Security researchers have uncovered vulnerabilities that affect 3 million Saflok electronic RFID locks installed in hotels and homes around the world, potentially allowing intruders to easily unlock any door by creating fake keycards.
The vulnerabilities, collectively referred to as “Unsaflok,” were identified by a team of researchers including Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, shell, and Will Caruana back in September 2022. The group was participating in a private hacking event in Las Vegas when they discovered flaws in the Saflok electronic lock system.
After informing the manufacturer, Dormakaba, of their findings in November 2022, the researchers waited until now to publicly disclose the Unsaflok vulnerabilities. The security flaws have been present for over 36 years, increasing the likelihood of exploitation even though no incidents have been confirmed in the wild.
The vulnerabilities enable attackers to unlock any room using a pair of forged keycards, with the attacker needing access to at least one keycard from the targeted property. By reverse-engineering Dormakaba’s software and lock programming device, the team learned how to create a master key that could open any door on the property. The attack involves rewriting the lock’s data with the first card and opening the lock with the second.
Multiple Saflok models, including the Saflok MT, Quantum Series, RT Series, Saffire Series, and Confidant Series, are affected by the Unsaflok flaws. These models are currently being used in 3 million doors across 13,000 properties in 131 countries. While Dormakaba is working to address the vulnerabilities, the process of replacement and upgrade is complex and ongoing.
To help hotel staff and guests identify potentially vulnerable locks, researchers recommend using the NFC Taginfo app to check the keycard type. MIFARE Classic cards are indicative of a likely vulnerability.
Dormakaba has issued a statement acknowledging the security issue and assuring customers that they are actively working on a mitigation solution. They have not received any reports of the vulnerabilities being exploited so far and are collaborating with the researchers to raise awareness about evolving risks with legacy RFID technology.
