Security researchers have discovered vulnerabilities in Dormakaba’s Saflok line of electronic RFID locks, which could allow an attacker access to hotel rooms and multi-family housing unit doors in a matter of seconds using a single pair of forged keycards.
The series of vulnerabilities, dubbed “Unsaflok”, was discovered by researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, shell, and Will Caruana in September 2022 and disclosed in March 2024, as first reported by Wired.
Unsaflok affects over 3 million doors on over 13,000 properties in 131 countries.
All locks using the Saflok system are affected, including (but not limited to) the Saflok lock series – Saflok MT, the Quantum series, the RT series, the Saffire series, and the Confidant series, which are used in combination with the System 6000, Ambiance, and Community management software.
Dormakaba, the keycard and lock manufacturer, has been notified and already started working on a fix.
It began upgrading hotels in November of 2023. As of March 2024, approximately 36% of the affected locks have been updated or replaced.
However, the researchers say that it is impossible to visually tell if a lock has been updated to fix these vulnerabilities.
“Upgrading each hotel is an intensive process. All locks require a software update or have to be replaced. Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and 3rd party integrations,” the researchers explain.
“An attacker only needs to read one keycard from the property to perform the attack against any door in the property. This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box,” the researchers wrote on their website.
“Forged keycards can then be created using any MIFARE Classic card, and any commercially available tool capable of writing data to these cards. One pair of forged keycards allows an attacker to open any door in the property.”
This attack can be performed by any device capable of reading, writing, or emulating MIFARE Classic cards, including Proxmark3 and Flipper Zero and an NFC-capable Android smartphone.
Currently, the researchers have disclosed only limited information on the Unsaflok vulnerability due to its potential impact on hotels and guests.
They intend to share additional technical details of the vulnerability in the future, as they want to give numerous properties enough time to upgrade their systems.
Dormakaba started selling Saflok locks in 1988, which means that they have been commercially available for over 36 years. The researchers say that they are not aware of real-world attacks exploiting this vulnerability.
“On March 21, 2024, dormakaba published information regarding a security vulnerability associated with both the key derivation algorithm used to generate MIFARE Classic® keys and the secondary encryption algorithm used to secure the underlaying card data. This vulnerability affects Saflok systems (System 6000™, Ambiance™, and Community™),” Dormakaba said in a statement to the BleepingComputer.
“As soon as we were made aware of the vulnerability by a group of external security researchers, we initiated a comprehensive investigation, prioritized developing and rolling out a mitigation solution, and worked to communicate with customers systematically. We are not aware of any reported instances of this issue being exploited to date.
“Per the principles of responsible disclosure, we are collaborating with the researchers to provide a broader alert to highlight how existing risks with legacy RFID technology are evolving, so that others can take precautionary steps.”
