Security Vulnerability Allows Intruders to Unlock Hotel Rooms Using Forged Keycards
A newly disclosed security vulnerability allows individuals to open hotel room and multi-family housing unit doors using a keycard hacking technique.
The vulnerability affects the popular Saflok line of electronic RFID locks manufactured by dormakaba and was originally publicized in reports from WIRED magazine. The vulnerability, dubbed Unsaflok, affects three Saflok systems—System 6000, Ambiance, and Community—and at least five Saflok lock series—Confidant, RT, Saffire, Saflok MT, and Quantum.
“When combined, the identified weaknesses allow an attacker to unlock all rooms in a hotel using a single pair of forged keycards,” according to researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana in a post on their website. “Over 3 million hotel locks in 131 countries are affected.”
Dormakaba did not respond to Security Management’s request for comment on this story. In a statement on its Security Support center, however, dormakaba wrote that the researchers had disclosed the vulnerability to the company. The hack impacts the “key derivation algorithm used to generate MIFARE Classic keys and the secondary encryption algorithm used to secure the underlaying key data,” the manufacturer explained.
Dormakaba has rolled out a mitigation solution for the vulnerability and is recommending all customers address it as soon as possible.
“We are unaware of any reported instances of this issue being exploited,” dormakaba said. “Still, we strongly recommend all customers not already engaged in scheduled security upgrades address this vulnerability as soon as possible.”
Dormakaba has provided a self-assessment tool and a self-serve guide to assist security practitioners in identifying if their properties are affected by the vulnerability.
Additionally, the researchers wrote that it might be possible for security practitioners to detect exploitation of the vulnerability by conducting an audit of their entry and exit logs.
“Hotel staff can audit this via the HH6 device and look for suspicious entry/exit records,” the researchers explained. “Due to the vulnerability, entry/exit records could be attributed to the wrong keycard or staff member.”
Addressing the vulnerability is a priority because malicious keycards can be used to override the software of the affected locks, causing their deadbolts to retract. People staying or living in an affected unit must use an alternative security measure—like a chain lock—to attempt to prevent unauthorized entry.
The attack method the researchers discovered can be performed using devices that can read, write, or emulate MIFARE Classic cards, including NFC capable Android phones and Proxmark3 and Flipper Zero tools.
“Their technique starts with obtaining any keycard from a target hotel—say, by booking a room there or grabbing a keycard out of a box of used ones—then reading a certain code from that card with a $300 RFID read-write device, and finally writing two keycards of their own,” according to WIRED. “When they merely tap those two cards on a lock, the first rewrites a certain piece of the lock’s data, and the second opens it.”
The researchers discovered the vulnerability and shared their findings with dormakaba in September 2022. They then met with dormakaba representatives at least 14 times. Hotels then began upgrading their systems to resolve the vulnerability in November 2023, according to the researchers’ website. The researchers then went public with their findings in March 2024.
Despite this lengthy process, the researchers disclosed on their website that as of March 2024 only 36 percent of the impacted locks have been updated or replaced.
“Upgrading each hotel is an intensive process,” they explained. “All locks require a software update or have to be replaced. Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and third-party integrations (e.g. elevators, parking garages, and payment systems) may require upgrades.”
Difficulties in addressing the vulnerabilities are compounded by the fact that upgrades for hotels would be dependent on local practitioners often operating on a seven-year technology cycle, says Lee Odess, CEO of Access Control Executive Brief. If practitioners are aware of the vulnerability, they might be weighing the risks of it being exploited versus the cost of immediately addressing it.
The original hotel keycard lock systems—VingCards—were invented by Tor Sørnes, who sought to increase hotel safety after hearing about a woman attacked in her hotel room. Hotel keys at the time were often metal keys that included the hotel name, address, and room number.
Updating to the new keycard-based system was perceived as embracing a safer solution than previous access control measures. But in a LinkedIn post and in an interview with Security Management, Odess says that as the security industry shifts into a mainstream market it needs to elevate its standards.
“Our industry is one that has been allowed to live off of 30-year-old technology, and as long as we delivered what was seen as keeping bad people out, we did it,” Odess explains, adding that the security industry needs increase the level of how it defines safety and security. “Now, it’s beyond keeping the bad people out. It’s letting the right people in.”
