Hackers reveal a "universal key card" vulnerability that can open millions of hotel rooms around the world in seconds

2024.03.31


Recently, security researchers Ian Carroll, Lennert Wouters and their team disclosed a series of security vulnerabilities, collectively named Unsaflok, in the Saflok brand of RFID key card door locks made by the Swiss lock manufacturer Dormakaba.

The Saflok lock system is widely used by world-renowned hotel operators such as Marriott International, Huazhu Hotel Group, Jinjiang Hotel Group, Hilton Hotel Group and Home Inns Hotel Group. Saflok locks are installed on 3 million doors at 13,000 properties in 131 countries around the world.

A "universal key card" that can open millions of hotel rooms around the world in seconds

The cracking of the Saflok key card lock began at the hacker conference held in Las Vegas in August 2022. At a private event during the conference, a small group of researchers was invited to "legally" hack a Las Vegas hotel room, competing in a suite crowded with laptops and cans of Red Bull to find vulnerabilities in every electronic device in the room, from the television to the bedside VoIP phone.

One group of hackers, Carroll and Wouters' team, focused on the room's door lock, perhaps the most sensitive piece of technology in a hotel room. After more than a year, the team has finally unveiled the result of its research: a technique that can open millions of hotel rooms around the world with just two taps.

Exploiting weaknesses in Dormakaba's encryption scheme and in the underlying MIFARE Classic RFID system, Carroll and Wouters cracked the Saflok key card lock. They need only obtain any key card from the target hotel (by booking a room, or by taking one from a discarded key card box), read the specific codes stored on it with about $300 worth of RFID reading and writing equipment (a Proxmark3, a Flipper Zero or an NFC-enabled Android phone), and then write two key cards of their own. When the two cards are tapped against the lock in turn, the first card rewrites a portion of the lock's stored data and the second card opens it.

"With just two taps, we can open the door," said Wouters, a researcher in the Computer Security and Industrial Cryptography Research Group at the University of Leuven in Belgium. "And this method can be applied to every door in the hotel."

Only 36% of Saflok door locks have vulnerabilities fixed

Wouters and Carroll shared the full technical details of their attack with Dormakaba as early as November 2022. Dormakaba says that since the beginning of 2023 it has been informing hotel customers about the Saflok vulnerabilities and helping them repair or replace vulnerable locks. For most Saflok systems sold within the past eight years, the hardware of each individual lock does not need to be replaced: hotels need only update or replace their front desk management system and have a technician reprogram the locks door by door.

However, Wouters and Carroll said Dormakaba informed them that only 36% of installed Saflok systems had been updated as of this month. Worse, because the locks are not Internet-connected devices and some older locks still require a hardware upgrade, they estimate that a complete fix will take at least several months, and years for some older systems. (Editor: in practice this often means that many locks will never be repaired at all.)

Crack details: Two vulnerabilities are exploited

The Dormakaba lock attack developed by Wouters and Carroll's team exploits two different weaknesses: one that lets them write data to a key card, and another that tells them what data must be written to the card to make a Saflok lock accept it and open.

When analyzing Saflok key cards, the researchers found that they are MIFARE Classic cards, an RFID system with a weakness discovered more than ten years ago that lets an attacker write to the card, although the brute-force step can take up to 20 seconds. They then cracked part of Dormakaba's encryption system, its key derivation function, which let them write to key cards far faster. Using either trick, the researchers could copy Saflok key cards at will, but they still could not produce a "universal key card" that opens every room.

The next and most critical step was to obtain the lock programming device that Dormakaba supplies to hotels (second-hand units can be bought online), together with a copy of the front-desk software used to manage key cards. By reverse engineering the software, they were able to read all the data stored on a card, extract the hotel's property code and the code for each room, and then create their own values and encrypt them with Dormakaba's scheme, producing a forged universal key card that opens any room in the hotel. "Essentially, you can make a key card that looks like it was created by Dormakaba software," Wouters said.

So how did Carroll and Wouters obtain Dormakaba's front-desk software? "We just politely ask people in the industry," Wouters admits. "Also, manufacturers generally think that no one will sell their equipment on eBay and no one will copy their software. But I think everyone knows that these assumptions are self-deception."

Once all the reverse engineering work is complete, the final attack requires only a $300 Proxmark RFID reader and a few blank RFID cards, or an Android phone, or a Flipper Zero radio hacking tool.

The biggest limitation of the technique is that the attacker still needs a key card from the target hotel (even an expired one), because each card carries the hotel's property code, which must be read and copied onto the forged card along with the code for the target room.

How to identify a vulnerable door lock?

The Unsaflok vulnerability affects multiple Saflok models, including the Saflok MT, Quantum series, RT series, Saffire series and Confidant series managed by System 6000 or Ambiance software.

Carroll and Wouters note that hotel guests can often (though not always) recognise a vulnerable lock by the design of its reader area: a round RFID reader with a wavy coil pattern.

[Image: two common vulnerable Saflok lock models (source: unsaflok.com)]

The researchers also suggest that guests who check into a room with a Saflok-brand lock can use NXP's NFC TagInfo app (available for iOS and Android) to inspect their key card and determine whether it has been updated. If the lock is made by Dormakaba and the app shows that the key card is still a MIFARE Classic card, the vulnerability is most likely still present.
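As an added example (not code from the researchers, from Dormakaba or from this article), here is the check a tag-info app performs under the hood: every ISO/IEC 14443-A card answers the reader's anticollision sequence with an ATQA and a SAK byte, and NXP's application note AN10833 decodes the SAK bits into the card family. The reader dump below is constructed, the bit table is reproduced from that note and should be treated as an approximation, and the important caveat is that MIFARE Plus in security level 1 answers identically to MIFARE Classic, so a "Classic" result is strong evidence of an unpatched card rather than proof.

```python
"""Classify an ISO/IEC 14443-A card from its ATQA/SAK answer, the way a
tag-info app decides whether a hotel key card is still MIFARE Classic.

Decoding follows NXP AN10833 (MIFARE type identification procedure).
The reader dump below is constructed for this example, not captured data.
"""
import re

# SAK bit masks as decoded in AN10833 (bit 1 is the least significant bit).
SAK_MINI = 0x01             # bit 1 with bit 4: MIFARE Mini (SAK 0x09)
SAK_UID_INCOMPLETE = 0x04   # bit 3: anticollision cascade not finished yet
SAK_CRYPTO1 = 0x08          # bit 4: MIFARE Classic command set (Crypto-1 auth)
SAK_4K = 0x10               # bit 5: 4K memory variant when bit 4 is set
SAK_ISO14443_4 = 0x20       # bit 6: ISO/IEC 14443-4 (T=CL) supported


def classify_sak(sak: int) -> str:
    """Name the card family that a final SAK byte indicates."""
    if sak & SAK_UID_INCOMPLETE:
        raise ValueError("cascade bit set: anticollision not finished, SAK is not final")
    if sak & SAK_CRYPTO1:
        # MIFARE Plus in security level 1 answers exactly like Classic here,
        # so a Crypto-1 SAK is evidence, not proof, of a real Classic card.
        emulated = " on SmartMX (Classic emulation)" if sak & SAK_ISO14443_4 else ""
        if sak & SAK_4K:
            size = "4K"
        else:
            size = "Mini" if sak & SAK_MINI else "1K"
        return f"MIFARE Classic {size}{emulated}; MIFARE Plus SL1 answers identically"
    if sak & SAK_ISO14443_4:
        return "ISO/IEC 14443-4 card (e.g. MIFARE DESFire, MIFARE Plus SL3)"
    if sak in (0x10, 0x11):
        return "MIFARE Plus SL2"
    return "MIFARE Ultralight / NTAG family"


def uses_crypto1(sak: int) -> bool:
    """True when the card (or the profile it presents) speaks MIFARE Classic."""
    return bool(sak & SAK_CRYPTO1) and not (sak & SAK_UID_INCOMPLETE)


# Assumed dump shape: the tool prints 'ATQA: xx xx' and 'SAK: xx' as hex bytes
# (Proxmark3-style). ATQA byte order is kept exactly as the tool printed it.
_ATQA_RE = re.compile(r"ATQA\s*:\s*([0-9A-Fa-f]{2})\s*([0-9A-Fa-f]{2})")
_SAK_RE = re.compile(r"SAK\s*:\s*([0-9A-Fa-f]{2})")


def parse_reader_output(text: str) -> tuple:
    """Pull (ATQA, SAK) out of a reader dump; raises if either is missing."""
    atqa = _ATQA_RE.search(text)
    sak = _SAK_RE.search(text)
    if not atqa or not sak:
        raise ValueError("no ATQA/SAK pair found in reader output")
    return (int(atqa.group(1) + atqa.group(2), 16), int(sak.group(1), 16))


def assess_key_card(atqa: int, sak: int) -> dict:
    """Turn the anticollision answer into the verdict a hotel guest cares about."""
    crypto1 = uses_crypto1(sak)
    return {
        "atqa": f"{atqa:04X}",
        "sak": f"{sak:02X}",
        "family": classify_sak(sak),
        "crypto1": crypto1,
        "verdict": (
            "still a MIFARE Classic profile: Crypto-1 is broken, treat the lock as unpatched"
            if crypto1 else
            "not a Classic profile: consistent with an upgraded card, but confirm with the hotel"
        ),
    }


# Constructed sample in the shape of a reader dump (hypothetical UID, not real data).
SAMPLE_DUMP = """\
 UID: 1A 2B 3C 4D
ATQA: 00 04
 SAK: 08 [2]
"""

if __name__ == "__main__":
    # The sample dump, then a DESFire-style answer and an Ultralight-style answer.
    for atqa, sak in [parse_reader_output(SAMPLE_DUMP), (0x0344, 0x20), (0x0044, 0x00)]:
        print(assess_key_card(atqa, sak))
```

On Android the same two values are available without any external tool through `android.nfc.tech.NfcA` (`getAtqa()` and `getSak()`), which is what apps like TagInfo build on; a SAK of 0x08 or 0x18 on a Dormakaba-branded door is the signal the researchers describe.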

Security advice: use the door chain

The two researchers advise that if a hotel's key cards are vulnerable, guests should avoid leaving valuables in the room and should fasten the door chain whenever they are inside, because the deadbolt on these locks is also controlled by the key card lock and therefore provides no additional protection.

Even though a large number of hotel rooms around the world have not yet been fully remediated, Wouters and Carroll believe it is better to educate hotel guests about the risk than to lull them into a false sense of security. After all, Saflok systems have been sold for over thirty years, and most or all of the locks sold over those years are probably vulnerable. Although Dormakaba says it has found no evidence that Wouters and Carroll's technique has been used in the past, the researchers note that this does not mean it never happened unnoticed.

"We believe this vulnerability has been around for a long time," Wouters said. "We couldn't have been the first to discover it."

Responsible editor: Hua Xuan. Source: GoUpSec