A Vulnerability in Hotel RFID Door Locks Opens All Rooms "with a Single Pair of Forged Keycards"
Research team goes public with a high-level overview, as the manufacturer works to patch millions of locks across the globe.
A team of security researchers has disclosed major security issues in the Saflok range of radio-frequency identification (RFID) door locks commonly used in hotels around the world — allowing for a single pair of fake keycards to unlock every door in the building.
"Unsaflok is a series of serious security vulnerabilities in dormakaba’s Saflok electronic RFID locks, commonly used in hotels and multi-family housing environments," the research team explains in a report brought to our attention by Wired.
"When combined," the researchers continue, "the identified weaknesses allow an attacker to unlock all rooms in a hotel using a single pair of forged keycards. Over three million hotel locks in 131 countries are affected. All locks using the Saflok system are impacted, including (but not limited to) Saflok MT, the Quantum Series, the RT Series, the Saffire Series and the Confidant Series."
The team discovered the issue back in 2022, and disclosed it privately to manufacturer dormakaba. Although the company has developed a fix for the flaws, it's a slow process to roll it out: every lock needs to have its firmware updated or be physically replaced, all keycards need to be reissued, the card encoders and front desk software have to be upgraded, and there may be issues with third-party integrations.
"We are disclosing limited information on the vulnerability now to ensure hotel staff and guests are aware of the potential security concern," the team writes, admitting that only 36 per cent of affected locks have been upgraded or replaced at the time of disclosure. "It will take an extended period of time for the majority of hotels to be upgraded."
The vulnerabilities, which cannot be mitigated against by deploying the deadlock built into the door locks, can be exploited by reading a single keycard using any Near-Field Communication (NFC) capable Android smartphone, a dedicated NFC or RFID reader, or a Flipper Zero or other RFID/NFC-enabled device. The researchers, however, have not published a full proof-of-concept or technical explanation of the attack, "due to the potential impact to hotels and guests."
More information on the vulnerabilities is available on the Unsaflok website.