Every August, Las Vegas becomes a playground for thousands of security researchers who gather for the annual Black Hat and Defcon hacker conferences, colloquially known as “hacker summer camp”. Amidst the city’s glittering casinos and high-tech hospitality infrastructure, these experts test their skills against the city’s digital defenses. In 2022, a unique challenge was posed at a private event: a competition to find and exploit vulnerabilities in a typical Vegas hotel room’s technology, from the television to the VoIP phone.
One team of hackers turned their attention to what could be considered the room’s most critical piece of technology: the door lock. After more than a year of diligent work, they have now unveiled a startling discovery. They developed a method that would enable an unauthorized individual to gain access to millions of hotel rooms globally in a matter of seconds, using just two taps.
Unveiling ‘Unsaflok’
Today, security researchers Ian Carroll, Lennert Wouters, and their team are disclosing a hotel keycard hacking method they’ve dubbed ‘Unsaflok’. This technique exploits a series of security flaws that allow almost instantaneous access to several models of Saflok-brand RFID-based keycard locks, manufactured by Swiss lock maker Dormakaba. These Saflok systems are found on 3 million doors across 13,000 properties in 131 countries.
How Does ‘Unsaflok’ Work?
The ‘Unsaflok’ technique leverages vulnerabilities in both Dormakaba’s encryption and the underlying MIFARE Classic RFID system that Dormakaba employs. By obtaining any keycard from a target hotel, reading a specific code from that card with a $300 RFID read-write device, and then creating two keycards of their own, Carroll and Wouters demonstrated the ease with which they could unlock a Saflok keycard lock. A tap of the first card on a lock rewrites a portion of the lock’s data, and a tap of the second card opens it.
“Two quick taps and we open the door,” says Wouters, a researcher in the Computer Security and Industrial Cryptography group at KU Leuven University in Belgium. “And that works on every door in the hotel.”
Addressing the Vulnerability
Wouters and Carroll, an independent security researcher and founder of the travel website Seats.aero, shared the full technical details of their hacking technique with Dormakaba in November 2022. Dormakaba has been working since early last year to alert hotels using Saflok of these security flaws and assist them in fixing or replacing vulnerable locks. For many of the Saflok systems sold in the past eight years, there is no need for a hardware replacement for each lock. Instead, hotels will only need to update or replace the front desk management system and have a technician reprogram each lock, door by door.
Dormakaba’s Response
Dormakaba, in a statement to WIRED, confirmed that they have been working closely with their partners to identify and implement an immediate solution for this vulnerability, along with a long-term strategy. However, they did not provide specific details about the immediate mitigation. They emphasized that their customers and partners take security very seriously and expressed confidence that all reasonable steps will be taken to address this issue responsibly.
The Hacking Technique Explained
The hacking technique that Wouters and Carroll’s research group discovered involves two distinct types of vulnerabilities. The first allows them to write to Dormakaba’s keycards, and the second enables them to determine what data to write to the cards to successfully trick a Saflok lock into opening.
Upon analyzing Saflok keycards, they found that they use the MIFARE Classic RFID system, known for over a decade to have vulnerabilities that allow hackers to write to keycards, though that brute-force process can take up to 20 seconds. The researchers then cracked a part of Dormakaba’s encryption system, its so-called key derivation function, which enabled them to write to its cards much faster. With either of these tricks, the researchers could duplicate a Saflok keycard at will, but still not create one for a different room.
Obtaining the Necessary Tools
The researchers’ more crucial step required them to obtain one of the lock programming devices that Dormakaba distributes to hotels, as well as a copy of its front desk software for managing keycards. By reverse-engineering that software, they were able to understand all the data stored on the cards, extract a hotel property code as well as a code for each room, then create their own values and encrypt them just as Dormakaba’s system would. This allowed them to spoof a working master key that opened any room on the property.
When asked how they obtained Dormakaba’s front desk software, Wouters stated, “We nicely asked a few people.” He pointed out that manufacturers often assume that no one will sell their equipment on eBay or make a copy of their software, assumptions that are often proven incorrect.
Executing the Attack
Once they had managed all that reverse-engineering work, the final version of their attack could be executed with little more than a $300 Proxmark RFID read-write device and a couple of blank RFID cards, an Android phone, or a Flipper Zero radio hacking tool.
The biggest caveat to the hackers’ Unsaflok technique is that it still requires that they have a keycard—even an expired one—for a room somewhere in the same hotel as the room they’re targeting. That’s because each card has a property-specific code they need to read and then duplicate on their spoofed card, as well as a room-specific one.
Once they have that property code, the technique also requires using an RFID read-write device to write two cards—one card that reprograms a target lock as well as the second spoofed card that unlocks it. (An Android phone or a Flipper Zero could also be used to emit one signal after another instead of the two cards, the researchers say.) The researchers hint that the first card allows them to open a target room without guessing its unique identifier in the hotel’s system, but declined to say exactly what that first card does. They’re holding that element of the technique in confidence to avoid giving too clear a set of instructions to would-be intruders or thieves.
Previous Incidents
By contrast, a similar hotel keycard hack was presented at the Black Hat conference in 2012 that opened locks sold by the firm Onity with no such obfuscation. This allowed any hacker to build a device that opened any of Onity’s 10 million locks worldwide. When Onity refused to pay for the hardware upgrades necessary to solve the problem and instead put the onus on its customers, the issue remained unfixed in many cases.
Striking a Balance
Carroll and Wouters are striving to strike a balance between aiding Dormakaba in swiftly rectifying the issue and informing hotel guests about the vulnerability. They believe that if someone else were to reverse-engineer this technique today and start exploiting it before awareness is widespread, the problem could escalate significantly.
Identifying Vulnerable Locks
According to Carroll and Wouters, hotel guests can often identify vulnerable locks by their distinctive design: a round RFID reader with a wavy line running through it. They suggest that guests who find a Saflok on their door can check if it has been updated by using the NFC TagInfo app by NXP, available for iOS or Android. If the lock is manufactured by Dormakaba and the app shows that the keycard is still a MIFARE Classic card, it is likely still vulnerable.
What Can Guests Do?
If a lock is indeed vulnerable, the researchers advise guests to avoid leaving valuables in the room and to bolt the chain on the door when inside. They caution that the deadbolt on the room is also controlled by the keycard lock, so it does not provide an additional layer of security. As Carroll warns, “If someone locks the deadbolt, they’re still not protected.”
The Importance of Awareness
Even without a perfect or fully implemented solution, Wouters and Carroll argue that hotel guests should be aware of the risks rather than having a false sense of security. They note that the Saflok brand has been on the market for over three decades and may have been vulnerable for much, if not all, of that time. While Dormakaba claims it is not aware of any past use of Wouters’ and Carroll’s technique, the researchers point out that this does not mean it has never been exploited in secret.
“We think the vulnerability has been there for a long time,” says Wouters. “It’s unlikely that we are the first to find this.”