Date: 2024-03-24

Security researchers Ian Carroll and Lennert Wouters have unveiled a critical vulnerability in Saflok-brand RFID hotel keycard locks, potentially affecting 3 million doors across 131 countries. This discovery, first reported by Wired, highlights a significant security risk in the hotel industry's reliance on outdated technology. Carroll, an independent security researcher, and Wouters, a member of Belgium's KU Leuven University's Computer Security and Industrial Cryptography group, demonstrated a method named Unsaflok, which can unlock any door equipped with the compromised lock in seconds.

Unveiling Unsaflok: A Global Security Concern

The hacking technique begins with the acquisition of any hotel's keycard and the use of an RFID read-write device to manipulate the card's data. This process allows the creation of two master keycards that can unlock any door with a vulnerable Saflok lock by merely tapping them against the lock. The simplicity and efficiency of this method lay bare the glaring security vulnerabilities within the Saflok system, which is widely used in the hospitality sector.

Response from Dormakaba and Security Measures

In response to the discovery, Dormakaba, the Swiss company behind Saflok locks, has been working with Carroll and Wouters since November 2022 to mitigate the issue. According to Wired, the company has informed hotels of the vulnerability and provided solutions that, for most systems sold in the last eight years, do not require hardware replacements. Despite these efforts, only 36% of the locks have been updated as of March 2024, leaving a significant number of properties at risk. Dormakaba has not reported any instances of the vulnerability being exploited but continues to work on comprehensive solutions.

Protecting Yourself as a Guest

For hotel guests, the presence of Saflok locks can be identified by their distinct design—a round RFID reader with a wavy line. Carroll and Wouters recommend guests use the NFC Taginfo app by NXP to check if their keycard is a MIFARE Classic card, indicating a vulnerable lock. In such cases, guests are advised not to store valuables in their rooms and to use the door chain for added security, although it's noted that even the deadbolt does not offer complete protection against this hacking method.

This significant security flaw underscores the need for the hospitality industry to reassess its security measures and for guests to remain vigilant. The collaboration between the security researchers and Dormakaba aims to mitigate the risks, but the situation highlights the evolving threats in digital security and the importance of staying ahead of potential vulnerabilities.