Security Researchers Expose Major Flaw in Hotel Keycard Locks Worldwide

A newly discovered hacking method has exposed significant security vulnerabilities in hotel room locks globally, putting millions of hotel rooms at risk of being unlocked by unauthorized individuals in mere seconds. The technique, known as Unsaflok, targets specific models of Saflok-brand RFID-based keycard locks, which are produced by the Switzerland-based lock manufacturer Dormakaba. These keycard systems are currently installed in approximately 3 million doors across 13,000 properties in 131 countries.

The hack involves a simple process where any keycard obtained from the target hotel is manipulated using an RFID read-write device, which can be purchased for around $300. By reading a code from the card and then writing two keycards of their own, hackers can unlock any door equipped with the vulnerable lock system with two quick taps – one to rewrite part of the lock’s data and another to open it.

The security flaw was brought to light by a team of researchers, including Ian Carroll, an independent security researcher and founder of the travel website Seats.aero, and Lennert Wouters, a member of the Computer Security and Industrial Cryptography group at Belgium’s KU Leuven University. They reported their findings to Dormakaba in November 2022, prompting the company to initiate efforts to notify hotels and assist in rectifying or replacing the compromised locks.

Fortunately, for most Saflok systems sold in the last eight years, the fix does not require a hardware replacement for each lock. Hotels need only update or replace their front desk management systems and have a technician reprogram each door lock manually. However, progress in addressing this issue has been slow, with only 36% of the installed Saflok systems updated as of this month, according to the researchers. The full resolution is expected to take several more months, particularly as some older locks require hardware upgrades and the locks are not connected to the internet.

Dormakaba has publicly acknowledged the security vulnerability, emphasizing their commitment to investigating the issue, developing a solution, and systematically communicating with customers. They also highlighted that there have been no reported instances of the vulnerability being exploited.

In the interim, Carroll and Wouters are raising public awareness about the potential risk, advising hotel guests on how to identify the vulnerable locks and take precautionary measures. They suggest guests avoid storing valuables in their rooms and use the door chain for added security while inside, although they note that even the deadbolt does not offer additional protection as it is also controlled by the keycard lock.

This incident serves as a critical reminder of the evolving risks associated with legacy RFID technology and the importance of continuous vigilance and updates to ensure the security of digital lock systems.