Researchers Discover Critical Vulnerabilities in Saflok Hotel Locks
Security researchers have uncovered a series of vulnerabilities affecting 3 million Saflok electronic RFID locks installed in 13,000 hotels and residences across 131 countries. These flaws make it possible to easily unlock any door by forging a pair of key cards.
The Unsaflok Vulnerability
The chain of vulnerabilities, dubbed Unsaflok, was discovered by researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, shell, and Will Caruana in September 2022. The team was invited to a private hacker event in Las Vegas, where they competed to find security flaws in a hotel room and its devices. Focusing on Saflok electronic locks, they identified weaknesses that could allow an attacker to open any door.
In November 2022, the researchers reported their findings to Dormakaba, the manufacturer of Saflok locks. Dormakaba developed risk mitigation measures and notified hotels of the threat without making the issue public. However, the vulnerabilities have existed for over 36 years, and while there are no confirmed cases of exploitation, the risk remains significant.
Scope and Impact
The researchers have now publicly disclosed information about Unsaflok, warning that nearly 3 million doors worldwide using Saflok systems are at risk. The vulnerability affects several Saflok models, including Saflok MT, Quantum series, RT series, Saffire series, and Confidant series, all managed by System 6000 or Ambiance software.
Unsaflok is a chain of vulnerabilities that allows an attacker to unlock any door using a pair of forged key cards. To carry out the attack, an attacker only needs to read a single key card (which could be an old card or a card from their own room).
How the Attack Works
During their tests, the researchers reverse-engineered Dormakaba’s software, typically used at hotel front desks, as well as the lock programming device. They managed to forge a working master key capable of opening any room in a hotel. To clone cards, they also had to break the key derivation function used by Dormakaba.
Fake key cards can be created using a MIFARE Classic card and any commercially available tool capable of writing data to cards, such as Proxmark3, Flipper Zero, or Android smartphones with NFC support. The required equipment for the attack costs only a few hundred US dollars.
In practice, the first card overwrites the lock’s data, and the second card opens the door, as demonstrated in the researchers’ video.
Mitigation and Ongoing Risks
So far, the researchers have not released additional technical details about Unsaflok to give companies time to update their systems. Dormakaba began replacing and upgrading vulnerable locks in November 2023, but the process also requires reissuing all key cards and updating encoding devices. As of March 2024, more than 64% of affected locks remain vulnerable. The researchers have promised to share full details about Unsaflok in the future.
“We are currently disclosing limited information about the vulnerability so that hotel staff and guests are aware of the potential security threat. Updating most hotels will take a significant amount of time,” the experts said.
How to Check If Your Hotel Room Is Vulnerable
Hotel guests can check if their room locks are vulnerable by using the NFC Taginfo app (available for Android and iOS) to scan their key card with their phone. If the card uses MIFARE Classic technology, it is likely vulnerable.
Dormakaba’s Response
After the researchers’ publication, Dormakaba confirmed the vulnerability in their security system, which is related to both the key derivation algorithm used for generating MIFARE Classic keys and the secondary encryption algorithm protecting card data. The vulnerability affects Saflok systems (System 6000, Ambiance, and Community).
“As soon as we became aware of the vulnerability from the external security research group, we launched a comprehensive investigation, prioritized the development and deployment of fixes, and systematically informed our customers. To date, we are not aware of any cases where this issue has been exploited,” the company stated.