3 million hotel doors worldwide can be opened by hackers

Every year, cybersecurity specialists gather in Las Vegas for two conferences, Black Hat and DefconDefcon. During their stay in the city, they do not hesitate to test the security of the different facilities they encounter. In August 2022, they attacked the card system to access their hotel rooms, and they discovered a very serious flaw that allowed them to open any lock of this type by the same manufacturer.

This concerns more than three million locks, in more than 13,000 establishments in 131 countries, all using the Saflok system. The researchers therefore named their technique to open them Unsaflok. In order to open all these portesportes, they just need to swipe a specially created card to reprogram the lock, and a second to unlock it. And this, even if the locklock manual has been engaged.

Only 36% of hotels have updated their system

To successfully hack a hotel’s system, however, researchers must get their hands on an existing card, even if it is expired. They obtained an encoding box usually distributed only to hotels, and managed to recreate the software to connect to it. This allows them to extract the identifier specific to that establishment, then create the two necessary cards using a Proxmark RFID box. They can then open all the doors in the hotel with these same cards.

Researchers alerted Dormakaba, the maker of Saflok locks, in September 2022, and then worked with the company to find a solution. The firm began rolling out an update in November 2023, but the process is quite long. Each lock must be updated or changed, and the software and card encoder of the lock must be updated. receptionreception, then all the cards must be redone. To date, only 36% of locks have been updated or replaced. For this reason, researchers will not publish details of the flaw until later.