[German]Electronic locks from Saflock are used in many hotels and even in apartments. The doors secured in this way can be unlocked using RFID cards. Great thing? Unfortunately, security vulnerabilities mean that these electronic RFID locks can be picked using simple means. Millions of locks used in 13,000 hotels and apartments worldwide are affected.
Advertising
Vulnerabilities in Saflok
Security researchers have taken a closer look at the electronic RFID locks from Saflok. After all, the hotel locking system is used in 13,000 hotels and apartments worldwide. The security researchers discovered a number of vulnerabilities that make it easy to unlock the doors secured with this locking system.
By combining the identified vulnerabilities, an attacker can unlock all rooms in a hotel with a single pair of counterfeit key cards. To do this, an attacker only needs a key card (e.g. from a rented hotel room or even an expired key card) from the affected hotel, which they must read.
Faked key cards can then be created with any MIFARE Classic card and any commercially available tool that can write data to these cards. All locks in the system can then be opened with the counterfeit key card. Incidentally, a bolt in the lock offers no protection, as this bolt can be unlocked electronically. Protection is only provided by additional locks, such as a chain on the hotel door, to prevent unauthorized entry into a hotel room or apartment through the "Saflok-unprotected" door in question.
According to the security researchers, all locks that use the Saflok system are affected. This includes Saflok MT, the Quantum series, the RT series, the Saffire series and the Confidant series, but may also include other locking systems. According to those who discovered the vulnerabilities, these models are mainly used in hotels where the System 6000 or Ambiance management software is used. Some applications in apartment buildings that use System 6000 or Community are also affected.
Advertising
Over three million hotel locks in 131 countries from around 13,000 hotels are affected. The vulnerabilities were reported to Dormakaba (the manufacturer of Saflok) in September 2022. And in March 2024, the security researchers published the information about the vulnerable door locking systems on the unsaflok.com website.
Vendor Dormakaba patches
After the security researchers reported the vulnerabilities to Dormakaba, the manufacturer began to fix the problem in 2022. The update of the locks in the hotels started in November 2023. As of 03/2024, around 36% of the affected locks have been updated or replaced, the security researchers write.
Replacing or upgrading the locking systems in question is a complex process, according to the people who discovered the vulnerabilities. All locks require a software update or even need to be replaced. In addition, all key cards must be reissued and the reception software and card encoders must be updated. Furthermore, the integration of third-party providers (e.g. elevators, parking garages and payment systems) may require additional upgrades.
Updating all locks isn't complete
For this reason, the security researchers only disclose limited information about the vulnerability on their website unsaflok.com. The aim is to ensure that hotel staff and guests are aware of the potential security problem. According to the security researchers, it will take some time for most hotels to be upgraded.
It is impossible for hotel guests to visually recognize that a lock has already been upgraded. One indication that a hotel has already completed the upgrade process is MIFARE Ultralight C key cards instead of the previous Classic key cards. According to the security researchers, the card type can be determined using the NFC Taginfo app from NXP, which is available for Android and iOS.
And it gets even worse: Dormakaba Saflok locks have been sold since 1988, i.e. for around 36 years. So it cannot be ruled out that these vulnerabilities are known and have been used by others. The attack can also be carried out with a Flipper Zero or other tools such as Proxmark3 or an NFC-enabled Android cell phone. The tools only need to be able to read and write or emulate MIFARE Classic cards. A good example of how digitalization fails with serious consequences.
