Hackers Discovered a Method to Unlock Any of 3 Million Hotel Keycard Locks in Mere Seconds
A group of hackers has devised a method to rapidly unlock any of the 3 million hotel keycard locks, specifically those under the Saflok brand.
While the company responsible for these locks is working on a solution, rolling it out across hotels may take an extended period, possibly stretching into months or even years. In November 2022, independent security researchers Wouters and Carroll, who also founded the travel website Seats.aero, shared the comprehensive technical details of their hacking technique with Dormakaba. Dormakaba has been actively addressing these security vulnerabilities since early last year, primarily by making hotels using Saflok locks aware of the flaws and assisting them in fixing or replacing the affected locks. For many of the Saflok systems sold in the last eight years, individual lock hardware replacements are unnecessary. Instead, hotels only need to update or replace the front desk management system and have technicians perform a relatively swift reprogramming of each lock, door by door.
However, despite Dormakaba’s efforts, Wouters and Carroll were informed by Dormakaba that, as of this month, only 36 percent of installed Safloks have been updated. Since some older locks are not connected to the internet and may still require a hardware upgrade, achieving a complete fix is expected to take several more months, if not longer. In some cases, older installations may take years to update.
Dormakaba stated to WIRED that they have been working closely with their partners to identify and implement both an immediate mitigation and a longer-term solution to address this vulnerability, although they declined to provide details about the immediate mitigation. They expressed confidence that all reasonable steps would be taken by their customers and partners to address the matter responsibly.

The hacking technique discovered by Wouters and Carroll’s research group exploits two distinct vulnerabilities in Dormakaba’s locks: one that enables writing to its keycards and another that allows determining what data to write to the cards to deceive a Saflok lock into opening. Upon analyzing Saflok keycards, they observed the use of the MIFARE Classic RFID system, which has been known for over a decade to have vulnerabilities allowing hackers to write to keycards, although the brute-force process may take up to 20 seconds. Subsequently, they managed to crack a portion of Dormakaba’s encryption system, known as its key derivation function, enabling them to write to its cards significantly faster. With either of these methods, the researchers could copy a Saflok keycard at will, albeit not generate one for a different room.
The critical step in the researchers’ approach involved acquiring one of the lock programming devices distributed by Dormakaba to hotels, along with a copy of its front desk software for managing keycards. By reverse engineering this software, they could decipher all the data stored on the cards and retrieve both a hotel property code and a code for each individual room. They could then create their own values and encrypt them the same way Dormakaba’s system does, thereby spoofing a working master key that opens any room on the property. According to Wouters, “You can make a card that really looks as if it was created by the software from Dormakaba, essentially.”
When asked how they obtained Dormakaba’s front desk software, Wouters stated, “We nicely asked a few people.” He highlighted that manufacturers often assume their equipment won’t be sold on eBay or their software copied, which he believes are invalid assumptions.
Once they completed the reverse engineering process, executing the final version of their attack required little more than a $300 Proxmark RFID read-write device and a couple of blank RFID cards, along with an Android phone or a Flipper Zero radio hacking tool.
However, it’s important to note a significant caveat to the hackers’ technique: it still necessitates having a keycard, even an expired one, for a room somewhere in the same hotel as the target room. This is because each card contains a property-specific code and a room-specific one, both of which need to be read and duplicated on the spoofed card. Once they obtain the property code, the technique further involves using an RFID read-write device to write two cards: one that reprograms the target lock and another that unlocks it. Alternatively, an Android phone or a Flipper Zero could emit one signal after another instead of using two cards.
Carroll and Wouters are striving to avoid scenarios similar to the exploitation of vulnerabilities found in Onity locks in 2012. They’re taking a cautious approach while still raising awareness about their technique. They emphasize that hundreds of properties may remain vulnerable, even with Dormakaba’s offered fix. Carroll stated, “We’re trying to find the middle ground of helping Dormakaba to fix it quickly, but also telling the guests about it.” He expressed concern that if someone reverse-engineered the technique and started exploiting it before people were aware, it could pose an even greater problem.
To aid in recognizing vulnerable locks, Carroll and Wouters suggest hotel guests look for the distinct design feature of a round RFID reader with a wavy line cutting through it. They propose using the NFC Taginfo app by NXP, available for iOS or Android, to check if their keycard has been updated. If the lock is manufactured by Dormakaba and the app shows that the keycard is still a MIFARE Classic card, it’s likely still vulnerable.
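The check the researchers describe comes down to identifying the card technology. As an added example (not from the article, the researchers or Dormakaba), the Python below classifies an ISO/IEC 14443 Type A card from the ATQA and SAK bytes any reader reports, using the bit rules published in NXP application note AN10833, which is what a hotel operations team could run over a batch of reader readings when auditing card stock after the update. The sample readings are constructed, and the "likely vulnerable" flag applies only the article's rule of thumb that a card still on MIFARE Classic is likely still vulnerable.

```python
"""Classify ISO/IEC 14443 Type A cards from ATQA/SAK and flag MIFARE Classic.

Added example, not code from the article or from Dormakaba. The bit rules
follow NXP application note AN10833 (MIFARE type identification); the
sample readings below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CardId:
    atqa: int  # 16-bit Answer To Request (Type A); recorded for the audit log only
    sak: int   # final 8-bit Select Acknowledge after anticollision completes


def classify(card: CardId) -> str:
    """Return a coarse card type. Expects the final SAK (cascade bit 0x04 clear)."""
    sak = card.sak
    if sak & 0x04:
        raise ValueError("UID not complete: pass the SAK from the last cascade level")
    if sak & 0x20:
        # ISO/IEC 14443-4 capable card (e.g. DESFire, MIFARE Plus in SL3): not Crypto-1.
        return "ISO 14443-4 card (not MIFARE Classic)"
    if sak & 0x08:
        # Crypto-1 (Classic) family. Caveat: MIFARE Plus in security level 1 emulates
        # Classic and answers with the same SAK, so SAK alone cannot tell them apart;
        # the NFC TagInfo app probes further to distinguish them.
        if sak & 0x10:
            return "MIFARE Classic 4K (or Plus SL1 emulation)"
        if sak & 0x01:
            return "MIFARE Mini (Classic family)"
        return "MIFARE Classic 1K (or Plus SL1 emulation)"
    return "other Type A (e.g. MIFARE Ultralight, NTAG)"


def likely_vulnerable(card: CardId) -> bool:
    """The article's rule of thumb: a card still in the MIFARE Classic family is
    likely still vulnerable; anything else is not flagged by this check."""
    return classify(card).startswith("MIFARE")


# Constructed sample readings (hypothetical; not real hotel cards).
SAMPLES = {
    "classic_1k": CardId(atqa=0x0004, sak=0x08),
    "classic_4k": CardId(atqa=0x0002, sak=0x18),
    "desfire":    CardId(atqa=0x0344, sak=0x20),
    "ultralight": CardId(atqa=0x0044, sak=0x00),
}

if __name__ == "__main__":
    for name, card in SAMPLES.items():
        print(f"{name:11s} ATQA={card.atqa:04x} SAK={card.sak:02x} -> "
              f"{classify(card)}; likely vulnerable: {likely_vulnerable(card)}")
```

Because MIFARE Plus in SL1 is indistinguishable from Classic at the SAK level, treat a "Classic" result from this script as "needs a closer look" rather than a final verdict; a card that answers as an ISO 14443-4 card is at least not the MIFARE Classic technology the article ties to the flaw.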
In the event that a lock is vulnerable, the researchers advise guests to avoid leaving valuables in the room and to bolt the chain on the door when inside. They caution that the deadbolt on the room is also controlled by the keycard lock, providing no extra safeguard. Despite the ongoing efforts to fix the vulnerability, Wouters and Carroll argue that it’s better for hotel guests to be aware of the risks rather than having a false sense of security. They highlight that the Saflok brand has been sold for over three decades, potentially leaving it vulnerable for much of that time.
Although Dormakaba stated that it’s not aware of any past use of Wouters and Carroll’s technique, the researchers believe the vulnerability has likely existed for a long time, suggesting they might not be the first to discover it.