Security researchers have found a relatively easy and cheap way to clone the key cards used on three million Saflok electronic RFID locks in 13,000 hotels and homes around the world.
Key card and lock manufacturer Dormakaba has been notified and is currently working to replace the vulnerable hardware, but it is a long and arduous process that has not yet been completed.
Although first discovered in 2022, the researchers have released more information about the flaws, called ‘Unsaflok’, to raise awareness.
Cheap card cloning
The flaws were discovered during a private hacking event in Las Vegas, where several research teams competed to find vulnerabilities in a hotel room and all the devices within it. A team consisting of Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, shell and Will Caruana turned their attention to the Dormakaba Saflok electronic locks for hotel rooms. They soon discovered two flaws that, when linked together, allowed them to open the doors with a custom key card.
First, they needed access to every map of the property. That could be the map to their own room. They then reverse engineered the Dormakaba reception software and lock programming device, allowing them to forge a working master key that could open any room on the property. Finally, to clone the cards, they had to break into Dormakaba’s main distraction feature.
To spoof the keycards, the team used a MIFARE Classic card, a commercial card writing tool, and an Android phone with NFC capabilities. All this cost just a few hundred dollars, it was said.
With their custom-made key card, the team would gain access to more than three million locks, installed in 13,000 hotels and homes around the world.
Following the publication of the findings, Dormakaba released a statement to the media, saying that the vulnerability affects Saflok systems System 6000, Ambiance and Community. It added that there is no evidence that these flaws are ever exploited in the wild.
Through BleepingComputer