{"id":33292,"date":"2024-05-23T21:03:48","date_gmt":"2024-05-23T19:03:48","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/unsaflok-forging-keycards-for-hotel-doors\/33292\/"},"modified":"2024-05-23T21:03:51","modified_gmt":"2024-05-23T19:03:51","slug":"unsaflok-forging-keycards-for-hotel-doors","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/unsaflok-forging-keycards-for-hotel-doors\/33292\/","title":{"rendered":"Unsaflok: vulnerable locks on three million hotel room doors"},"content":{"rendered":"<p>A group of researchers has published information about the so-called <a href=\"https:\/\/unsaflok.com\/\" target=\"_blank\" rel=\"nofollow noopener\">Unsaflok<\/a> attack, which exploits a number of vulnerabilities in dormakaba\u2019s Saflok hotel door locks. We explain how this attack works, why it\u2019s dangerous, and how hotel owners and guests can protect themselves against it.<\/p>\n<h2>How the Unsaflok attack works<\/h2>\n<p>\nThe most important thing to know about the Unsaflok attack is that it permits the forging of keycards for electronic Saflok locks, which are widely used in hotels around the world. All an attacker needs is an RFID key from a targeted hotel where these locks are installed. Getting hold of one is easy: for example, the keycard to the attacker\u2019s own room would suffice. Data obtained from this card would be enough to program a keycard so it can open any door in the hotel.<\/p>\n<p>No particularly exotic equipment is required for this either: to read legitimate keycards and forge new ones, an attacker can use a laptop with an RFID card reader\/writer connected to it. 
Even a regular Android smartphone with NFC can do the trick.<\/p>\n<div id=\"attachment_51293\" style=\"width: 1470px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2024\/05\/23210332\/unsaflok-forging-keycards-for-hotel-doors-1.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51293\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2024\/05\/23210332\/unsaflok-forging-keycards-for-hotel-doors-1.jpg\" alt=\"One of the possible setups for the Unsaflok attack\" width=\"1460\" height=\"796\" class=\"size-full wp-image-51293\"><\/a><p id=\"caption-attachment-51293\" class=\"wp-caption-text\">A laptop with a contactless smart-card reader\/writer can be used to forge keycards. However, a regular Android smartphone with NFC would also do. <a href=\"https:\/\/unsaflok.com\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>Various hacking tools that work with RFID \u2014 such as the popular Flipper Zero or the somewhat more exotic Proxmark3 \u2014 can also be used for the Unsaflok attack.<\/p>\n<p>It turns out the researchers discovered the possibility of attacking Saflok locks back in 2022. However, adhering to responsible vulnerability disclosure procedures, they gave the manufacturer considerable time to develop protective measures and begin updating the locks. To protect the safety of hotels and their guests, full details of the attack mechanism as well as the proof-of-concept have not yet been published. The researchers promise to share more details about Unsaflok in the future.<\/p>\n<h2>Which locks are vulnerable to the Unsaflok attack<\/h2>\n<p>\nAccording to researchers, all locks using the dormakaba Saflok system are vulnerable to the attack, including (but not limited to) the RT Series, MT Series, Quantum Series, Saffire Series, and Confidant Series. 
According to the dormakaba website, Saflok locks have been manufactured since 1988 \u2014 for more than 30 years.<\/p>\n<div id=\"attachment_51294\" style=\"width: 1010px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2024\/05\/23210342\/unsaflok-forging-keycards-for-hotel-doors-2.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51294\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2024\/05\/23210342\/unsaflok-forging-keycards-for-hotel-doors-2.jpg\" alt=\"Saflok RT series hotel lock\" width=\"1000\" height=\"1000\" class=\"size-full wp-image-51294\"><\/a><p id=\"caption-attachment-51294\" class=\"wp-caption-text\">The Saflok RT series is one of the most common types of dormakaba Saflok locks. <a href=\"https:\/\/www.dormakaba.com\/us-en\/offering\/products\/lodging-systems\/electronic-hotel-locks\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>How common are these locks? As the researchers themselves say, vulnerable Saflok locks are used in over 13,000 hotels in 131 countries worldwide \u2014 installed on around three million doors. If the <a href=\"https:\/\/hoteltechreport.com\/news\/hospitality-statistics\" target=\"_blank\" rel=\"nofollow noopener\">data<\/a> stating that there are a total of 17.5 million hotel rooms in the world is to be believed, roughly one in six hotel locks is vulnerable to the Unsaflok attack.<\/p>\n<p>dormakaba developed an update that protects against the Unsaflok attack and began updating the locks in November 2023. However, we\u2019re talking about thousands of hotels and millions of locks, each of which must be individually updated or completely replaced, as well as vast quantities of related equipment. Therefore, the update process takes a considerable amount of time. 
