Every August, Las Vegas hosts the ultimate “hacker summer camp” with the Black Hat and Defcon conferences, attracting thousands of security researchers. In a unique twist during the 2022 events, a selected group was invited to a challenge inside a hotel room. 

Their mission: to unearth digital weaknesses in everything from the room’s entertainment system to its communication devices, showcasing the fascinating intersection of cybersecurity and everyday technology.

Dedicated to cracking one of the most critical pieces of hotel security, a team of hackers has unveiled a breakthrough over a year in the making. 

They’ve developed a method enabling swift access to potentially millions of hotel rooms globally with a simple, two-tap process. This revelation underscores the urgent need for advancements in digital lock security across the hospitality industry.

Bypassing Saflok: A Keycard Vulnerability Exposed

Ian Carroll, Lennert Wouters, and their team have introduced “Unsaflok,” a groundbreaking approach that identifies and leverages security flaws in the RFID keycard locks of the Saflok brand by Dormakaba. 

These locks, deployed across 13,000 properties in 131 countries, totaling 3 million doors, are susceptible to this technique, which enables rapid unauthorized access, spotlighting significant security challenges in the industry’s prevalent locking mechanisms.

Leveraging vulnerabilities in Dormakaba’s encryption and the MIFARE Classic RFID system, Carroll and Wouters have showcased a method to bypass Saflok keycard locks swiftly. 

This process involves acquiring a hotel’s keycard, using specialized equipment to read and manipulate the card’s data, and then creating two new keycards. These custom cards can then interact with the lock directly, reprogramming and unlocking it in a two-step process, underscoring significant security gaps.

“With a simple, swift action of tapping twice, we can unlock any hotel room door,” explains Wouters, emphasizing the universal applicability of their discovery across all hotel doors equipped with the system.

The Slow Road to Security: Updating Saflok Locks

Wouters and Carroll disclosed their lock hacking method to Dormakaba in late 2022. Dormakaba has been informing hotels about the vulnerability and guiding them through the remediation process, which, for many locks installed in the last eight years, doesn’t require hardware changes but rather updates to the management systems and lock reprogramming.

Despite Dormakaba’s efforts to address the vulnerabilities, Wouters and Carroll have been informed that only 36% of the Saflok locks have been updated to date. 

The process is slow, especially for locks not connected to the internet and older models needing hardware changes. It’s anticipated that fully securing all affected locks could take months or even years.

Dormakaba has emphasized its collaboration with partners to quickly mitigate the vulnerability and work towards a lasting solution. 

Although specific immediate actions weren’t disclosed, the firm reassures that both its customers and partners prioritize security highly and are committed to responsibly managing and resolving the issue.

The Breakthrough in Hotel Lock Security

Wouters and Carroll’s research revealed two major security flaws in Dormakaba’s Saflok locks: the ability to manipulate keycard data and to understand the encryption to open locks. They utilized the known vulnerabilities in the MIFARE Classic RFID system for access and breached Dormakaba’s encryption for faster data manipulation. 

This enabled them to duplicate a keycard, though not to create keys for unassigned rooms, highlighting significant security concerns needing attention.

The researchers achieved a critical breakthrough by acquiring a lock programming device and Dormakaba’s software for keycard management. They reverse-engineered the software to decrypt and understand the data structure of the keycards, including codes for hotel properties and individual rooms. 

This allowed them to generate their own encrypted keys, effectively creating master keys that could open any room within a property, mimicking official Dormakaba keycards. 

Carroll and Wouters cleverly acquired Dormakaba’s software by simply requesting it from a few sources, highlighting the unrealistic assumptions of manufacturers regarding the security and distribution of their systems.

Simplifying Security Breaches: The Ease of Hacking Hotel Locks

After completing the reverse engineering, the researchers could execute their technique using a Proxmark RFID tool, a few blank RFID cards, or even a smartphone or a specialized radio hacking gadget, demonstrating the simplicity of deploying their findings in real-world scenarios.

The Unsaflok method’s primary limitation is its necessity for any hotel-specific keycard to initiate the process. 

This requirement stems from the need to replicate a specific property and room code from an existing card onto a counterfeit one for access. 

Identifying and Mitigating Risks

Carroll and Wouters aim for a balanced approach, cautiously revealing their findings to urge Dormakaba towards swift action, while also informing the public about the potential risk, to prevent exploitation by others who might discover and use the same vulnerabilities before widespread awareness and solutions are implemented.

The Unsaflok team advise is that guests might identify at-risk Saflok locks by their unique design and use the NFC Taginfo app to check if their keycard is the older, vulnerable MIFARE Classic type. 

This method offers a way to gauge the lock’s security status.

Final Thoughts: Navigating Lock Security and Personal Safety

They recommend extra caution, suggesting not to leave valuables unattended in rooms with potentially vulnerable locks. 

They also note that using the door’s deadbolt for added security might not offer additional protection since it’s integrated with the keycard system.

Wouters and Carroll emphasize the importance of transparency regarding security risks, arguing that awareness is preferable to a false sense of safety. 

They suggest the vulnerability in the Saflok system, existing for decades, might not be a new discovery, even if unreported previously. 

Their stance is aimed at fostering a proactive approach to security, encouraging both guests and the industry to prioritize genuine safety measures over assumed security.