses in the encryption and RFID system of Saflok locks, manufactured by Dormakaba. These locks are prevalent, adorning the doors of over 13,000 properties across 131 countries.
By leveraging flaws in Dormakaba's encryption and the underlying MIFARE Classic RFID system, the researchers demonstrated how an intruder could exploit the vulnerability. The process begins with acquiring any keycard from the target hotel, followed by extracting a specific code using an affordable RFID read-write device. Subsequently, the attacker can craft two counterfeit keycards. Upon tapping these cards on the lock, the first alters a crucial piece of data, enabling the second card to effortlessly unlock the door.
Despite promptly notifying Dormakaba about their findings in November 2022, the researchers discovered that only a fraction of the affected locks had been updated as of the latest assessment. Dormakaba has been working to inform and assist hotels in mitigating these security flaws. However, the extensive nature of the fix, which involves updating or replacing front desk management systems and reprogramming individual locks, suggests that the resolution process may stretch over several months or even years.
The vulnerability uncovered by Carroll and Wouters rests on two key weaknesses: the ability to manipulate keycards and decipher the data required to trick Saflok locks into unlocking. By reverse engineering Dormakaba's front desk software and lock programming devices, the researchers could replicate legitimate keycards, effectively bypassing the security measures.
Despite the gravity of their findings, Carroll and Wouters have refrained from divulging certain aspects of their technique to prevent malicious exploitation. Unlike previous instances where vulnerabilities were exposed without discretion, the researchers aim to strike a balance between raising awareness and preventing widespread abuse.
In light of these revelations, hotel guests are advised to exercise caution, especially if their rooms are equipped with Saflok locks. Identifying vulnerable locks can be done by inspecting the RFID reader's design or using NFC Taginfo app to verify the keycard's vulnerability status. While a comprehensive fix remains elusive, guests are urged to take precautionary measures, such as securing valuables and utilizing additional door locks when inside the room.
Despite efforts to address the issue, the prolonged existence of this vulnerability underscores the need for heightened vigilance and proactive security measures in the hospitality industry. As Carroll and Wouters emphasize, awareness of the risks is paramount in safeguarding against potential threats, ensuring a more secure environment for hotel guests worldwide.