According to the researchers, by March 2024, 36% of the vulnerable locks had been updated.<\/p>\n<h2>Safety tips for guests<\/h2>\n<p>\nSaflok locks are easy to recognize \u2014 the most popular series, which you\u2019re most likely to encounter in hotels, were shown in the illustrations above. And here you can see what the <a href=\"https:\/\/www.dormakaba.com\/us-en\/offering\/products\/lodging-systems\/electronic-hotel-locks\" target=\"_blank\" rel=\"nofollow noopener\">other models of vulnerable locks<\/a> look like.<\/p>\n<p>It\u2019s not possible to distinguish a vulnerable lock from an already updated one by appearance, as outwardly they look exactly the same. However, the type of keycard can help with that: if the hotel uses MIFARE Classic keycards with Saflok locks, then these locks are still vulnerable to the Unsaflok attack. If the hotel has already switched to MIFARE Ultralight C keycards, this is a sign that the locks have been updated. You can determine the keycard type by using the NFC TagInfo by NXP app (<a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.nxp.taginfolite\" target=\"_blank\" rel=\"nofollow noopener\">Android<\/a>, <a href=\"https:\/\/apps.apple.com\/us\/app\/nfc-taginfo-by-nxp\/id1246143596\" target=\"_blank\" rel=\"nofollow noopener\">iOS<\/a>).<\/p>\n<p>The researchers emphasize that the mere use of MIFARE Classic keycards doesn\u2019t necessarily mean that the hotel\u2019s locks are insecure \u2014 other lock systems that use these same cards haven\u2019t been found to have problems. The danger lies specifically in the combination of MIFARE Classic cards and Saflok locks. If you come across this combo, be aware that the lock may not provide reliable protection against unauthorized entry into the given room.<\/p>\n<p>It\u2019s worth noting that the internal latch in Saflok locks is also electronically controlled and can be opened with a keycard \u2014 including a forged one. 
Therefore, it\u2019s pointless using it to protect against intrusion. Instead, you should lock the door with a chain, or a separate deadbolt if there is one.<\/p>\n<h2>Safety tips for hotel owners<\/h2>\n<p>\nThe researchers note that they aren\u2019t aware of any real-life cases of the Unsaflok attack being used against hotels. However, they don\u2019t rule out the possibility that someone had already discovered the vulnerabilities in Saflok locks before them \u2014 after all, these locks have been on the market for several decades.<\/p>\n<p>Therefore, it\u2019s quite possible that malicious actors are already using this attack to break into hotel rooms, and since such an intrusion looks the same as legitimate use of the lock, it\u2019s not so easy to notice a break-in.<\/p>\n<p>The researchers mention that it\u2019s possible to detect an Unsaflok attack by examining the entry\/exit logs using the Saflok HH6 programmer: due to the nature of the vulnerability, entry with a forged key for all doors might be attributed to an \u201cincorrect keycard or incorrect employee\u201d.<\/p>\n<p>And of course, the main advice: eliminate the vulnerabilities in your dormakaba Saflok locks so as not to put your clients and their property at risk. As you might guess, this means updating your locks as soon as possible. 
For questions regarding updating Saflok locks, contact the manufacturer\u2019s technical support service.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-trial\">\n","protected":false},"excerpt":{"rendered":"<p>dormakaba Saflok locks \u2014 used on around three million doors across 13,000 hotels \u2014 are vulnerable to an attack that involves forging electronic keycards.<\/p>\n","protected":false},"author":2726,"featured_media":33294,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3020,3021,2670],"tags":[111,2141,1318,3732,1374,1373,821,1006,663],"class_list":{"0":"post-33292","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"category-threats","11":"tag-attacks","12":"tag-business","13":"tag-hotels","14":"tag-keycards","15":"tag-keys","16":"tag-locks","17":"tag-nfc","18":"tag-rfid","19":"tag-travel"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/unsaflok-forging-keycards-for-hotel-doors\/33292\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/unsaflok-forging-keycards-for-hotel-doors\/27482\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/unsaflok-forging-keycards-for-hotel-doors\/22800\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/unsaflok-forging-keycards-for-hotel-doors\/30154\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/unsaflok-forging-keycards-for-hotel-doors\/27634\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/unsaflok-forging-keycards-for-hotel-doors\/37482\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/unsaflok-forging-keycards-for-hotel-doors\/51292\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/unsaflok-forging-keycards-for-hotel-doors\/27788
\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/unsaflok-forging-keycards-for-hotel-doors\/33628\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/locks\/","name":"locks"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/33292","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=33292"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/33292\/revisions"}],"predecessor-version":[{"id":33293,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/33292\/revisions\/33293"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/33294"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=33292"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=33292"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=33292"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}