Unsaflok
Unsaflok is a series of serious security vulnerabilities in dormakaba’s Saflok electronic RFID locks, commonly used in hotels and multi-family housing environments.
When combined, the identified weaknesses allow an attacker to unlock all rooms in a hotel using a single pair of forged keycards. Over three million hotel locks in 131 countries are affected.
The vulnerabilities were reported to dormakaba in September of 2022 and disclosed in March 2024 by Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana.
Our slides from DEF CON 32, which contain additional technical information about these vulnerabilities, are now available here.
FAQs
What locks are impacted?
The vulnerability impacts over 3 million doors on over 13,000 properties in 131 countries. All locks using the Saflok system are impacted, including (but not limited to) Saflok MT, the Quantum Series, the RT Series, the Saffire Series and the Confidant Series.
These are primarily used in hotels where the management software is System 6000 or Ambiance. Some applications in the multifamily housing space which use System 6000 or Community are also affected.
Saflok MT and Saflok RT Plus (pictured below) are the most common models of impacted locks. Note that while it is possible to visually identify a Saflok lock, it is not possible to visually see if the locks have been patched.
Have the vulnerabilities been fixed?
Dormakaba started working on a fix after they received our vulnerability report, and began upgrading hotels in November of 2023. As of 03/2024, approximately 36% of the impacted locks have been updated or replaced.
Upgrading each hotel is an intensive process. All locks require a software update or have to be replaced. Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and 3rd party integrations (e.g. elevators, parking garages and payment systems) may require additional upgrades.
We are disclosing limited information on the vulnerability now to ensure hotel staff and guests are aware of the potential security concern. It will take an extended period of time for the majority of hotels to be upgraded.
How can I tell if a lock has been updated?
It is not possible to visually tell if a lock has been updated to fix these vulnerabilities. You may be able to tell if a hotel has been through the upgrade process if the guest keycards are using MIFARE Ultralight C cards instead of MIFARE Classic.
The NFC Taginfo app by NXP is available for Android or iOS and can be used to identify the type of keycard.
Note that this information only applies to dormakaba Saflok systems; several other lock manufacturers use MIFARE Classic keycards and are not affected by the Unsaflok vulnerability. Nevertheless, the use of MIFARE Classic in a security sensitive application is not recommended.
Will the deadbolt protect against a forged keycard?
No. Saflok locks can retract the deadbolt from software, and the deadbolt can be overridden by a malicious keycard. In order to deter entry into a room, another physical locking device must be used, such as a chain lock found in many hotels.
What does an attacker need to perform this attack?
An attacker only needs to read one keycard from the property to perform the attack against any door in the property. This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box.
Forged keycards can then be created using any MIFARE Classic card, and any commercially available tool capable of writing data to these cards. One pair of forged keycards allows an attacker to open any door in the property.
Can the attack be carried out using a Flipper Zero or other tools?
Yes, this attack can also be performed using any device that is capable of reading and writing or emulating MIFARE Classic cards. This includes tools like the Proxmark3 and Flipper Zero, but also an NFC capable Android phone.
Is it possible to detect an occurence of this attack?
It may be possible to detect certain attacks by auditing the lock’s entry/exit logs. Hotel staff can audit this via the HH6 device and look for suspicious entry/exit records. Due to the vulnerability, entry/exit records could be attributed to the wrong keycard or staff member.
Has this vulnerability been exploited?
Dormakaba started selling Saflok locks in 1988, which means that vulnerable locks have been in use for over 36 years.
While we are not aware of any real world attacks that use these vulnerabilities, it is not impossible that these vulnerabilities are known, and have been used, by others.
How does Unsaflok relate to the Saflok KDF that was published recently?
Dormakaba uses a Key Derivation Function (KDF) to derive the keys for some of the Saflok MIFARE Classic sectors. This proprietary KDF only uses the card’s Unique IDentifier (UID) as an input.
Knowledge of the KDF allows an attacker to easily read and clone a Saflok MIFARE Classic card. However, the KDF by itself is not sufficient for an attacker to create arbitrary Saflok keycards.
We are aware that this KDF has been reverse engineered by several people over the years, and that it was published recently after we had disclosed our findings to dormakaba.
Are you sharing more technical information or proof of concepts?
We are not planning on sharing a full proof of concept at this time due to the potential impact to hotels and guests. We plan on sharing additional technical details of the vulnerability in the future.
What was the disclosure timeline?
- 08/2022: Our research began on Saflok locks
- 09/2022: We completed a proof of concept exploit and contacted dormakaba
- 10/2022: We had our first meeting with dormakaba about the issues
- 2022 - 2024: During this time we had at least 13 meetings with dormakaba
- 11/2023: First hotels upgraded to resolve vulnerability
- 03/2024: Coordinated disclosure of the vulnerability’s high-level details
How can I contact you?
- You can contact us (the researchers) at [email protected].
- If you are a hotel owner and have questions regarding the upgrade you can contact dormakaba at [email protected].
- For media inquiries dormakaba can be contacted at [email protected].