Dormakaba locks used in millions of hotel rooms could be broken in seconds

March 29, 2024 | Pressroom | Reverse Engineering / RFID Security

Security vulnerabilities discovered in Dormakaba’s Saflok RFID electronic locks used in hotels could be weaponized by threat actors to spoof key cards and stealthily break into locked rooms.

The deficiencies were named collectively Unsaflok by researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell and Will Caruana. They were reported to the Zurich-based company in September 2022.

“When combined, the identified weaknesses allow an attacker to unlock all rooms in a hotel using a single pair of counterfeit key cards,” they said.

Full technical specifications on the vulnerabilities have been withheld, considering the potential impact, and are expected to be made public in the future.

The problems affect more than three million hotel locks spread across 13,000 properties in 131 countries. This includes Saflok MT models and Quantum, RT, Saffire and Confidant series devices, which are used in conjunction with System 6000, Ambiance and Community management software.

Dormakaba is estimated to have upgraded or replaced 36% of the affected locks as of March 2024 as part of an implementation process that began in November 2023. Some of the vulnerable locks have been in use since 1988.

“An attacker only needs to read a property key card to carry out the attack against any door on the property,” the researchers said. “This key card could be from their own room, or even an expired key card from the Express Checkout collection box.”

Counterfeit cards can be created using any MIFARE Classic card or any commercially available RFID read-write tool capable of writing data to these cards. Alternatively, you can use Proxmark3, Flipper Zero or even an NFC-compatible Android phone instead of cards.

Speaking to WIRED’s Andy Greenberg, the researchers said that the attack involves reading a certain code from that card and creating a pair of counterfeit key cards using the aforementioned method: one to reprogram the data on the lock and another to open it by cracking Dormakaba’s key derivation function (KDF) encryption system.

“Two quick touches and we open the door,” Wouters said.

Another crucial step involves reverse engineering the lock programming devices distributed by Dormakaba to hotels and the front desk software for managing key cards, thus allowing researchers to forge a working master key that could be used to open any room.

There is currently no confirmed case of exploitation of these issues in the wild, although researchers do not rule out the possibility that the vulnerabilities were discovered or exploited by others.

“It may be possible to detect certain attacks by checking the lock’s entry/exit logs,” they added. “Hotel staff can verify this via the HH6 device and look for suspicious entry/exit records. Due to the vulnerability, entry/exit records could be attributed to the wrong key card or staff member.”

The disclosure comes on the heels of the discovery of three critical security vulnerabilities in electronic logging devices (ELDs) commonly used in the trucking industry that could be weaponized to enable unauthorized control over vehicle systems and arbitrarily manipulate data and vehicle operations.

Even more concerning, one of the flaws could pave the way for a worm that self-propagates from truck to truck, potentially causing widespread disruptions in commercial fleets and serious safety consequences.
