Millions of hotel doors vulnerable to attack, researchers find


Security researchers have discovered vulnerabilities in dormakaba’s Saflok electronic locks that could allow an attacker to open rooms and residences in a matter of seconds.

Saflok, an electronic RFID (Radio Frequency Identification) lock, is installed on three million doors on over 13,000 properties worldwide, mostly hotels and multi-family housing environments. All Saflok systems are impacted.

The flaws, dubbed Unsaflok, were first discovered and reported to dormakaba in September 2022 and publicly disclosed in March 2024 by Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana. The findings were first reported by Wired.

At the time of writing, not all impacted locks have been updated or replaced. According to the researchers, only 36% of them have been upgraded.

“Upgrading each hotel is an intensive process. All locks require a software update or have to be replaced. Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and 3rd party integrations (e.g. elevators, parking garages and payment systems) may require additional upgrades,” researchers explained.

Because the lion’s share of Saflok locks are still vulnerable, the researchers decided to disclose only limited information about the vulnerability, in order to “ensure that hotel staff and guests are aware of the potential security concern.”

“It will take an extended period of time for the majority of hotels to be upgraded,” they added.

Interestingly, the locks have been for sale since 1988, meaning the vulnerability has existed for 36 years.

“While we are not aware of any real-world attacks that use these vulnerabilities, it is not impossible that these vulnerabilities are known, and have been used, by others,” researchers said.

All an attacker needs is a keycard from the hotel or property they want to target. One can be obtained simply by booking a room or by taking an expired keycard.

The attacker would then forge two keycards using any MIFARE Classic card and any tool capable of writing data onto such cards.

From there, the attacker taps the first card to rewrite a specific part of the lock’s data, then taps the second card to open the door.

Hacking into the Saflok system can be carried out using any device capable of reading, writing, and emulating MIFARE Classic cards, the researchers said.

MIFARE is a brand of RFID card commonly used for access to hotels and apartment complexes.

Tools such as Flipper Zero, Proxmark3 or even an NFC-capable Android phone can be used to exploit this vulnerability.

Cybernews has reached out to dormakaba for comment.