Security Flaw Can Open Over 3 Million Door Locks, Mainly at Hotels

According to security researchers, the flaw can let a hacker unlock door systems from Dormakaba's Saflok brand, which is used across numerous hotel properties.
Security Flaw Can Open Over 3 Million Door Locks, Mainly at Hotels

Security researchers have discovered a flaw that can be used to easily unlock keycard-powered door systems across numerous hotel properties.

The vulnerability involves the Saflok door system from a Swiss company called Dormakaba. “Over three million hotel locks in 131 countries are affected,” according to the researchers, who note that the flaw has existed for the past 36 years.

According to Wired, the security experts uncovered the problem in August 2022 after attending a private event where they were invited to hack a Las Vegas hotel room. The group then disclosed the findings to Dormakaba, which started work on a patch in November 2023. However, it hasn’t been easy to install the fix across the affected properties. So far, only 36% of the affected locks have been updated or replaced.

“All locks require a software update or have to be replaced,” the researchers wrote. “Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and 3rd party integrations (e.g. elevators, parking garages and payment systems) may require additional upgrades.”

The researchers decided to publicly disclose the flaw so that hotel staff and guests are aware of the threat. They created a website about the flaw, which has been dubbed Unsaflok.

The researchers have not released technical details to prevent hackers from exploiting the threat. Nevertheless, the vulnerability is relatively easy for a bad actor to abuse. “An attacker only needs to read one keycard from the property to perform the attack against any door in the property. This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box,” they wrote.

In addition, the hack can be carried out over electronic devices that can read, write, and emulate MiFare Classic smart cards. This includes using the $169 Flipper Zero and any NFC-capable Android smartphone.

The vulnerability affects all locks under the Saflok brand, including the Saflok MT, the Quantum Series, the RT Series, the Saffire Series and the Confidant Series, among others. Unfortunately, it’s impossible for a hotel guest to visually tell if a lock has been patched, the researchers say. Whether anyone else knows about the flaw remains unclear. But the team notes that the “Key Derivation Function” for the Saflok brand — necessary to clone the keycards— was recently reverse-engineered with the details published online.

In a statement, Dormakaba confirmed that the flaw exists. "As soon as we were made aware of the vulnerability by a group of external security researchers, we initiated a comprehensive investigation, prioritized developing and rolling out a mitigation solution, and worked to communicate with customers systematically," the company said. "We are not aware of any reported instances of this issue being exploited to date."

The company didn't comment on why the patch is taking so long to roll out. But according to the researchers, “it will take an extended period of time for the majority of hotels to be upgraded.”

by Michael Kan 

Similar articles

Legacy PMS is Negatively Impacting Guest Intelligence and a Barrier to Innovation

Legacy PMS is Negatively Impacting Guest Intelligence and a Barrier to Innovation

As the former COO of Shiji ReviewPro, my team and I have worked with many clients over the years across the globe to optimise the process of the collection of quality of the guest data that they are collecting from their guests during the reservation process, or upon checkin. The collection of guest data is critical for the operation to be able to increase the guest feedback that the hotels can collate, but also drives efficiency through the ability to encourage hotels to checkinonline prior to arrival.

Starbucks shutters Odyssey, its NFT-backed metaverse program

Starbucks shutters Odyssey, its NFT-backed metaverse program

In Sept. 2022, Starbucks officially unveiled its highly anticipated foray into the metaverse: Starbucks Odyssey. At the time, NFTs and the metaverse were the trendy tech innovation of the moment, with businesses across many sectors scrambling to figure out how to cash in on the popularity of Web3, which was promised to be a more immersive “Internet of the Future.”