Over three million hotel room locks in 13,000 buildings in over 130 countries are vulnerable to serious security danger, according to researchers who recently disclosed a significant security flaw in Dormakaba’s Saflok electronic RFID locks used in hotels where the management software is System 6000 or Ambiance.
When combined, the identified weaknesses could allow hackers to unlock all rooms in a hotel using a single pair of forged or cloned keycards. Â Â Hackers only need to read one keycard from the property to perform the attack against any door in the property. This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box.
Saflok MT and Saflok RT Plus (pictured below) are the most common models of impacted locks.
Any NFC-enabled Android phone could forge a master key for every room in a hotel. Near Field Communication (NFC) is a set of short-range wireless technologies, typically requiring a distance of 4 cm or less to initiate a connection. NFC lets you share small payloads of data between an NFC tag and an Android-powered device, or between two Android-powered devices.
Some examples of devices that can hack an NFC card include Flipper Zero, Prixmark3, and any NFC-equipped Android phone. A single fake card can unlock any door in the hotel that produced the original.
It is unclear whether hackers are actively exploiting the vulnerability.
Dormakaba began upgrading hotels in November of 2023. As of March 2024, about 36% of the impacted locks have been updated or replaced. Dormakaba started selling Saflok locks in 1988, which means that vulnerable locks have been in use for over 36 years.
Upgrading each hotel is an intensive process. All locks require a software update or have to be replaced. Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and 3rd party integrations (e.g. elevators, parking garages and payment systems) may require additional upgrades. It will take an extended period of time for the majority of hotels to be upgraded.
Techspot published dormakaba’s statement as follows which is in response to the report on the security flaw being made public:
“As soon as we were made aware of the vulnerability by a group of external security researchers, we initiated a comprehensive investigation, prioritized developing and rolling out a mitigation solution, and worked to communicate with customers systematically.
We are not aware of any reported instances of this issue being exploited to date. Per the principles of responsible disclosure, we are collaborating with the researchers to provide a broader alert to highlight how existing risks with legacy RFID technology are evolving, so that others can take precautionary steps. We appreciate the responsible disclosure and collaborative approach taken by the researchers who have shared our goal of protecting users and strengthening security technology throughout this process.”
