Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label hotel room access. Show all posts

This Security Flaw Enables Hackers to Unlock Millions of Hotel Doors

 

Researchers have unveiled vulnerabilities impacting approximately 3 million Saflok electronic RFID locks found in 13,000 hotels and homes globally, which could potentially enable unauthorized access to any door in a hotel by creating fake keycards.

Discovered by a team of researchers including Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, shell, and Will Caruana in September 2022, these security flaws, dubbed "Unsaflok," were brought to light during a private hacking event in Las Vegas. At the event, various teams competed to identify vulnerabilities within a hotel room and its associated devices. The researchers focused on scrutinizing the Saflok electronic lock system and uncovered flaws that could compromise the security of any door in the hotel.

After notifying the manufacturer, Dormakaba, of their findings in November 2022, the researchers allowed time for the vendor to address the issues and inform affected hotels without publicizing the matter.

Despite no confirmed instances of exploitation in the wild, the researchers caution that these vulnerabilities have existed for over 36 years, raising concerns about potential misuse. The researchers publicly disclosed the Unsaflok vulnerabilities, alerting the public to their impact on nearly 3 million doors utilizing the Saflok system.

The Unsaflok vulnerabilities involve a series of exploits that, when combined, allow an attacker to unlock any door using a pair of counterfeit keycards. This attackThe Unsaflok vulnerabilities involve a series of exploits that, when combined, allow an attacker to unlock any door using a pair of counterfeit keycards. This attack method requires the attacker to obtain method requires the attacker to obtain one legitimate keycard from the property, which can include their own room keycard. 

By reverse-engineering Dormakaba's front desk software and lock programming device, the researchers were able to spoof a master key capable of opening any room. Creating forged keycards involves cracking Dormakaba's key derivation function and utilizing readily available tools such as Proxmark3, Flipper Zero, or an NFC-enabled Android smartphone.

Affected Saflok models include Saflok MT, Quantum Series, RT Series, Saffire Series, and Confidant Series managed by System 6000 or Ambiance software. These models are deployed in 13,000 properties across 131 countries, with Dormakaba actively working on mitigations. However, the process is complex and time-consuming, with only 64% of locks upgraded as of March 2024.

While Dormakaba issued a statement acknowledging the vulnerability and their efforts to address it, the researchers stress the importance of heightened awareness among hotel staff and guests. Measures such as auditing entry/exit logs and using the NFC Taginfo app to check keycard types can help detect potential vulnerabilities. The full details of the Unsaflok attack will be shared once the remediation efforts reach satisfactory levels.