Saflok Hotel Locks Vulnerable to Master Key Attack
Photo by hotelmanagement.net
Recently, a critical flaw named Unsaflok has come to light, casting a shadow over the reliability of electronic RFID locks manufactured by dormakaba, a leading security solutions provider. These locks, popularly used in hotels and multi-family housing environments, are now under scrutiny for vulnerabilities that pose significant risks.
The vulnerability was first outlined here to the public, but was disclosed to dormakaba in September of 2022 by Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana.
TL;DR
Dormakaba locks, mostly used in hotels in 130 countries, have a series of vulnerabilities that allow attackers to create a master key which gives them access to every room in the hotel. This vulnerability requires those vulnerable to replace both the locks and software used, and at present only 36% have corrected the vulnerability.
The Anatomy of Unsaflok
Unsaflok is not just a singular flaw but a series of serious security vulnerabilities within the Saflok electronic RFID locks. These vulnerabilities, when exploited in conjunction, enable an attacker to bypass security measures using a pair of forged keycards. The implications is that with these keycards, every room in a hotel could potentially be unlocked, leaving guests' belongings and safety in jeopardy.
The Scale of Impact
The reach of Unsaflok is both vast and alarming. It is estimated that over three million hotel locks across 131 countries are susceptible to this security breach. The ubiquity of Saflok locks in the hospitality industry magnifies the potential for widespread security incidents, emphasizing the need for immediate and effective countermeasures.
The Risks Involved
The primary risk posed by Unsaflok is unauthorized access. In hotels and residential buildings, where security and privacy are paramount, the ability for an intruder to unlock doors at will is unacceptable. This vulnerability not only compromises the physical security of guests and residents but also undermines the trust placed in establishments to safeguard their patrons. Additionally, the ease with which these attacks can be carried out—with just a pair of forged keycards—highlights the sophistication of modern security threats and the constant need for vigilance.
The Attack
The requirements for this attack
Valid hotel key card (eg your hotel room card)
Two blank writable cards
Read/Write device (flipper, I-copy, proxmark, etc)
Dormakaba software
The general steps to perform the attack are:
Read code from valid hotel card (your hotel room key)
write this code onto blank card
Using Dormakaba software, create “master key” on second blank card
Tap first card to the door lock you want access to
This writes data to the lock
Tap second “master key” to the lock, this opens the door
The exact code has not been disclosed to the public due to the high probability of misuse
Addressing the Vulnerability
Unfortunately in order to resolve this issue, both the locks and software used must be replaced which is a very costly and time consuming endeavor. This means that many vulnerable hotels will likely remain so for the foreseeable future.
Despite this vulnerability being disclosed in 2022, only 36% of vulnerable systems have so far been resolved. According to the authors of the paper,
”It is not possible to visually tell if a lock has been updated to fix these vulnerabilities. You may be able to tell if a hotel has been through the upgrade process if the guest keycards are using MIFARE Ultralight C cards instead of MIFARE Classic.”