
Saflok Lock Vulnerability Can Be Exploited to Open Millions of Doors

A vulnerability in Dormakaba’s Saflok electronic locks allows hackers to forge keycards and open millions of doors.


A security vulnerability in Dormakaba’s Saflok electronic locks can be exploited to forge keycards and open doors, security researchers warn.

The issue, named Unsaflok, impacts more than three million locks commonly used in hotels and multi-family housing environments. A total of more than 13,000 locations across 131 countries are likely affected.

Vulnerable lock models include Saflok MT and the Quantum, RT, Saffire, and Confidant series devices, which are used in combination with the System 6000, Ambiance, and Community management software.

According to the security researchers who identified and reported the flaw in September 2022, an attacker could take any keycard issued by a property that uses the vulnerable locks and use it to forge a keycard that unlocks any door on that property.

“This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box. Forged keycards can then be created using any MIFARE Classic card, and any commercially available tool capable of writing data to these cards. One pair of forged keycards allows an attacker to open any door in the property,” the researchers explain.

Any device that can write or emulate MIFARE Classic cards can be used to perform the attack, including an NFC-capable Android phone.

While the researchers refrained from sharing specific information on the bug, Dormakaba reveals that the issue is “associated with both the key derivation algorithm used to generate MIFARE Classic keys and the secondary encryption algorithm used to secure the underlying card data”.

Dormakaba began working on patches shortly after learning of the vulnerability and started rolling them out in November 2023, but the process is slow and only 36% of affected locks have received the fix to date.


“Upgrading each hotel is an intensive process. All locks require a software update or have to be replaced. Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and 3rd party integrations,” the researchers explain.

While there is no visible difference between patched and unpatched locks, a property that issues MIFARE Ultralight C keycards instead of MIFARE Classic ones has been upgraded.

According to the security researchers, the vulnerable locks have been commercially available since 1988, but the researchers are not aware of any real-world attacks exploiting this vulnerability.

To determine whether the vulnerability has been exploited, hotel staff can audit the lock’s entry/exit logs via the HH6 device.
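As an added illustration of the kind of review such an audit enables (this is not code from the article, the researchers, or Dormakaba), the log format below is a constructed placeholder rather than the HH6's real export format, and the credential, door and expiry fields are assumptions. The check flags the two patterns the article describes: a credential opening doors other than the one it was issued for, and an expired card still being used.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed placeholder format (assumption, not the real HH6 export):
# "<ISO timestamp>,<door opened>,<credential id>,<assigned door>,<expiry>"
SAMPLE_LOG = """\
2024-03-20T09:02:11,ROOM-214,C1001,ROOM-214,2024-03-22T11:00:00
2024-03-20T09:40:05,ROOM-214,C1001,ROOM-214,2024-03-22T11:00:00
2024-03-20T21:15:30,ROOM-310,C1001,ROOM-214,2024-03-22T11:00:00
2024-03-20T21:16:02,ROOM-311,C1001,ROOM-214,2024-03-22T11:00:00
2024-03-21T02:05:44,ROOM-118,C0877,ROOM-118,2024-03-19T11:00:00
"""


@dataclass
class Entry:
    when: datetime
    door: str
    cred: str
    assigned: str
    expires: datetime


def parse_log(text: str) -> list[Entry]:
    """Parse the constructed CSV-style audit export into Entry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, door, cred, assigned, expires = line.split(",")
        entries.append(Entry(datetime.fromisoformat(when), door, cred,
                             assigned, datetime.fromisoformat(expires)))
    return entries


def find_suspicious(entries: list[Entry]) -> dict[str, list[str]]:
    """Map each credential to the reasons it deserves a manual review.

    A guest card opening a door it was not issued for, or a card being
    used after checkout, are the traces a forged or reused keycard leaves
    in the lock's own event log.
    """
    findings: dict[str, list[str]] = {}
    for e in sorted(entries, key=lambda x: x.when):
        if e.door != e.assigned:
            findings.setdefault(e.cred, []).append(
                f"{e.when.isoformat()} opened {e.door}, assigned to {e.assigned}")
        if e.when > e.expires:
            findings.setdefault(e.cred, []).append(
                f"{e.when.isoformat()} used at {e.door} after expiry {e.expires.isoformat()}")
    return findings
```

A credential such as C1001 that opens several rooms in quick succession is exactly the pattern a forged card capable of opening any door would produce.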

“We are unaware of any reported instances of this issue being exploited. Still, we strongly recommend all customers not already engaged in scheduled security upgrades address this vulnerability as soon as possible,” Dormakaba notes.

The company has prepared self-diagnosis guidance for its hospitality and multi-family housing customers and encourages them to contact it for additional support in addressing the vulnerability.

Although MIFARE Classic keycards are used by other electronic lock manufacturers as well, the Unsaflok vulnerability only impacts Dormakaba Saflok systems.

SecurityWeek has emailed Dormakaba for a statement on the issue and will update this article as soon as a reply arrives.

Related: Unpatched Sceiner Smart Lock Vulnerabilities Allow Hackers to Open Doors

Related: Aiphone Intercom System Vulnerability Allows Hackers to Open Doors

Related: Nuki Smart Lock Vulnerabilities Allow Hackers to Open Doors

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
