A security vulnerability in Dormakaba’s Saflok electronic locks can be exploited to forge keycards and open doors, security researchers warn.
The issue, named Unsaflok, impacts more than three million locks commonly used in hotels and multi-family housing environments. A total of more than 13,000 locations across 131 countries are likely affected.
Vulnerable lock models include Saflok MT and the Quantum, RT, Saffire, and Confidant series devices, which are used in combination with the System 6000, Ambiance, and Community management software.
According to the security researchers who identified and reported the flaw in September 2022, an attacker could use a keycard from a property where the vulnerable locks are used to forge a keycard and unlock any door on that property.
“This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box. Forged keycards can then be created using any MIFARE Classic card, and any commercially available tool capable of writing data to these cards. One pair of forged keycards allows an attacker to open any door in the property,” the researchers explain.
Any device that can write or emulate MIFARE Classic cards can be used to perform the attack, including an NFC-capable Android phone.
While the researchers refrained from sharing specific information on the bug, Dormakaba reveals that the issue is “associated with both the key derivation algorithm used to generate MIFARE Classic keys and the secondary encryption algorithm used to secure the underlying card data”.
Dormakaba began working on patches shortly after learning of the vulnerability and has started rolling them out in November 2023, but the process is slow and only 36% of affected locks have received the fix to date.
“Upgrading each hotel is an intensive process. All locks require a software update or have to be replaced. Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and 3rd party integrations,” the researchers explain.
While there is no visible difference between patched and unpatched locks, the use of MIFARE Ultralight C cards instead of MIFARE Classic does mean that the hotel has been upgraded.
According to the security researchers, while the vulnerable locks have been commercially available since 1988, they are not aware of real-world attacks exploiting this vulnerability.
To determine whether the vulnerability has been exploited, hotel staff can audit the lock’s entry/exit logs, via the HH6 device.
“We are unaware of any reported instances of this issue being exploited. Still, we strongly recommend all customers not already engaged in scheduled security upgrades address this vulnerability as soon as possible,” Dormakaba notes.
The company has prepared self-diagnosis guidance for its hospitality and multi-family housing customers and encourages them to contact it for additional support in addressing the vulnerability.
Although MIFARE Classic keycards are used by other electronic lock manufacturers as well, the Unsaflok vulnerability only impacts Dormakaba Saflok systems.
SecurityWeek has emailed Dormakaba for a statement on the issue and will update this article as soon as a reply arrives.
Related: Unpatched Sceiner Smart Lock Vulnerabilities Allow Hackers to Open Doors
Related: Aiphone Intercom System Vulnerability Allows Hackers to Open Doors
Related: Nuki Smart Lock Vulnerabilities Allow Hackers to Open Doors
