Researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana discovered a series of vulnerabilities, collectively named Unsaflok, in Dormakaba Saflok electronic RFID locks. The researchers explained that the issues can be chained to forge keycards. Dormakaba Saflok electronic RFID locks are very popular and are used in hotels and multi-family housing environments.
The Saflok electronic RFID locks are installed in 13,000 properties in 131 countries. The researchers estimated that they are installed on 3 million doors worldwide.
Once they had obtained a keycard from the hotel, either by booking a room there or by stealing one from the box of used cards at the reception, the researchers used a $300 RFID read-write device to read a code. Then they wrote the code on two keycards and used them to open the door.
“An attacker only needs to read one keycard from the property to perform the attack against any door in the property. This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box.” reads a website set up by the researchers. “Forged keycards can then be created using any MIFARE Classic card, and any commercially available tool capable of writing data to these cards. One pair of forged keycards allows an attacker to open any door in the property.”
The experts revealed that an attacker can perform this attack by using any device that can read and write or emulate MIFARE Classic cards. Proxmark3 and Flipper Zero tools can be used to carry out the attack, but the experts explained that hackers can also use an NFC-capable Android device.
The experts reported the flaws in September 2022; in November 2023, Dormakaba issued updates to address the problem.
“An immediate mitigation solution is available for a security vulnerability associated with both the key derivation algorithm used to generate MIFARE Classic® keys and the secondary encryption algorithm used to secure the underlying card data. This vulnerability affects Saflok systems (System 6000™, Ambiance™, and Community™).” reads the advisory published by the vendor.
The issues impact multiple lock models, including Saflok MT, the Quantum Series, the RT Series, the Saffire Series and the Confidant Series.
These lock models are commonly used in hotels using the management software System 6000 or Ambiance. The flaws also affect some applications in the multifamily housing space which use System 6000 or Community.
The researchers estimated that only approximately 36% of the impacted locks have been updated or replaced as of March 2024.
“Upgrading each hotel is an intensive process. All locks require a software update or have to be replaced. Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and 3rd party integrations (e.g. elevators, parking garages and payment systems) may require additional upgrades.” added the researchers.
The experts did not share details of the attack to ensure that hotel staff and guests are informed about the flaws.
To determine whether the Unsaflok attack was carried out, the researchers recommend that hotel staff audit the lock’s entry/exit logs via the HH6 device.
“Dormakaba started selling Saflok locks in 1988, which means that vulnerable locks have been in use for over 36 years.” concludes the report. “While we are not aware of any real world attacks that use these vulnerabilities, it is not impossible that these vulnerabilities are known, and have been used, by others.”
(SecurityAffairs – hacking, Unsaflok)