Security Flaw Can Open Over 3 Million Door Locks, Mainly at Hotels

Security researchers have discovered a flaw that can be used to easily unlock keycard-powered door systems across numerous hotel properties.

The vulnerability involves the Saflok door system from a Swiss company called Dormakaba. “Over three million hotel locks in 131 countries are affected,” according to the researchers, who note that the flaw has existed for the past 36 years.

According to Wired, the security experts uncovered the problem in August 2022 after attending a private event where they were invited to hack a Las Vegas hotel room. The group then disclosed the findings to Dormakaba, which started work on a patch in November 2023. However, it hasn’t been easy to install the fix across the affected properties. So far, only 36% of the affected locks have been updated or replaced.

“All locks require a software update or have to be replaced,” the researchers wrote. “Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and 3rd party integrations (e.g. elevators, parking garages and payment systems) may require additional upgrades.”

The researchers decided to publicly disclose the flaw so that hotel staff and guests are aware of the threat. They created a website about the flaw, which has been dubbed Unsaflok.

The researchers have not released technical details to prevent hackers from exploiting the threat. Nevertheless, the vulnerability is relatively easy for a bad actor to abuse. “An attacker only needs to read one keycard from the property to perform the attack against any door in the property. This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box,” they wrote.

In addition, the hack can be carried out over electronic devices that can read, write, and emulate MiFare Classic smart cards. This includes using the $169 Flipper Zero and any NFC-capable Android smartphone.

The vulnerability affects all locks under the Saflok brand, including the Saflok MT, the Quantum Series, the RT Series, the Saffire Series and the Confidant Series, among others. Unfortunately, it’s impossible for a hotel guest to visually tell if a lock has been patched, the researchers say. Whether anyone else knows about the flaw remains unclear. But the team notes that the “Key Derivation Function” for the Saflok brand — necessary to clone the keycards— was recently reverse-engineered with the details published online.

In a statement, Dormakaba confirmed that the flaw exists. "As soon as we were made aware of the vulnerability by a group of external security researchers, we initiated a comprehensive investigation, prioritized developing and rolling out a mitigation solution, and worked to communicate with customers systematically," the company said. "We are not aware of any reported instances of this issue being exploited to date."

The company didn't comment on why the patch is taking so long to roll out. But according to the researchers, “it will take an extended period of time for the majority of hotels to be upgraded.”

by Michael Kan