Hackers Show Vulnerabilities of RFID-Based Hotel Door Locks

By James Hickey, Managing Editor, RFIDJournal.com

Researchers exploited weaknesses in both Dormakaba's encryption and the underlying RFID system used

In a scenario that feels lifted from Ocean's 11, a group of hackers has shown the vulnerabilities of RFID-based locks through a hotel room keycard.

A team of security researchers recently revealed a hotel keycard hacking technique they call Unsaflok. The technique exposes a collection of security vulnerabilities that would allow a hacker to open several models of Saflok-brand RFID-based keycard locks sold by lock maker Dormakaba.

The Saflok systems are installed on three million doors worldwide, inside 13,000 properties in 131 countries.

The Hackers' Story

As detailed in a story published by Wired, researchers Ian Carroll and Lennert Wouters say they exploited weaknesses in both Dormakaba's encryption and the underlying RFID system, known as MIFARE Classic.

They started by obtaining any keycard from a target hotel—new or used—in order to read a certain code from that card with a $300 RFID read-write device. After writing two keycards of their own, they were able to first rewrite a certain piece of the lock's data and then open it.

“Two quick taps and we open the door,” said Wouters, a researcher in the Computer Security and Industrial Cryptography group at the KU Leuven University in Belgium. “And that works on every door in the hotel.”

Dormakaba Solution

Wouters and Carroll shared the full technical details of their hacking technique with Dormakaba in November 2022. Dormakaba says that it's been working since early last year to make hotels that use Saflok aware of their security flaws and to help them fix or replace the vulnerable locks.

For many of the Saflok systems sold in the last eight years, there's no hardware replacement necessary for each individual lock. Instead, hotels will only need to update or replace the front desk management system and have a technician carry out a relatively quick reprogramming of each lock, door by door.

But Dormakaba has reportedly only updated 36 percent of installed Safloks. Given that the locks aren't connected to the internet and some older locks will still need a hardware upgrade, they say the full fix will still likely take months longer to roll out, perhaps years.

How They Did It

The key piece for the hackers was to obtain the lock programming devices that Dormakaba distributes to hotels, as well as a copy of its front desk software for managing keycards.

By reverse engineering that software, they obtained all the data stored on the cards, the hotel property code and codes for each individual room.

This data enabled them to create their own values and encrypt them just as Dormakaba's system would, essentially giving them a master key to the properties. An Android phone or a Flipper Zero could also be used to emit one signal after another instead of the two cards, the researchers say.

Protecting Yourself

So how do you know if your room on vacation is vulnerable to being broken into? Carroll and Wouters told hotel guests to look for the distinct design of the door: a round RFID reader with a wavy line cutting through it. Guests can determine if the Saflok has been updated by checking their keycard with the NFC Taginfo app by NXP, available for iOS or Android. If the lock is manufactured by Dormakaba, and that app shows that the keycard is still a MIFARE Classic card, it's likely still vulnerable.

Additionally, the duo warn that the deadbolt on the room is controlled by the keycard lock, so it doesn't provide an extra safeguard.

Though Dormakaba says it's not aware of any past use of Wouters and Carroll's technique, the researchers point out that doesn't mean it never happened in secret. “We think the vulnerability has been there for a long time,” said Wouters. “It's unlikely that we are the first to find this.”

Key Takeaways:

  • A team of security researchers recently revealed a hotel keycard hacking technique they call Unsaflok.
  • The Saflok systems are installed on three million doors worldwide, inside 13,000 properties in 131 countries.