A group of cybersecurity experts has disclosed a significant flaw in hotel keycard systems, dubbed “Unsaflok,” which poses a threat to the security of over three million hotel rooms worldwide.
The vulnerability, identified in Dormakaba’s Saflok RFID locks, spans more than 13,000 hotel properties in 161 countries.
The security loophole stems from shortcomings in the encryption and RFID technology utilized by Dormakaba.
The method for exploiting this vulnerability involves initially acquiring a keycard from the hotel in question, achievable through booking a room or finding a discarded card.
With the aid of an RFID writer-reader, priced around $300, the data on the keycard is duplicated onto two new cards.
These cards, when used sequentially on a hotel room’s lock, manipulate the lock’s data, ultimately unlocking the door.
Interestingly, this hack can also be executed using an Android smartphone equipped with Near-Field Communication (NFC) capability.
By downloading a specific app that emits the necessary signal, the smartphone can replicate the function of the two physical keycards, enabling door unlocking without them.
This revelation follows a previous security breach presented at the 2012 Black Hat conference in Las Vegas, where a vulnerability in Onity’s lock systems, affecting 10 million locks, was exposed.
Onity’s refusal to fund the necessary updates forced hotels to manage the rectifications independently, a decision that led to the exploit being used for criminal activities, including theft from hotel rooms.
In contrast to the previous incident, the team behind Unsaflok has opted for a more reserved approach in disclosing the full details of their discovery.
Hacker Ian Carroll stated their intention to strike a balance between facilitating Dormakaba’s swift response to the issue and raising awareness among hotel guests.
The team’s concern is that premature full disclosure could enable malefactors to exploit the vulnerability before a widespread understanding and remediation effort is in place.
The Unsaflok vulnerability is a security flaw in the Saflok RFID lock systems produced by Dormakaba. It affects over three million hotel rooms across more than 13,000 properties in 161 countries. The issue lies in the encryption and RFID technology, making it possible to unlock doors without authorization.
Exploiting the Unsaflok flaw requires obtaining a hotel’s keycard, then using an RFID writer-reader to duplicate its data onto two new cards. Using these cards in sequence on a door’s lock can unlock it. Alternatively, an Android phone with NFC and a specific app can mimic the keycards’ function.
While the technicalities of the Unsaflok exploit are complex, guests are advised to safeguard their keycards and report any lost or stolen cards immediately. Awareness and vigilance, such as ensuring doors are securely locked and using additional security measures like door stoppers, can offer extra protection.
The cybersecurity team behind the discovery of the Unsaflok flaw is working with Dormakaba to address the issue. By not fully disclosing the hack, they aim to prevent its exploitation and ensure a solution is found before the vulnerability becomes widely known and misused.