Security Flaw Could Let Hackers Unlock Millions of Hotel Room Doors Worldwide
Security researchers have identified a security flaw in a popular keycard-powered lock system that can be exploited to easily unlock doors in millions of hotels worldwide.
The flaw, found in RFID-based Saflock keycard lock systems, allows a hacker to clone a hotel’s master keycard to access any room on the property. These lock systems come from the Swiss keycard and lock manufacturer Dormakaba.
The Saflock system has been around for 36 years and is installed in more than 3 million hotels in 131 countries worldwide. According to the researchers Ian Carroll, Lennert Wouters, and their team, all Saflock lock systems are impacted.
First reported on Wired, the flaw was discovered in August 2022, at a private hacking event in Las Vegas. The group of researchers reported their findings to Dormakaba, who started working on the security patch. As of March 2024, only 36% of the impacted locks have been updated or replaced.
“Upgrading each hotel is an intensive process. All locks require a software update or have to be replaced,” the researchers explained. “Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and 3rd party integrations (e.g. elevators, parking garages, and payment systems) may require additional upgrades.”
Although the flaw was discovered in 2022, the extended time needed to upgrade the locks and potential security concerns led the researchers to disclose it, under the name “Unsaflok”, in a public post.
Although the researchers have released only limited technical details, the flaw is relatively easy to exploit. All that a hacker would need is access to any keycard from the property, including expired cards.
By reverse-engineering the hotel’s property code and any room’s lock programming software, the hacker can unlock any room door and retract the deadbolt as well.
The whole process would only cost a few hundred dollars, as any Near Field Communication (NFC)-enabled Android phone or commercial card writing tool like Flipper Zero can be used to forge the keycard.
In the public release of their findings, the researchers noted that it would be difficult for hotel guests and staff to visually identify the vulnerability in any Saflock lock.
Following the publication of the research findings, Dormakaba also released a statement confirming the flaw. They said their investigation did not reveal any instance of this flaw being exploited in the real world.