Researchers disclosed vulnerabilities today that impact 3 million Saflok electronic RFID locks deployed in 13,000 hotels and homes worldwide, allowing the researchers to easily unlock any door in a hotel by forging a pair of keycards.
The series of security flaws, dubbed "Unsaflok," was discovered by researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, shell, and Will Caruana in September 2022.
As first reported by Wired, the researchers were invited to a private hacking event in Las Vegas, where they competed with other teams to find vulnerabilities in a hotel room and all the devices within it.
The team of researchers focused on finding vulnerabilities in the Saflok electronic lock for the hotel room, discovering security flaws that could open any door within the hotel.
The researchers disclosed their findings to manufacturer Dormakaba in November 2022, allowing the vendor to work on mitigations and inform hotels of the security risk without publicizing the issue.
However, the researchers note that the flaws have existed for over 36 years, so while there have been no confirmed cases of exploitation in the wild, the long exposure window increases that possibility.
"While we are not aware of any real-world attacks that use these vulnerabilities, it is not impossible that these vulnerabilities are known, and have been used, by others," explains the Unsaflok team.
Today, the researchers publicly disclosed the Unsaflok vulnerabilities for the first time, warning that they impact almost 3 million doors utilizing the Saflok system.
The Unsaflok flaws
Unsaflok is a series of vulnerabilities that, when chained together, enable an attacker to unlock any room in a property using a pair of forged keycards.
To initiate exploitation, the attacker only needs to read one keycard from the property, which can be the keycard from their own room.
The researchers reverse-engineered Dormakaba's front desk software and a lock programming device, learning how to spoof a working master key that could open any room on the property. To clone the cards, they had to crack Dormakaba's key derivation function.
Forged keycards can be created using any MIFARE Classic card and any commercially available tool capable of writing data to these cards, including Proxmark3, Flipper Zero, and an NFC-capable Android smartphone.
The equipment needed to create the two cards used in the attack costs less than a few hundred USD.
When exploiting the flaws, the first card rewrites the lock's data and the second opens the lock, as demonstrated in the video below.
The researchers have not provided any further technical details at this time to give time for the various properties to upgrade their systems.
A wide impact
The Unsaflok flaws impact multiple Saflok models, including the Saflok MT, the Quantum Series, the RT Series, the Saffire Series, and the Confidant Series, managed by the System 6000 or Ambiance software.
The affected models are used in three million doors on 13,000 properties in 131 countries, and while the manufacturer is actively working to mitigate the flaw, the process is complicated and time-consuming.
The researchers say that Dormakaba started replacing/upgrading impacted locks in November 2023, a process that also requires reissuing all keycards and upgrading the card encoders. As of March 2024, 64% of the locks remain vulnerable.
"We are disclosing limited information on the vulnerability now to ensure hotel staff and guests are aware of the potential security concern," reads the post by the researchers.
"It will take an extended period of time for the majority of hotels to be upgraded."
It is further noted that malicious keycards can override the deadbolt, so that security measure isn't enough to prevent unauthorized entry.
Hotel staff might be able to detect occurrences of active exploitation by auditing the lock's entry/exit logs. However, that data may still be insufficient to detect unauthorized access accurately.
Guests can determine whether the locks on their rooms are vulnerable by using the NFC TagInfo app (Android, iOS) to check their keycard type from their phone. A MIFARE Classic keycard indicates the lock is likely vulnerable.
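The keycard-type check above can also be done from any reader that reports the card's SAK byte. The following is an added example, not code from the article or from the Unsaflok researchers: it applies NXP's MIFARE type identification bits to the SAK to flag cards on the MIFARE Classic platform (the screening heuristic the article gives), and the readings and room labels in it are constructed.

```python
# Added example: screen keycards by their SAK byte for the MIFARE Classic
# platform that the article names as the likely-vulnerable indicator.
# Bit meanings follow NXP's MIFARE type identification procedure (AN10833).
# All sample readings and room labels below are constructed.

SAK_UID_INCOMPLETE = 0x04   # cascade bit: anticollision not finished yet
SAK_CLASSIC        = 0x08   # set -> MIFARE Classic command set
SAK_CLASSIC_4K     = 0x10   # with SAK_CLASSIC: 4K when set, 1K when clear
SAK_ISO14443_4     = 0x20   # ISO/IEC 14443-4 capable (DESFire, Plus SL3, ...)


def classify_sak(sak: int) -> dict:
    """Classify a final SAK byte. 'likely_classic' is the screening verdict:
    True when the card speaks the MIFARE Classic protocol. A MIFARE Plus card
    in its Classic-compatible security level reports the same SAK, so this is
    a heuristic, exactly as the article describes."""
    if not 0 <= sak <= 0xFF:
        raise ValueError("SAK is a single byte")
    if sak & SAK_UID_INCOMPLETE:
        # The reader has not completed the UID cascade; no verdict yet.
        return {"family": "incomplete (cascade)", "likely_classic": None}
    classic = bool(sak & SAK_CLASSIC)
    iso4 = bool(sak & SAK_ISO14443_4)
    if classic and not iso4:
        size = "4K" if sak & SAK_CLASSIC_4K else "1K"
        family = f"MIFARE Classic {size} (or Plus in Classic-compatible mode)"
    elif classic and iso4:
        family = "ISO 14443-4 card with MIFARE Classic emulation"
    elif iso4:
        family = "ISO 14443-4 card (e.g. DESFire / Plus SL3)"
    else:
        family = "MIFARE Ultralight family"
    return {"family": family, "likely_classic": classic}


def screen_keycards(readings):
    """readings: iterable of (label, sak). Returns the labels whose cards
    should be treated as likely on a legacy Classic-based lock system."""
    return [label for label, sak in readings
            if classify_sak(sak)["likely_classic"]]


if __name__ == "__main__":
    # Constructed sample: three guest cards read with a phone app.
    sample = [("room-1204", 0x08), ("room-0311", 0x20), ("room-0802", 0x00)]
    for label, sak in sample:
        print(label, classify_sak(sak))
    print("likely Classic:", screen_keycards(sample))
```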
The researchers promised to share the full details of the Unsaflok attack in the future when the remediation effort reaches satisfactory levels.
Update 3/22 - Dormakaba shared the following statement with BleepingComputer:
On March 21, 2024, dormakaba published information regarding a security vulnerability associated with both the key derivation algorithm used to generate MIFARE Classic® keys and the secondary encryption algorithm used to secure the underlying card data. This vulnerability affects Saflok systems (System 6000™, Ambiance™, and Community™).
As soon as we were made aware of the vulnerability by a group of external security researchers, we initiated a comprehensive investigation, prioritized developing and rolling out a mitigation solution, and worked to communicate with customers systematically. We are not aware of any reported instances of this issue being exploited to date.
Per the principles of responsible disclosure, we are collaborating with the researchers to provide a broader alert to highlight how existing risks with legacy RFID technology are evolving, so that others can take precautionary steps.