A group of researchers presented the result of an investigation that lasted over a year and a half, demonstrating the existence of some vulnerabilities that allow open hotel rooms of half the world, with two simple steps. The technique, baptized Unsaflokis described in detail by the experts Ian Carroll and Lennert Wouters who underline its seriousness.
Various models are being targeted locks based on RFID installed, globally on 3 million doors worldwide, within 13,000 properties in 131 different countries.
By exploiting the weaknesses of the cryptographic solution in use and of the underlying RFID system, known as MIFARE Classican attacker can open any Saflock brand lock quite easily.
Locks of hotels and accommodation facilities at risk with Unsaflok
Carroll and Wouters explain that the attack begins by recovering any electronic key from a “target” hotel, for example, by booking a room or taking it from a box of used keys. At this point an attacker can read the code contained in the card using a security device read-write RFID 300 dollars and finally by preparing two “ad hoc” cards yourself. By bringing the first key closer to the lock, the first overwrites part of the data stored on the lock side while the second opens the door.
The two experts say they shared the technical details of their discovery with Dormakaba, the Swiss company that markets Saflock locks, as early as November 2022.
For its part, Dormakaba says it has been working since the beginning of last year to inform hotels that use Saflok and help properties fix vulnerable locks. For many of the Saflok systems sold in the last eight years, a hardware replacement is not necessary. Instead, accommodation facilities are called upon to update or replace the management system used in reception and therefore carry out a reprogramming quick release of each lock, door by door.
Currently, Carroll and Wouters reveal, only 36% of installed Saflok devices have been updated. Since the locks are not connected to the internet and some older models still require a hardware update, the full fix will likely take several more months to roll out. In the most optimistic hypothesis. Some older installations may even remain vulnerable for years.
The vulnerabilities identified in hotel keys, in more depth
The technique for hack locks of Dormakaba involves two distinct types of vulnerabilities. The first allows a potential attacker to write arbitrary keys while the other gives the opportunity to establish exactly which data to write on the RFID electronic cards to “trick” the Saflok lock into opening.
MIFARE Classic vulnerabilities have been known for a decade now and are known to allow attackers to write on the keyswith a process of brute forcing which can take up to 20 seconds to complete successfully.
The Carroll-Wouters duo therefore violated a part of the Dormakaba cryptographic system, namely the so-called key derivation: this “forcing” allowed them to write on the cards much faster.
Upon obtaining one of the devices lock programming that Dormakaba distributes to hotels, as well as a copy of the software used at the reception for key management, the researchers carried out a reverse engineering of the application, managing to understand all the data stored on the cards, extract a code belonging to the hotel and a code for each individual room.
Creation of a master key, valid for all rooms of an entire structure
In the end, Carroll-Wouters created a master key functioning capable of opening any room in the structure. “You can prepare a passepartout card that actually looks like it was created by Dormakaba’s software“Wouters said.
Once all the work is completed reverse engineeringas mentioned in the introduction, an attacker simply needs to use a Proxmark RFID reader-writer, a couple of blank RFID cards, an Android phone, or a hacking tool like Flipper Zero.
The researchers conclude that the vulnerability has existed for a long time, that it is unlikely that they were the first to identify it and that therefore there is a high probability that it could have been used in the past by others.
The opening image is from the Unsaflock page.