Security vulnerabilities found in Saflok electronic RFID locks by Dormakaba can be exploited by hackers to create forged keycards and gain unauthorized access to locked hotel rooms.
A group of researchers including Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana named the identified vulnerabilities as Unsaflok. The vulnerabilities were reported to Dormakaba in September 2022.
“By exploiting these weaknesses, an attacker can potentially unlock all rooms in a hotel using a single pair of forged keycards,” they stated.
Detailed technical information about the vulnerabilities has not been disclosed yet due to the potential impact, but it is expected to be shared publicly in the future.
These vulnerabilities affect over three million hotel locks in 13,00 properties across 131 countries, including Saflok MT, Quantum, RT, Saffire, and Confidant series devices used with System 6000, Ambiance, and Community management software.
As of March 2024, Dormakaba has updated or replaced 36% of the affected locks as part of a rollout that started in November 2023. Some of these vulnerable locks have been in use since 1988.
The researchers explained that an attacker only needs to read one keycard from the property to execute the attack on any door within the property. This keycard can be from their own room or an expired keycard from the express checkout box.
Using MIFARE Classic cards or RFID read-write tools, hackers can craft forged keycards. They can also use Proxmark3, Flipper Zero, or an NFC-enabled Android phone instead of physical keycards.
According to the researchers in an interview with WIRED’s Andy Greenberg, the attack involves reading a specific code from the keycard and creating a pair of forged keycards to manipulate the lock’s data and crack Dormakaba’s encryption system.
“With two taps, we can open the door,” Wouters said.
Reverse engineering Dormakaba’s lock programming devices and front desk software is another crucial step to spoof a master key and unlock any room.
While there is no known exploitation of these vulnerabilities in the wild, researchers do not discount the possibility that others may have discovered or used them.
They recommended auditing lock entry/exit logs to detect potential attacks, suggesting hotel staff use the HH6 device to search for suspicious records. Due to the vulnerability, entry/exit records could be misattributed.
This disclosure follows the discovery of critical vulnerabilities in Electronic Logging Devices (ELDs) used in the trucking industry, which could allow unauthorized control over vehicle systems and data manipulation, including the possibility of a self-propagating truck-to-truck worm.
These findings raise concerns about security in various industries and the potential risks associated with exploiting electronic systems vulnerabilities.
