Unsaflok flaw can let hackers unlock millions of hotel doors


Researchers disclosed vulnerabilities today that impact 3 million Saflok electronic RFID locks deployed in 13,000 hotels and homes worldwide, allowing the researchers to easily unlock any door in a hotel by forging a pair of keycards.

The series of security flaws, dubbed “Unsaflok,” was discovered by researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, shell, and Will Caruana in September 2022.

As first reported by Wired, the researchers were invited to a private hacking event in Las Vegas, where they competed with other teams to find vulnerabilities in a hotel room and all the devices within it.

The team of researchers focused on finding vulnerabilities in the Saflok electronic lock for the hotel room, discovering security flaws that could open any door within the hotel.

The researchers disclosed their findings to manufacturer Dormakaba in November 2022, allowing the vendor to work on mitigations and inform hotels of the security risk without publicizing the issue.

However, the researchers note that the flaws have existed for over 36 years, so while there have been no confirmed cases of exploitation in the wild, the long exposure period increases the possibility that they have been exploited.

“While we are not aware of any real-world attacks that use these vulnerabilities, it is not impossible that these vulnerabilities are known, and have been used, by others,” explains the Unsaflok team.

Today, the researchers publicly disclosed the Unsaflok vulnerabilities for the first time, warning that they impact almost 3 million doors utilizing the Saflok system.

The Unsaflok flaws

Unsaflok is a series of vulnerabilities that, when chained together, enable an attacker to unlock any room in a property using a pair of forged keycards.

To initiate exploitation, the attacker only needs to read one keycard from the property, which can be the keycard from their own room.

The researchers reverse-engineered Dormakaba’s front desk software and a lock programming device, learning how to spoof a working master key that could open any room on the property. To clone the cards, they had to crack Dormakaba’s key derivation function.

Forged keycards can be created using any MIFARE Classic card and any commercially available tool capable of writing data to these cards, including Proxmark3, Flipper Zero, and an NFC-capable Android smartphone.

The equipment needed to create the two cards used in the attack costs less than a few hundred USD.

When exploiting the flaws, the first card rewrites the lock’s data and the second opens the lock.

The researchers have not provided any further technical details for now, to give the various properties time to upgrade their systems.

A wide impact

The Unsaflok flaws impact multiple Saflok models, including the Saflok MT, the Quantum Series, the RT Series, the Saffire Series, and the Confidant Series, managed by the System 6000 or Ambiance software.

Two of the most commonly found impacted models (unsaflok.com)

The affected models are used in three million doors on 13,000 properties in 131 countries, and while the manufacturer is actively working to mitigate the flaw, the process is complicated and time-consuming.

The researchers say that Dormakaba started replacing/upgrading impacted locks in November 2023, which also requires reissuing all cards and upgrading their encoders. As of March 2024, 64% of the locks remain vulnerable.

“We are disclosing limited information on the vulnerability now to ensure hotel staff and guests are aware of the potential security concern,” reads the post by the researchers.

“It will take an extended period of time for the majority of hotels to be upgraded.”

It is further noted that malicious keycards can override the deadbolt, so that security measure isn’t enough to prevent unauthorized entry.

Hotel staff might be able to detect occurrences of active exploitation by auditing the lock’s entry/exit logs. However, that data may still be insufficient to detect unauthorized access accurately.

Guests can determine if the locks on their rooms are vulnerable by using the NFC Taginfo app (Android, iOS) to check their keycard type from their phone. MIFARE Classic cards indicate a likely vulnerability.

The researchers promised to share the full details of the Unsaflok attack in the future when the remediation effort reaches satisfactory levels.


