Keycard Hack Can Open Hotel Guest Rooms

A hacking technique exposes security vulnerabilities in some RFID-based hotel keycard locks.

Editor’s Note: This article, which was originally published by CS sister publication Security Sales & Integration, covers the vulnerabilities of some Saflok-brand RFID-based hotel keycard locks used in more than 130 countries. Because some institutions of higher education and hospitals own hotels, campus staff should investigate if this vulnerability applies to those buildings, and possibly college campus dormitories and residence halls.

Hackers Ian Carroll and Lennert Wouters, along with a team of other security researchers, have discovered a technique that would “enable intruders to unlock any of millions of hotel rooms around the world in just seconds,” according to a recent People report, citing information from Wired.

The hackers recently unveiled a hotel keycard hacking method called Unsaflok, which highlights “the series of security vulnerabilities that would allow a hacker to almost instantly unlock certain models of Saflok-brand RFID-based keycard locks sold by Switzerland-based lock manufacturer dormakaba,” the report says.

Saflok keycard systems are installed on about 3 million doors worldwide at 13,000 properties in 131 countries, according to the report.

The hacking technique unveiled by Carroll and Wouters begins with obtaining any keycard from a target hotel, reading a certain code from that card using an RFID read-write device (purchased for $300), and then writing two keycards of their own.

When users tap those two cards on a lock, the first one rewrites a piece of the lock’s data and the second card opens it, according to Wired.

“Two quick taps and we open the door,” says Wouters, a researcher in the Computer Security and Industrial Cryptography group at Belgium’s KU Leuven University, in the Wired report. “And that works on every door in the hotel.”

Inside the Hotel Keycard Hack

Wouters and Carroll, an independent security researcher and founder of the travel website, shared their hacking technique with dormakaba in November 2022. The company has been working since then to “alert hotels that use Saflok of the system’s security flaws and help them fix or replace their locks,” the report says.

No hardware replacement is necessary for the majority of Saflok systems sold in the past eight years, according to the Wired report. To fix the issue, hotels “only need to update or replace their front desk management system and bring in a technician to manually reprogram each door lock,” the report says.

Wouters and Carroll told Wired they were informed by dormakaba officials that only 36% of installed Safloks have been updated, as of last month.

Dormakaba also told the researchers it will likely take “months or longer” to fully remedy the situation, since the locks are not connected to the internet and some older locks require a hardware upgrade, the report says.

In a statement to People, dormakaba said the company published “detailed information about the security vulnerability” on Wednesday, March 20.

“As soon as we were made aware of the vulnerability by a group of external security researchers, we initiated a comprehensive investigation, prioritized developing and rolling out a mitigation solution, and worked to communicate with customers systematically,” the dormakaba statement says.

“We are not aware of any reported instances of this issue being exploited to date,” the statement continues. “Per the principles of responsible disclosure, we are collaborating with the researchers to provide a broader alert to highlight how existing risks with legacy RFID technology are evolving, so that others can take precautionary steps.”

Craig MacCormack is a veteran journalist who joined Security Sales & Integration in June 2023 as web editor. He covered AV, IT and security with SSI’s sister publication, Commercial Integrator, from January 2011 to June 2021.
