Millions of hotel rooms around the world are vulnerable to lock exploitation

Researchers have developed a simple exploit capable of opening all doors in over 10,000 hotels worldwide.

Saflok brand RFID-based key card locks have been around for 36 years. But only in the late summer of 2022 did a team of seven researchers identify a series of vulnerabilities which allowed hackers to open them, deadbolt and all, using only a customized key card.

Saflok locks are installed on more than 3 million doors in 13,000 hotels and multifamily residential environments in 131 countries. Dormakaba started rolling out a patch last November but, to implement it, each device must be updated one by one. As of this month, only 36% of affected locks have been updated or replaced.

It’s the latest problem for an industry facing particularly difficult security challenges.

“Important people stay in hotels, and hotels keep sensitive data about their guests,” notes Lee Clark, cyber threat intelligence manager at ISAC Retail and Hospitality. “So if you run a nice hotel, you’re faced with nationally-backed threat actors trying, for cyber espionage purposes, to steal information about important people. And especially for organizations connected to gaming facilities, there’s a lot of money at stake.”

Like walking into millions of hotel rooms

Breaking into the hotel rooms of unsuspecting travelers requires only a few items.

First: any key card to the targeted property: your room key, someone else’s, even an expired one in the trash.

You’ll also need two more MIFARE Classic keycards (of the type used by Saflok) to write to, and any of several commercially available products that can do that job: a Proxmark3, Flipper Zero, or even a near-field communication (NFC)-compatible Android phone.


The team behind “Unsaflok” is keeping a tight lid on the details for now, but the outline of how their attack works is as follows.

First, the reader/writer registers a hotel card code. Then the attacker writes on the other two cards. The first custom card, when touched against a Saflok lock, overwrites a crucial part of its data, so the second custom card can be used to open the door.

It may take some time for this exploit to be completely eliminated globally. Some connected locks sold in recent years can be updated through a front desk management system. But for most Safloks around the world, the researchers explained, “Updating each hotel is an intensive process. All locks require a software update or need to be replaced. Additionally, all key cards need to be reissued, front desk software and card encoders need to be updated, and third-party integrations (e.g. elevators, parking and payment systems) may require additional updates.”

Particularly concerned guests can determine whether their hotel room door is vulnerable by using the NFC Taginfo app on iOS and Android, which identifies different types of key cards. Upgraded Saflok locks use MIFARE Ultralight C cards, instead of MIFARE Classic.
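The same card-type check can be run by a property across its own issued cards to track how far the lock upgrade has progressed. The sketch below is an added example, not code from the researchers or Dormakaba; the CSV layout and room numbers are constructed, and the ATQA/SAK values are the standard ISO 14443-A identification bytes NXP publishes for these card families.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per issued key card tapped on an NFC reader.
# ATQA and SAK are the anti-collision bytes any ISO 14443-A reader reports.
SAMPLE_SCANS = """room,atqa,sak
101,0004,08
102,0044,00
103,0004,08
201,0002,18
202,0044,00
203,0344,20
"""

def classify(atqa: str, sak: str) -> str:
    """Map ATQA/SAK (hex strings) to a card family."""
    atqa_v, sak_v = int(atqa, 16), int(sak, 16)
    if sak_v in (0x08, 0x09, 0x18):  # MIFARE Classic 1K, Mini, 4K
        return "mifare-classic"
    if sak_v == 0x00 and atqa_v == 0x0044:
        # Ultralight, Ultralight C and NTAG share these bytes; telling them
        # apart needs a further command exchange that this audit does not do.
        return "ultralight-family"
    return "other"

def audit(scans_csv: str) -> dict:
    """Summarise which rooms still issue MIFARE Classic cards."""
    by_family = defaultdict(list)
    for row in csv.DictReader(io.StringIO(scans_csv)):
        by_family[classify(row["atqa"], row["sak"])].append(row["room"])
    total = sum(len(rooms) for rooms in by_family.values())
    classic = sorted(by_family["mifare-classic"])
    pct = round(100 * (total - len(classic)) / total, 1) if total else 0.0
    return {
        "total": total,
        "still_classic": classic,                      # not yet upgraded
        "needs_manual_check": sorted(by_family["other"]),
        "pct_not_classic": pct,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_SCANS))
```

Rooms reported under `needs_manual_check` carry a card type this sketch does not recognise and should be looked at by hand rather than counted as upgraded.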

Other ways to do it

As effective as Unsaflok is, Clark notes, “It’s a new play in an old game: There are many similar methods for unlocking electronic locks.”

At Black Hat 2019, for example, two members of the Chaos Computer Club undermined a mobile phone-based key card system used by an EU hotel. More dangerous proofs of concept had also been demonstrated long before that.

In fact, just a couple of months ago – and not for the first time – Saflok’s key derivation function (KDF) was reverse engineered, opening the door for hackers to read and clone key cards.

The easiest way to open a hotel door, though, is probably with a Flipper Zero. “It’s a cool little multitool – it looks like a Game Boy,” Clark explains. “It can do a number of things that help with penetration testing, and one of the things it can do is open hotel locks.

“And that’s all if you don’t want to just kick the door open, right?”

Despite all these potential threats, however, there is good news.

How hotels secure their doors

Hoteliers have many means to protect guests from potential intruders.

Of course, there’s physical security: cameras in the hallways, staff trained to watch for suspicious activity, automatic locking mechanisms that activate seconds after a guest opens the door.

Particularly sophisticated hotels can also incorporate security sensing into larger building automation management systems, Clark explains, “because a smart lock is really only one part of a hotel’s overall [Internet of Things] system, which also includes maintaining the temperature and chemical levels in the pool and spa, the temperature and humidity level in the hotel rooms, etc.”

However, securing hotel locks beyond this point can become risky.

“There are some schools of thought regarding how to better secure these locks,” Clark notes, for example, “by implementing multi-factor authentication where possible. This may be questionable, because you’re putting a barrier between the guest and the convenience of opening their room. Password protection is another, but it comes with all the normal risks of potentially weak passwords. One of the biggest risks lately has been biometric locks (adding a fingerprint or something similar to locks), but then there is the issue of storing that biometric data, which raises other risks and regulatory questions.”

For guests who aren’t comfortable with the current state of hotel security, there’s a way to prevent even the most sophisticated attackers from entering their room, at least when they’re inside: a good old-fashioned chain lock or swing bar.


