Details of The Story
As reported by Bleeping Computer, a significant security vulnerability has been revealed, putting at risk nearly 3 million doors across 13,000 hotels and residences that rely on Saflok electronic RFID locks. This disclosure, now referred to as “Unsaflok,” could potentially allow individuals to unlock any door within these facilities by crafting a duo of counterfeit keycards.
Their discovery occurred during a private hacking convention in Las Vegas, aimed at identifying security weaknesses within hotel room environments. It was there that the Saflok electronic lock vulnerability was discovered, revealing that with specific knowledge and tools, one could access any room within a facility.
Upon their discovery, the team promptly informed Dormakaba, the manufacturer of the Saflok locks, in November 2022, facilitating an effort towards developing security mitigations and informing affected properties discreetly.
The gravity of this situation is underscored by the acknowledgment that these vulnerabilities have been present for over 36 years, raising concerns about the potential for past exploitation, despite no confirmed incidents.
Unsaflok comprises a series of exploits that allow for the creation of counterfeit keycards, requiring just a single authentic keycard from the property to initiate the process. By reverse-engineering the associated software and hardware, the researchers demonstrated the ability to produce a master key capable of accessing any room, using readily available tools and at a low cost.
Despite efforts by Dormakaba to address these issues, starting in November 2023, the process of upgrading or replacing the affected locks, along with issuing new keycards and updating encoders, is both complex and lengthy. As of March 2024, a significant portion of the locks remains vulnerable, highlighting the ongoing risk and the necessity for expedited corrective measures.
The decision to publicly disclose these vulnerabilities was driven by the desire to raise awareness among hotel staff and guests about the potential security risks. The researchers emphasize the need for the monitoring and auditing of lock access logs as a means of detecting possible unauthorized entries, although they also note the limitations of such measures in definitively preventing or identifying breaches.
In order to avoid vulnerabilities like this, organizations should consider physical penetration testing, which is a critical, and often overlooked, component of a comprehensive security strategy, particularly for uncovering vulnerabilities that could allow unauthorized access to facilities or sensitive information. For companies relying on systems similar to the Saflok electronic locks, such testing is invaluable. In order to identify vulnerabilities like these we strongly encourage you to look into our own Physical Penetration Testing Services.
