Dormakaba Locks Used in Millions of Hotel Rooms Could Be Cracked in Seconds
30.3.24 Hacking The Hacker News
Security vulnerabilities discovered in Dormakaba's Saflok electronic RFID locks used in hotels could be weaponized by threat actors to forge keycards and stealthily slip into locked rooms.
The shortcomings have been collectively named Unsaflok by researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana. They were reported to the Zurich-based company in September 2022.
"When combined, the identified weaknesses allow an attacker to unlock all rooms in a hotel using a single pair of forged keycards," they said.
Full technical specifics about the vulnerabilities have been withheld, considering the potential impact, and are expected to be made public in the future.
The issues impact more than three million hotel locks spread across 13,00 properties in 131 countries. This includes the models Saflok MT, and Quantum, RT, Saffire, and Confidant series devices, which are used in combination with the System 6000, Ambiance, and Community management software.
Dormakaba is estimated to have updated or replaced 36% of the impacted locks as of March 2024 as part of a rollout process that commenced in November 2023. Some of the vulnerable locks have been in use since 1988.
"An attacker only needs to read one keycard from the property to perform the attack against any door in the property," the researchers said. "This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box."
The forged cards can be created using any MIFARE Classic card or any commercially available RFID read-write tools that are capable of writing data to these cards. Alternatively, Proxmark3, Flipper Zero, or even an NFC capable Android phone can be used in place of the cards.
Speaking to WIRED's Andy Greenberg, the researchers said the attack entails reading a certain code from that card and creating a pair of forged keycards using the aforementioned method – one to reprogram the data on the lock and another to open it by cracking Dormakaba's Key Derivation Function (KDF) encryption system.
"Two quick taps and we open the door," Wouters was quoted as saying.
Another crucial step involves reverse engineering the lock programming devices distributed by Dormakaba to hotels and the front desk software for managing keycards, thereby allowing the researchers to spoof a working master key that could be used to unlock any room.
There is currently no confirmed case of exploitation of these issues in the wild, although the researchers don't rule out the possibility that the vulnerabilities have been discovered or used by others.
"It may be possible to detect certain attacks by auditing the lock's entry/exit logs," they added. "Hotel staff can audit this via the HH6 device and look for suspicious entry/exit records. Due to the vulnerability, entry/exit records could be attributed to the wrong keycard or staff member."
The disclosure comes on the back of the discovery of three critical security vulnerabilities in commonly used Electronic Logging Devices (ELDs) in the trucking industry that could be weaponized to enable unauthorized control over vehicle systems and manipulate data and vehicle operations arbitrarily.
Even more concerningly, one of the flaws could pave the way for a self-propagating truck-to-truck worm, potentially leading to widespread disruptions in commercial fleets and leading to severe safety consequences.