Unlocking Insecurity: Cybersecurity Team Exposes Major Flaws in Hotel RFID Locks
Charles M. Walls | March 29, 2024
A recent investigation has unearthed a set of critical security flaws in Dormakaba's Saflok electronic RFID locks, widely utilized in the hospitality industry. Dubbed "Unsaflok" by a team of cybersecurity experts including Lennert Wouters, Ian Carroll, and others, these vulnerabilities present a serious risk, potentially allowing cybercriminals to craft duplicate keycards to gain unauthorized access to hotel rooms undetected.
The research team reported the issue to Dormakaba, a Zurich-headquartered firm, in September 2022. The flaws are particularly alarming because they give an attacker a way to unlock any room in a hotel with a specially crafted pair of keycards.
To protect the integrity of affected establishments and their guests, the full details of these vulnerabilities are being kept under wraps for now, with plans to release them publicly at a later date.
These security gaps affect an expansive network of over three million hotel locks across 13,000 properties in 131 nations, including various models like the Saflok MT, Quantum, RT, Saffire, and Confidant, alongside Dormakaba's management software suites.
As of March 2024, Dormakaba has reportedly updated or replaced about 36% of the vulnerable locks, with some devices dating back to 1988. This retrofitting began in November 2023 as part of the company's response to the discovery.
The exploit requires just one keycard, whether active or expired, from the hotel to launch an attack against any lock on the premises. Attackers can fabricate these keycards using readily available RFID tools or even NFC-enabled Android phones.
In discussions with Andy Greenberg of WIRED, the researchers detailed the process, which involves duplicating a code from an existing keycard to create a new set of keycards—one to alter the lock's data and another to unlock the door by circumventing Dormakaba's encryption.
Additionally, the team uncovered a way to reverse-engineer the lock programming devices and front desk software used by hotels, potentially allowing them to generate a master key that could open any room.
Although there are no confirmed incidents of these vulnerabilities being exploited in real-world scenarios, the possibility remains a concern. The research team suggests that hotels could detect abnormal activity by auditing lock entry/exit logs for irregularities, although the flaw might cause these records to be misattributed.
This revelation follows closely behind the discovery of significant vulnerabilities in Electronic Logging Devices (ELDs) used in the trucking sector, highlighting a growing issue of cybersecurity threats within the transportation and hospitality industries.