More than 3 million hotel doors are instantly open to intruders

The manufacturer of Saflok electronic door locks has a patch for this vulnerability, but applying the patch may take a long time.

Every year, thousands of researchers and security enthusiasts travel to Las Vegas in August to attend what is known as “hacker summer camp,” namely the Black Hat and Defcon conferences.

But during a special event in 2022, a group of carefully selected researchers were invited to remotely decode a hotel room in Las Vegas.

In a suite crowded with laptops and cans of Red Bull, they competed to find digital flaws in every electronic gadget in the room, from the television to the bedside VoIP phone.

Unsaflok: 3M key cards can be hacked remotely

After several days of focusing on the electronic bedroom door lock, and more than a year and a half later, they finally revealed the results of their work: a technology they discovered that would allow an intruder to open any of the millions of hotel rooms in the world. In seconds, with just two clicks.

Today, Ian Carroll, Lennert Waters, and a team of other security researchers reveal a hotel key card hacking technique they call Unsaflok. This is a set of security flaws that would allow a hacker to almost instantly open several models of Saflok brand key card locks, based on RFID technology and sold by the Swiss lock manufacturer Dormakaba.

Saflok systems are installed on 3 million doors worldwide, inside 13,000 properties in 131 countries.

“Two quick clicks on the lock and we open the door.”

By exploiting vulnerabilities in Dormacaba's encryption and the underlying RFID system it uses The manufacturer is based in Rümlang (16,000 employees worldwide), known as the MIFARE Classic, Carroll Waters demonstrated how easy it is to open a Saflok key card lock.

Their technology begins by obtaining any key card from a target hotel — for example, taking a key card from a box of used cards — then reading a specific code from that card to use a $300 RFID reader and writer, and finally by writing two special key cards. With them. When they simply tap these two cards on the lock, the first rewrites part of the lock's data, while the second opens it.

Dormakaba

“Two quick clicks and the door opens,” explains Waters, a researcher in the Computer Security and Industrial Cryptography Group at KU Leuven in Belgium. It works on all hotel doors. »

All technical details of their hacking technique are with the manufacturer Dormakaba who will update the locks. However, updating older versions will take longer, months or even years.