March 22, 2024 at 01:10PM
Vulnerabilities in Saflok keycard locks, affecting 3 million hotel locks globally, allow intruders to access locked rooms. Exploit requires access to a valid keycard, enabling attackers to create and rewrite data on the lock. Manufacturer is working on a fix, but upgrades are slow. Guests can verify updates with MIFARE card types. Security researchers plan to disclose technical details in the future.
Based on the meeting notes, here are the key takeaways:
1. **Vulnerabilities in Saflok Keycard Locks**: Security researchers have identified significant vulnerabilities in Saflok keycard locks manufactured by dormakaba. These flaws could potentially affect over 3 million hotel locks across 131 countries.
2. **Exploit Details**: The exploit, named “Unsaflok,” requires a keycard from the target property to create two additional keycards, one to rewrite the lock’s data and another to open it. This process could be carried out using commercially available equipment. Additionally, intruders would need to reverse engineer the software used by hotel front desk staff to reprogram keycards to locks.
3. **Manufacturer’s Response**: After being informed of the vulnerabilities in September 2022, dormakaba initiated a fix in November 2023. However, the process of updating or replacing affected locks has been slow, with only 36% of affected locks being upgraded so far.
4. **Widespread System Upgrades**: Upgrading the vulnerable locks is not the only task; hotel software, keycard encoders, and the keycards themselves also need to be updated. The use of MIFARE Ultralight C cards as opposed to MIFARE Classic can indicate if a lock has been updated.
5. **Mitigation Concerns**: Due to fears of widespread exploitation during the upgrade process, full technical details of the vulnerabilities have not been disclosed. This cautious approach is meant to prevent an increase in intrusions while hotels are in the process of upgrading.
6. **Historical Exploitation Potential**: While there is no available evidence of historical intrusion attempts, the vulnerabilities have existed for over 36 years, indicating a potentially long window for exploitation.
7. **Precedents**: The vulnerabilities in Saflok keycard locks are not the first of their kind. Other keycard systems, such as VingCard’s Vision system and Onity locks, have been exploited in the past.
These takeaways provide a clear understanding of the security concerns related to Saflok keycard locks and the efforts being made to address the vulnerabilities.