March 21, 2024 at 02:19PM
Researchers discovered a series of vulnerabilities, called “Unsaflok,” in Saflok electronic RFID locks deployed in 13,000 properties worldwide, impacting 3 million doors. The flaws allow attackers to unlock any door using forged keycards, posing a serious security risk. Dormakaba is working on mitigations, but the process is complex and time-consuming.
The “Unsaflok” disclosure covers vulnerabilities impacting 3 million Saflok electronic RFID locks used in 13,000 properties globally. The vulnerabilities, discovered by a team of researchers, could allow the unlocking of any door in a hotel with a forged pair of keycards. The vulnerabilities have existed for over 36 years, and although there have been no confirmed cases of exploitation, the extensive exposure period increases the possibility of such incidents. The researchers disclosed their findings to the manufacturer, Dormakaba, but have now publicly released the details.
The “Unsaflok” vulnerabilities allow attackers to unlock any room in a property using a pair of forged keycards; the attack relies on reverse-engineering Dormakaba’s front desk software to spoof a working master key. The impacted models are used in three million doors across 131 countries. While Dormakaba has started replacing or upgrading impacted locks, as of March 2024, 64% of the locks remain vulnerable. Guests and hotel staff are provided with ways to check if their locks are vulnerable.
The full details of the attack will be shared in the future, once the remediation effort reaches satisfactory levels.