How to open millions of hotel keycard locks

Researchers recently disclosed a significant security flaw in Dormakaba's Saflok electronic RFID locks, which are popular with hotels. It could allow a hacker to clone a hotel's keycard to access any room in the building. It is unclear whether hackers are actively exploiting the vulnerability.

The exploit affects Saflok MT, Quantum Series, RT Series, Saffire Series, Confidant Series, and all other Saflok locks. Saflok MT and RT (pictured below) are the most common. Most hotels that use the impacted locks employ either System 6000, Ambiance, or Community management software.

Using the exploit requires a genuine MIFARE Classic keycard – active or expired – and any device that can write data to a card. Some examples of devices that can hack an NFC card include Flipper Zero, Prixmark3, and any NFC-equipped Android phone. A single fake card can unlock any door in the hotel that produced the original. It can also override deadbolts, so a chain lock is likely required to stop an intruder.

The only way to check if someone has used a forged keycard is to look at the lock's entry/exit logs using an HH6 device. Still, it's difficult to tell if a suspicious entry was from a tenant using the wrong card or a staff member unlocking a door.

The researchers initially developed the method during a 2022 Las Vegas hacking conference and immediately informed Dormakaba. The company devised a fix but has only patched or replaced 36 percent of the affected locks.

Updated locks are visually indistinguishable from vulnerable ones. However, any hotel using Saflok systems with MIFARE Ultralight C cards has likely completed the upgrade. Worried travelers can easily identify keycard types using NXP's NFC Taginfo app, which is available on iOS and Android.

Addressing the problem in every affected building worldwide is difficult, if not impossible. The process requires updating or replacing the locks, management software, cards, keycard encoders, and integrated third-party devices like elevators, garage doors, and payment systems – a daunting challenge at best.

The researchers haven't published all the details on the vulnerability yet but plan to release more. The exploit likely isn't in the wild. However, the impacted locks have been in circulation since 1988, so someone else could have theoretically devised a similar hack at any point over the last three-and-a-half decades.

Update: dormakaba's PR team contacted us and asked us to publish the following statement (slightly edited for brevity):

"As soon as we were made aware of the vulnerability by a group of external security researchers, we initiated a comprehensive investigation, prioritized developing and rolling out a mitigation solution, and worked to communicate with customers systematically.

We are not aware of any reported instances of this issue being exploited to date. Per the principles of responsible disclosure, we are collaborating with the researchers to provide a broader alert to highlight how existing risks with legacy RFID technology are evolving, so that others can take precautionary steps. We appreciate the responsible disclosure and collaborative approach taken by the researchers who have shared our goal of protecting users and strengthening security technology throughout this process."