Unsafe Hotels? Millions of Rooms Vulnerable to Attack

Annually in August, thousands of cybersecurity professionals gather in Las Vegas for an event often dubbed the “hackers’ summer camp.” This period marks the convening of two of the largest information security conferences: Black Hat and Defcon. At one such event in 2022, a team of researchers was assigned the unique challenge of hacking into a Las Vegas hotel room by exploiting vulnerabilities in all its devices.

The investigation focused on hotel room technologies, encompassing televisions, telephones, and most crucially, door locks. A year and a half post-event, the hacker team, including Ian Carroll and Lennert Wouters, finally unveiled their findings—a method that allows for the unlocking of any of the millions of hotel rooms globally in just a matter of seconds.

This method, named “Unsaflok,” targets vulnerabilities in the Saflok brand locks produced by the Swiss company Dormakaba, which are installed on three million hotel doors across 131 countries. The researchers identified weaknesses in the encryption and the RFID system used in these locks, demonstrating the ease with which a Saflok lock could be opened.

To hack a lock, the team needed only to acquire a card from any room in the target hotel, read its code using a special RFID reader-writer device priced at about $300, and then create their pair of cards. Touching these cards to any Saflok brand lock installed in the target hotel allowed them to first overwrite the embedded data and then effortlessly open it.

Dormakaba was notified of these vulnerabilities in November 2022. Since then, it has begun the process of informing hotels using Saflok systems and assisting in rectifying the vulnerabilities.

Hundreds of hotels were compelled to manually reprogram each vulnerable lock, a process that was both time-consuming and laborious. Nevertheless, according to Carroll and Wouters, even after a year and a half, only 36% of the installed Saflok systems had been updated. Due to such slow progress in addressing the vulnerability, the researchers decided not to wait any longer, relying on the hotel owners’ integrity, and disclosed all the details, alerting the entire world to the danger.

Given that Saflok locks do not support software auto-updates, as they are not connected to the internet, and some older models even require hardware replacement to fix the vulnerability, a complete solution to the problem, where all Dormakaba customers eliminate the breach, will take significant time. Until then, millions of Saflok locks remain vulnerable to hacker manipulation, putting the physical safety of countless individuals at risk.

For hotel guests encountering Saflok locks, the researchers recommend using the “NFC Taginfo” mobile application to check their key cards. If the application indicates that the card uses the MIFARE Classic system, likely, that the hotel room lock is still vulnerable. In such cases, it’s advised not to leave valuables in the room and to use an additional latch when inside.

Carroll and Wouters assert that even though only 36% of vulnerable locks have been secured, hotel guests should be aware of potential risks rather than have a false sense of security.

Considering that Saflok locks have been sold for over three decades and might have been vulnerable for most of this time, the absence of information on previous malicious use of this technique does not mean it has never been exploited before.

This emphasizes the importance of awareness and heightened vigilance on the part of hotel visitors, as well as the increased responsibility borne by hotel owners notified of this breach but who have yet to rectify it. A year and a half is, after all, a considerable amount of time to resolve potential security issues.

This story underscores the significance of continuous monitoring and the timely elimination of potential vulnerabilities, especially when it concerns the protection of physical assets and the safety of real people.