Security Flaw Can Open Over 3 Million Door Locks, Mainly at Hotels

Security researchers have discovered a flaw that can be used to easily unlock keycard-powered door systems across numerous hotel properties.

The vulnerability involves the Saflok door system from a Swiss company called Dormakaba. “Over three million hotel locks in 131 countries are affected,” according to the researchers, who note that the flaw has existed for the past 36 years.

According to Wired, the security experts uncovered the problem in August 2022 after attending a private event where they were invited to hack a Las Vegas hotel room. The group then disclosed the findings to Dormakaba, which started work on a patch in November 2023. However, it hasn’t been easy to install the fix across the affected properties. So far, only 36% of the affected locks have been updated or replaced.

“All locks require a software update or have to be replaced,” the researchers wrote. “Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and 3rd party integrations (e.g. elevators, parking garages and payment systems) may require additional upgrades.”


The researchers decided to publicly disclose the flaw so that hotel staff and guests are aware of the threat. They created a website about the flaw, which has been dubbed Unsaflok.

To prevent hackers from exploiting the threat, the researchers have not released technical details. Nevertheless, the vulnerability is relatively easy for a bad actor to abuse. “An attacker only needs to read one keycard from the property to perform the attack against any door in the property. This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box,” they wrote.

In addition, the hack can be carried out with any electronic device that can read, write, and emulate MIFARE Classic smart cards. This includes the $169 Flipper Zero and any NFC-capable Android smartphone.
