Around 3 million doors protected by popular keycard locks are thought to be vulnerable to security flaws that allow miscreants to quickly slip into locked rooms.

Security researchers developed an exploit that applies to various Saflok keycard locks made by Swiss security company dormakaba, ones that are prevalent in hotels around the world, as well as properties of multiple occupancy.

The researchers who worked on the exploit, dubbed "Unsaflok," said more than 3 million hotel locks across 131 countries are affected.

Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana reported the vulnerabilities to dormakaba in September 2022 and disclosed them this week.

Saflok MT and Saflok RT Plus are the most common models people may have encountered on their travels, although all locks using the Saflok system are vulnerable - these include door locks, and the keycard readers used in elevators and parking garages.

A keycard from the property an intruder wants to break into is required to pull off the attack. This could be a valid card such as one issued to the intruder's own hotel room, or even an expired one swiped from the express checkout deposit bin.

From there, two cards would need to be created - one to rewrite the data on the lock and another to open it, the researchers explained to Wired. This could all be done using commercially available equipment, including a Flipper Zero or even an NFC-capable Android phone, and a few MIFARE Classic cards.

It would also require the intruders to reverse engineer the software used by hotel front desk staff to reprogram keycards to locks. Hotels that use these locks, of which there are more than 13,000 around the world, typically use System 6000 or Ambience for the management of keycards, researchers said. 

El Reg asked dormakaba to comment, and we'll add that in if we hear back. According to the researchers' writeup on Unsaflok, the manufacturer started working on a fix in November 2023, more than a year after the vulnerabilities were discovered.

That fix has now been developed, but apparently the process of getting these locks updated, or in some cases replaced entirely, is a bit of a chore. That's illustrated by the rate of upgrades so far, which stands at just 36 percent of all affected locks.

It's not just the door locks that need upgrading - the hotel software also needs upgrading, as do the keycard encoders, and the keycards themselves. The researchers said the keycards may actually be a giveaway to anyone wanting to know if their lock is free from forgeries.

"It is not possible to visually tell if a lock has been updated to fix these vulnerabilities," they said. "You may be able to tell if a hotel has been through the upgrade process if the guest keycards are using MIFARE Ultralight C cards instead of MIFARE Classic."

NFC reader apps available on Android and iOS can present this kind of data, and well-informed front desk staff may be able to let guests know too.

"Note that this information only applies to dormakaba Saflok systems; several other lock manufacturers use MIFARE Classic keycards and are not affected by the Unsaflok vulnerability. Nevertheless, the use of MIFARE Classic in a security-sensitive application is not recommended."

There's no available evidence to suggest that these locks have been bypassed in historical intrusion attempts, however, the vulnerabilities have been present in Saflok systems for more than 36 years … so that's a pretty long window in which they could have been exploited before.

While it is possible to detect for unauthorized intrusions by auditing each lock's entry and exit logs, the researchers said due to the nature of the vulnerability, these logs could be misattributed to a different keycard or even a staff member.

Full details of the vulnerabilities, which are chained together to forge these keycards, haven't been revealed yet and won't be for some time out of fears that an explosion in intrusions will take place while hotels upgrade.

"We are not planning on sharing a full proof of concept at this time due to the potential impact to hotels and guests," the researchers said. "We plan on sharing additional technical details of the vulnerability in the future."

Unsaflok certainly isn't a first-of-its-kind type of exploit, as other security whizzes have broken into other keycard systems before.

Back in 2018, before its enterprise arm split off to WithSecure, F-Secure publicized exploitable flaws in VingCard's Vision system, which is also used to secure millions of rooms worldwide, although only a small proportion of these were thought to be exploitable.

Going back to 2012, researchers demonstrated a way to break into Onity locks too during that year's Black Hat event - the same event that saw Unsaflok flaunted in 2022, albeit behind the closed doors of a private security competition to which the researchers were invited. ®

https://www.theregister.com//2024/03/22/tap_and_go_straight_to/