Three million Saflok locks can be opened by crooks due to 36-year-old security holes

Via: Unsaflok

Saflok electronic RFID locks from the manufacturer Dormakaba suffer from a series of serious security vulnerabilities that allow hackers to open any door in a property using a relatively easy exploit.

The series of vulnerabilities, ironically dubbed Unsaflok, was discovered and reported to the manufacturer in September 2022, and the security researchers disclosed it publicly only recently, as reported by Security Week. The fix has been available since November 2023; however, roughly two-thirds of all affected locks have yet to be patched.

All locks using the Saflok system are impacted, including – but not limited to – Saflok MT, the Quantum Series, the RT Series, the Saffire Series, and the Confidant Series.

“These are primarily used in hotels where the management software is System 6000 or Ambiance. Some applications in the multifamily housing space which use System 6000 or Community are also affected,” the researchers specified, adding that it is not possible to visually distinguish patched and unpatched locks.

In total, the vulnerability impacts over three million doors across 13,000 properties in 131 countries.

Security researchers demonstrate #Unsaflok vulnerability in dormakaba electric RFID locks.

Video courtesy of @LennertWo, Ian Carroll, @rqu53, @BusesCanFly, @samwcyo, @sshell_ & Will Caruana. pic.twitter.com/TTe71vRj3E

— Martin Hodás (@Hody_MH11) March 22, 2024

The researchers disclosed only limited information on the vulnerability. When combined, the identified weaknesses allow an attacker to unlock all rooms using just a single pair of forged keycards:

“An attacker only needs to read one keycard from the property to perform the attack against any door in the property. This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box.

“Forged keycards can then be created using any MIFARE Classic card, and any commercially available tool capable of writing data to these cards. One pair of forged keycards allows an attacker to open any door in the property.”

Saflok locks from Dormakaba have been on the market since 1988, so the vulnerabilities are now over 36 years old.

Although the researchers are not aware of any real-world attacks using this exploit, it is possible that these vulnerabilities are known to hackers and actively used in the wild.
