Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds
The hacking technique lays bare the security vulnerabilities of certain models of Saflok-brand RFID-based keycard locks used in 131 countries worldwide
Getty
A stock image of a keycard lockHackers have discovered a technique that would enable intruders to unlock any of millions of hotel rooms around the world in just seconds.
Ian Carroll and Lennert Wouters, along with a team of other security researchers, have unveiled a hotel keycard hacking method called Unsaflok, which lays bare the series of security vulnerabilities that would allow a hacker to almost instantly unlock certain models of Saflok-brand RFID-based keycard locks sold by Switzerland-based lockmaker Dormakaba, according to Wired.
Saflok keycard systems are installed on roughly 3 million doors worldwide at 13,000 properties in 131 countries, per the outlet.
Related: Why You Should Always Put One Shoe In Your Hotel Safe, According to a Flight Attendant's Viral Video
Carroll and Wouters' technique begins with obtaining any keycard from a target hotel, reading a certain code from that card using an RFID read-write device (easily purchased for $300), and then writing two keycards of their own. When they tap those two cards on a lock, the first one rewrites a piece of the lock's data and the second card opens it, according to Wired.
“Two quick taps and we open the door,” Wouters, a researcher in the Computer Security and Industrial Cryptography group at Belgium's KU Leuven University, told Wired. “And that works on every door in the hotel.”
He and Carroll, an independent security researcher and founder of the travel website Seats.aero, shared their hacking technique with Dormakaba in November 2022. For about a year now, the company has been working to alert hotels that use Saflok of the system's security flaws and help them fix or replace their locks.
For the majority of Saflok systems sold in the past eight years, no hardware replacement is necessary for each individual lock, according to Wired. To fix the issue, hotels only need to update or replace their front desk management system and bring in a technician to manually reprogram each door lock.
Never miss a story — sign up for PEOPLE's free daily newsletter to stay up-to-date on the best of what PEOPLE has to offer, from celebrity news to compelling human interest stories.
However, so far, not much progress has been made in addressing the serious safety issue. Wouters and Carroll told Wired that they were informed by Dormakaba that only 36% of installed Safloks have been updated, as of this month. Dormakaba also told the pair that the full fix will likely take months or longer, especially since the locks are not connected to the internet and some older locks require a hardware upgrade.
Related: Why You Should Tie Your Keys to Your Charging Cable in a Hotel Room, According to This Viral Tiktok
Dormakaba told PEOPLE in a statement that the company published detailed information about the security vulnerability on March 20.
"As soon as we were made aware of the vulnerability by a group of external security researchers, we initiated a comprehensive investigation, prioritized developing and rolling out a mitigation solution, and worked to communicate with customers systematically," the statement said.
"We are not aware of any reported instances of this issue being exploited to date," the statement continued. "Per the principles of responsible disclosure, we are collaborating with the researchers to provide a broader alert to highlight how existing risks with legacy RFID technology are evolving, so that others can take precautionary steps."
In the meantime, Wouters and Carroll say they hope to warn the public about the hacking technique.
“We're trying to find the middle ground of helping Dormakaba to fix it quickly, but also telling the guests about it," Carroll told Wired. “If someone else reverse engineers this today and starts exploiting it before people are aware, that might be an even bigger problem.”
They told the outlet that guests can, in most cases, recognize the vulnerable locks by their distinct design — a round RFID reader featuring a wavy line running through it. If it is a Saflok on their door, guests can verify whether the lock has been updated by checking their keycard with the NFC Taginfo app by NXP. If the lock is made by Dormakaba, and the app indicates that the keycard is still a MIFARE Classic card, it's likely still vulnerable to hacking.
In that situation, Carroll and Wouters advise guests to avoid storing valuables in their room and to bolt the door chain while they're inside. They noted to Wired that the deadbolt is also controlled by the keycard lock so it won't provide an added safeguard.
“If someone locks the deadbolt, they’re still not protected,” Carroll told the outlet.
For more People news, make sure to sign up for our newsletter!
Read the original article on People.
