The Huge Security Hack That Might Make Travelers Feel Less Safe In Hotels
Hackers are always looking for new avenues to steal vital personal information, and any sufficiently-advanced computer system can serve as one of those avenues for malicious purposes. One prime example of a potential security hole that you may not have thought to check is in the door to your hotel room. A recently-discovered vulnerability that's arguably worse than a hotel booking site leaking your private info has been discovered in card key systems.
This week, a group of white hat hackers released the research from an in-depth study into a particular set of security vulnerabilities — known as "Unsaflok," named after the Dormakaba-branded Saflok door locks that they target. The study that resulted in Unsaflok's discovery was originally conducted in a hotel in Las Vegas in 2022; a city that has seen its fair share of brutal cyberattacks like the 2022 MGM casino hack. The vulnerability the researchers discovered is equal parts dangerous and simple: All it takes is a couple of quick taps with an ordinary card key, and anyone could theoretically break into a hotel room.
How Unsaflok works
Saflok locking systems are installed on hotel rooms all over the world; with around 3 million doors in 13,000 properties across 131 countries estimated to have doors installed according to the researchers' disclosed information. Even though all of these doors are in different locations and under different owners, this single exploit could take advantage of every one of them.
The vulnerability revolves around the RFID keycards that the Saflok system reads, which utilize a system called MIFARE Classic. If a hacker were to obtain any two MIFARE keycards, even just from renting out a couple of rooms in a hotel themselves, they could then use a generic RFID read-write device to instantly alter their contents.
With these forged keycards in hand, the hacker could open any door in the hotel that uses a Saflok system by tapping both against a door lock. The first tap alters critical data within the lock's system, then the second tap opens the deadbolt and door latch.
Can this vulnerability be removed?
The good news is that, following the original discovery of Unsaflok in 2022, the researchers immediately reported its existence to Dormakaba, which then began the process to remedy it.
"We have worked closely with our partners to identify and implement an immediate mitigation for this vulnerability, along with a longer-term solution," Dormakaba said in a statement to WIRED. "Our customers and partners all take security very seriously, and we are confident all reasonable steps will be taken to address this matter in a responsible way."
The bad news is that, due to the complexity of the systems involved in managing hotel door locks, the process has been slow-going. In addition to individually updating the software in every single lock, all of the relevant keycards need to be reissued, and the front desk management software needs to be overhauled. As of March 2024, only around 36% of the affected Saflok systems have been replaced or updated, according to the researchers' report.