Security Vulnerability in Saflok’s RFID-Based Keycard Locks

It’s pretty devastating:

Today, Ian Carroll, Lennert Wouters, and a team of other security researchers are revealing a hotel keycard hacking technique they call Unsaflok. The technique is a collection of security vulnerabilities that would allow a hacker to almost instantly open several models of Saflok-brand RFID-based keycard locks sold by the Swiss lock maker Dormakaba. The Saflok systems are installed on 3 million doors worldwide, inside 13,000 properties in 131 countries. By exploiting weaknesses in both Dormakaba’s encryption and the underlying RFID system Dormakaba uses, known as MIFARE Classic, Carroll and Wouters have demonstrated just how easily they can open a Saflok keycard lock. Their technique starts with obtaining any keycard from a target hotel—say, by booking a room there or grabbing a keycard out of a box of used ones—then reading a certain code from that card with a $300 RFID read-write device, and finally writing two keycards of their own. When they merely tap those two cards on a lock, the first rewrites a certain piece of the lock’s data, and the second opens it.

Dormakaba says that it’s been working since early last year to make hotels that use Saflok aware of their security flaws and to help them fix or replace the vulnerable locks. For many of the Saflok systems sold in the last eight years, there’s no hardware replacement necessary for each individual lock. Instead, hotels will only need to update or replace the front desk management system and have a technician carry out a relatively quick reprogramming of each lock, door by door. Wouters and Carroll say they were nonetheless told by Dormakaba that, as of this month, only 36 percent of installed Safloks have been updated. Given that the locks aren’t connected to the internet and some older locks will still need a hardware upgrade, they say the full fix will still likely take months longer to roll out, at the very least. Some older installations may take years.

If ever. My guess is that for many locks, this is a permanent vulnerability.
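The post names MIFARE Classic as the weak RFID layer under Saflok. Below is an added example, not code from the post, from Dormakaba or from the Unsaflok researchers, and it does not reproduce their attack (the post gives no card layout or key derivation, and none is assumed here). It is the sanity check a practitioner runs on a dump of a MIFARE Classic 1K card: verify each sector trailer's inverted access-bit nibbles, decode the per-block access conditions using the layout from the NXP datasheet, and flag sectors that still use widely published default keys or whose access bytes let key B be read, and data be written, with key A. The sample dump, its UID and the custom keys in it are constructed for the example.

```python
"""Auditing a MIFARE Classic 1K dump for weak sector configuration.

Added example, not code from the original post, from Dormakaba or from the
Unsaflok researchers. Parses a constructed 1K dump (16 sectors x 4 blocks x
16 bytes), checks the inverted-nibble integrity of each sector trailer, decodes
per-block access conditions (NXP MF1S50 datasheet layout), and flags sectors
with published default keys or with key B / data exposed to key A.
"""
from typing import Dict, List, Tuple

BLOCK_LEN = 16
BLOCKS_PER_SECTOR = 4
SECTORS = 16

# Excerpt of default keys published by NXP and shipped with common tooling.
DEFAULT_KEYS = {
    bytes.fromhex(k) for k in (
        "ffffffffffff", "000000000000", "a0a1a2a3a4a5",
        "b0b1b2b3b4b5", "d3f7d3f7d3f7", "aabbccddeeff",
    )
}

TRANSPORT_ACCESS = bytes.fromhex("ff0780")  # factory access bytes (user byte 0x69 follows)

# Trailer conditions (C1, C2, C3) under which key B is readable with key A.
KEYB_READ_WITH_KEYA = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}
# Data-block condition under which key A may write the block.
DATA_WRITE_WITH_KEYA = (0, 0, 0)


def access_bits(trailer: bytes) -> List[Tuple[int, int, int]]:
    """Decode (C1, C2, C3) for blocks 0..3 from trailer bytes 6..8.

    Byte 6 = ~C2 | ~C1, byte 7 = C1 | ~C3, byte 8 = C3 | C2 (high | low nibble).
    A nibble that disagrees with its inverted copy means a corrupt or
    deliberately malformed trailer; readers treat such a sector as unusable.
    """
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    if ((b6 & 0xF) != (~c1 & 0xF) or (b6 >> 4) != (~c2 & 0xF)
            or (b7 & 0xF) != (~c3 & 0xF)):
        raise ValueError("access-bit integrity check failed: " + trailer[6:9].hex())
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1)
            for i in range(BLOCKS_PER_SECTOR)]


def audit_dump(dump: bytes) -> List[Dict[str, object]]:
    """Return one finding dict per sector of a 1K dump."""
    if len(dump) != SECTORS * BLOCKS_PER_SECTOR * BLOCK_LEN:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    findings = []
    for s in range(SECTORS):
        base = s * BLOCKS_PER_SECTOR * BLOCK_LEN
        trailer = dump[base + 3 * BLOCK_LEN: base + 4 * BLOCK_LEN]
        key_a, key_b = trailer[:6], trailer[10:16]
        try:
            conds = access_bits(trailer)
            integrity_ok = True
        except ValueError:
            conds, integrity_ok = [], False
        findings.append({
            "sector": s,
            "key_a": key_a.hex(), "key_b": key_b.hex(),
            "default_key_a": key_a in DEFAULT_KEYS,
            "default_key_b": key_b in DEFAULT_KEYS,
            "integrity_ok": integrity_ok,
            "transport_config": trailer[6:9] == TRANSPORT_ACCESS,
            "key_b_readable_with_key_a": bool(conds) and conds[3] in KEYB_READ_WITH_KEYA,
            "data_writable_with_key_a": any(c == DATA_WRITE_WITH_KEYA for c in conds[:3]),
        })
    return findings


def make_dump(trailers: Dict[int, bytes], uid: bytes = bytes.fromhex("04a1b2c3")) -> bytes:
    """Build a constructed 1K dump: block 0 holds the UID and its BCC, data
    blocks are zero, each trailer comes from `trailers` or the factory default."""
    factory = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    out = bytearray(SECTORS * BLOCKS_PER_SECTOR * BLOCK_LEN)
    out[0:4] = uid
    out[4] = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]  # BCC over the 4-byte UID
    for s in range(SECTORS):
        t = trailers.get(s, factory)
        assert len(t) == BLOCK_LEN
        out[(s * 4 + 3) * BLOCK_LEN:(s * 4 + 4) * BLOCK_LEN] = t
    return bytes(out)


# Constructed sample: sector 1 uses published default keys but a "read-only
# data, key B writes" trailer (78 77 88); sector 2 has custom keys yet keeps the
# factory access bytes, so key B and every data block are exposed to key A.
SAMPLE_DUMP = make_dump({
    1: bytes.fromhex("a0a1a2a3a4a5" "78778869" "b0b1b2b3b4b5"),
    2: bytes.fromhex("1e3f5a7c9bd0" "ff078069" "2f4a6c8e0b1d"),
})

if __name__ == "__main__":
    for f in audit_dump(SAMPLE_DUMP):
        if f["default_key_a"] or f["default_key_b"] or f["key_b_readable_with_key_a"]:
            print(f)
```

Reading the card in the first place needs a reader (the $300 read-write device mentioned above, or any PC/SC or libnfc reader); the audit itself runs offline on the 1024-byte dump. What the check cannot tell you is just as important: a sector with non-default keys and tight access bits is still protected only by Crypto1, which is what the MIFARE Classic attacks the commenters refer to break.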

Posted on March 27, 2024 at 7:01 AM • 23 Comments

Comments

Robin March 27, 2024 9:27 AM

In the old days I used to carry a couple of rubber door wedges with me when I travelled and stuck them under the door before sleeping. Looks like I’ll dig them out again.

Uthor March 27, 2024 10:17 AM

@Robin,
I don’t stay in many hotels, but all the ones I’ve been in have a mechanical latch you can flip over the door to prevent it from opening completely (seems to be designed to let you crack open the door to see/speak with someone on the other side).

Nanette March 27, 2024 11:11 AM

It should be noted that these are room-door locks—not safe-door locks, as the name “Saflok” might make one think. The Wired article is clear about this, but Bruce’s post and the Unsaflok site’s text are not (though the Unsaflok images should make it obvious). And, of course, “smart” safe locks had at least one similarly devastating attack some years ago; at that time, it was noted that any would-be thief would first have to find their way into the room…

Clive Robinson March 27, 2024 11:41 AM

@ Bruce, ALL,

There is very little actually new about this attack.

Put simply the attack described on the lock system rather than the encryption is the same as would have worked back in the 1980’s.

In reality what has happened is the designers of the lock have “bolted on encryption” that, as it’s so weak, got attacked:

“By exploiting weaknesses in both Dormakaba’s encryption and the underlying RFID system Dormakaba uses, known as MIFARE Classic”

If you look up “MIFARE Classic” you will find out it’s been repeatedly successfully attacked in the past.

However it is “dirt cheap” where it counts thus very attractive to the “Entertainment Industry” where “Key Cards” are not seen as security items but “consumables” like the chocolate on the pillow or sachet of shampoo in the bathroom.

Back in the 1980’s the locks had no encryption, used mag stripe cards and had a modified serial port underneath for “programming”.

Here they’ve been able to get rid of the programming port by using the RFID port instead. As this comes with “encryption” as standard they probably just followed an application note from Philips, later NXP.

As for “their own encryption” I’ve not looked at it. But I’m assuming it’s a “roll your own” system of some form thus why it’s apparently been trivially broken.

But also these locks are “battery powered” and secure encryption costs in terms of energy for CPU cycles or additional hardware. Thus the designers would have been looking more at minimising energy requirement than “high security”.

It’s the way the entertainment industry works: fake gold plate on the bath taps, etc.

EY March 27, 2024 12:52 PM

I agree that this will be a permanent vulnerability. I stayed in a hotel close to work in January. The lock on our door refused to open a few times. We reported the problem and were moved to another room.

Another office trip in early March and I get the same room with the same lock. It was less cranky this time, so I didn’t ask for a change. I did let the manager know about the previous experience and that while it was better on this trip, it wasn’t fully fixed. Her response was “as expensive as the locks are, there’s just not much we can do”.

If this hotel hesitates to replace a lock that won’t let customers into their room, I don’t see them jumping to replace one that could be hacked. Sad–that’s the closest hotel to my office, it’s super convenient to amenities, quiet, and clean. Sigh.

Mike March 27, 2024 12:58 PM

Flipper Zero implementation available in 3..2..1

Actually I’m surprised they didn’t use a Flipper Zero. I think it supports MIFARE cards.

Nanette March 27, 2024 2:06 PM

Wannabe techguy, I don’t understand what you mean by your comment. Keycards are often encoded to operate multiple locks—the guest-room-door lock, of course, but also often the door locks for the pool and gym, and perhaps an in-room safe. These all have quite different security models.

bcs March 27, 2024 3:05 PM

I wonder if the same vulnerability could be used to close the hole? Can you reprogram the lock on your own room enough that nobody else can gain access the same way?

Sure you will PO management and housekeeping, but for some people that might be a way lower risk than the alternative (I’m sure housekeeping would rather deal with the aftermath of a lock having to be forced than of a very unnatural death).

BCS March 27, 2024 3:09 PM

@Robin,
Depending on your threat model, those “flip locks” can be the next thing to useless. They are actually designed to be easy to defeat (and replace) in case management needs to evict someone. IIRC a set of shorty bolt cutters will do the job in under a second.

Clive Robinson March 27, 2024 4:02 PM

@ Nanette,

I don’t understand what you mean by your comment. Keycards are often encoded to operate multiple locks

They are various forms of “Master Key”

Maintenance, Management and Security need to be able to open all doors at any time.

House keeping just the rooms on their “floor” between certain times.

Laundry, catering, bar staff, entertainments/sports staff don’t need guest room access but guests do require gym door etc access.

Programming plans in large 1000-guest-room hotels can be a real nightmare to work out.

Inevitably some staff end up with multiple keys, which can be really annoying when they often carry their key in their ID badge.

You would be surprised how many groups and zones there are even in a small hotel.

vas pup March 27, 2024 4:45 PM

Starshield
https://www.spacex.com/starshield/

“Starshield leverages SpaceX’s Starlink technology and launch capability to
support national security efforts. While Starlink is designed for consumer and
commercial use, Starshield is designed for government use, with an initial focus on three areas:

Earth Observation
Starshield launches satellites with sensing payloads and delivers processed
data directly to the user.

Communications
Starshield provides assured global communications to government users with
Starshield user equipment.

Hosted payloads
Starshield builds satellite buses to support the most demanding customer
payload missions.

Security
Starlink already offers unparalleled end-to-end user data encryption. Starshield uses additional high-assurance cryptographic capability to host classified payloads and process data securely, meeting the most demanding government requirements.

Interoperability
Starlink’s inter-satellite laser communications terminal, which is the only communications laser operating at scale in orbit today, can be integrated onto partner satellites to enable incorporation into the Starshield network.”

Good move, Mr. Musk, to protect yourself from other powerful parts of deep state…

Zaphod March 27, 2024 6:10 PM

@Uthor

I stay in many hotels. My youngster can vouch for that – collecting my room keycards.

The mechanical latch prevents exactly no one from entering your room if they have the correct tool.

@Clive has elaborated at least once in this very organ on the best method to secure your hotel door from the inside using only items normally found within said room.

Z.

JonKnowsNothing March 27, 2024 6:53 PM

@All

re: not secure but very noisy

I have used a small sound emitter that makes a heck of a screech. It can be fastened to a door or use hand held. There are spring blades that fit in the door jamb. If they are dislodged it goes off with an ear splitting noise.

  • Be sure to put up the No Service door tag

When using it hand held, there is a pin that activates the device. Pull the pin and get instant electronic screaming.

It won’t prevent someone from opening the door, but it’s guaranteed to make a heck of a racket.

OldGuy March 27, 2024 10:48 PM

@Zaphod wrote “The mechanical latch prevents exactly no one from entering your room if they have the correct tool.”

Google “open hotel door lock with rubber band on youtube”.

Correct tool is a rubber band and some duct tape. Takes seconds. (Videos are in Google’s “shorts” section.)

All this talk about “exploiting a weakness in their encryption” brings to mind a situation I ran into several decades ago. Boss bought this fancy schmancy software. Company bragged how everything was encrypted for security. Then boss forgot his password, didn’t want to pay to get it unlocked, and turned me loose on it. Turned out their security consisted of XOR’ing every byte written to disk with the same hardcoded 8-bit value. Their files contained a lot of NULL characters, i.e. zeros. Sure made it easy to figure out that XOR value. Turned out they encrypted their password file the same way. Turned out boss reused the same password for all his accounts. Security there was turtles all the way down.

You know there’s finding a weakness in the RNG and using it to brute force elliptic curve crypto, and then there’s putting your data through rot13 twice for “extra security”. A lot of people in business want whatever’s cheapest.

Hardware isn’t any different. Google “youtube ollam lockpicking”. He has some great DEFCON lectures.

R.Cake March 28, 2024 5:02 AM

@vas pup – oh c’mon. You do not actually believe that any Musk company has actually invented security technology that nobody else has or could defeat? Best case they run their own trust center and manage their own keys/certificates, and then rely on decent state of the art open-market products for readers and cards/tokens. Worst case they just let a team of interns re-invent the wheel, only that it later turns out their wheel is actually hexagonal.

@all – hotel room card systems are often specified by the central offices of the hotel chain, readers and cards purchased in bulk. The individual hotel has exactly zero say about what is used or how they can configure it, at least if it is a chain hotel; they just get it thumped on their front desk as it is.
MIFARE Classic based room cards are indeed a shame, different types of cards with standardized encryption have been available for 15 years or so. On the other hand, simple mechanical locks have been defeated decades ago and are still being used. I guess the expected security of hotel room keys is not particularly high – after all, you can expect the cleaning staff to be able to walk into your room any time they feel like it. So maybe MIFARE Classic is an appropriate security system after all 😀

Clive Robinson March 28, 2024 6:04 AM

@ OldGuy, ALL,

Re : Chain of history

How we get from your,

“Then boss forgot his password, didn’t want to pay to get it unlocked, and turned me loose on it. Turned out their security consisted of XOR’ing every byte written to disk with the same hardcoded 8-bit value.”

To,

https://www.cnet.com/news/privacy/judge-orders-halt-to-defcon-speech-on-subway-card-hacking/

And how history is being rewritten by AI agents etc.

Your comment brings back a memory from nearly a quarter of a century ago. With ElcomSoft’s Dmitry Sklyarov being arrested and as it later turned out illegally detained and coerced by the FBI on behalf of Adobe Systems and their P155 P00r security in their e-book reader that used what sounds like exactly the same encryption system,

“Dmitry Sklyarov the 27 year old Russian programmer at the center of this case was released from U. S. custody and allowed to return to his home in Russia on December 13 2001”

https://www.eff.org/cases/us-v-elcomsoft-sklyarov

Interestingly, searching around shows that slowly bit by bit write ups on,

1, What Dmitry had presented at Defcon-9 about the truly bad state of e-book software.
2, The fact he was arrested on behest of Adobe for embarrassing them publicly about the very poor security in their e-book system
3, The fact it was even Adobe Systems or their product
4, The unlawful behaviour of US authorities
5, The names of FBI and DoJ people involved
6, The fact Dmitry was a PhD researcher.
7, A jury found both Dmitry and Elcomsoft entirely innocent on all charges brought against them.

Is getting “deleted from history” or made difficult to find, via the likes of DuckDuckGo and Microsoft AI based Search engines…

The case was quite famous at the time as it showed the FBI was not just “over reaching” but actively trying to crush legitimate academic research. With even the usually non political and non feather ruffling “Nature” making comment,

https://www.nature.com/articles/35086729

And how speaking “truth unto power” can have consequences,

https://www.linux.com/news/sklyarovs-defcon-presentation-online-supporters-reputation-bonfire/

Much of which is what got repeated by the Massachusetts Government against the three students and the RFID “Charlie Card”.

Clive Robinson March 28, 2024 6:41 AM

@ OldGuy, ALL,

I forgot to add the all important,

https://en.citizendium.org/wiki/Snake_oil_(cryptography)

Which tells you,

‘One company advertised “the only software in the universe that makes your information virtually 100% burglarproof!”; their actual encryption, according to Sklyarov, was “XOR-ing each byte with every byte of the string “encrypted”, which is the same as XOR with constant byte”. Another used Rot 13 encryption, another used the same fixed key for all documents, and another stored everything needed to calculate the key in the document header.’

You can see why your comment triggered my ancient memory 😉

Winter March 28, 2024 7:50 AM

@Clive

You can see why your comment triggered my ancient memory

Ah, the memories!

I remember this encryption system from way back that bettered all the other ones. They pointed out that all the other systems only changed half of the bits in the original. Their system was double as good, it changed ALL the bits in the original.

I tried to find it again, but somehow, I am unable to find any mention of this perfect encryption system. Maybe it has become too secret?

Clive Robinson March 28, 2024 9:27 AM

@ Winter, OldGuy, ALL,

Re : “Thanks for the memories” and similar refrains from times past.

You mention,

“They pointed out that all the other systems only changed half of the bits in the original. Their system was double as good, it changed ALL the bits in the original.”

I remember such a claim or more correctly,

“The avalanche of complaints”

Or was it the other way around,

“The complaints of avalanche”

Or lack there of.

You would have thought that by our creaky old age, we would have heard it all by now and the Industry would be wiser…

But as philosopher George Santayana once observed,

“Those who do not remember the past are condemned to repeat it”

We realise this holds immense meaning and importance in understanding the impact of history on our past, present and future, and on the idiocy we see repeated as the wheel of history turns in its rut.

Santayana tried reminding us that failing to learn from our past mistakes or gain insight from historical events can lead us down a path of repetition, perpetuating the same errors and worse, much worse.

Yet in the ICT industry especially that subset involving security we appear to fail to learn from what is very clearly well within living memory, sometimes less than a couple of years old.

I was yet again reminded of this just a couple of days back…

I assume that you remember Log4Shell and Log4j and how its “be everything for everyone” kitchen sink approach opened a massive security violation via a lack of sufficient input checking?

https://www.xkcd.com/2347/

Well how long ago?

And now to discover it is being repeated this time with an old idea,

https://www.xkcd.com/1700/

But updated with AI LLMs… “Little Bobby Tables’ Mum would be proud”,

https://xkcd.com/327/

And so “handbags” used as transport modes to places of “Hell” you do not want to go to are featuring in our lives again…

bozo, ideho March 28, 2024 10:14 AM

@vas pup,

You forgot that Mr. Musk founded PayPal with Mr. Palantir so please do your homework next time, before you decide to praise Mr. Musk.
I’m not sayin, just sayin’!

Nanette March 28, 2024 1:29 PM

OldGuy, with respect to the rubber band trick, I view that as outside the threat model of the door-latch. I doubt very much that hotels formally threat-model those, which means that we’re all just guessing; naturally, this leads to different expectations, and, thus, surprises.

The latches are useful to stop housekeeping from walking in while you’re naked, and not much else. Slightly better than the “do not disturb” sign, because it can’t be casually removed. Maybe also to stop you from accidentally wandering into the hall while not fully awake (as referenced in Jeff Foxworthy’s 2022 comedy special).

How well can a hotel really guard against an adversary who can bring two huge suitcases without raising suspicion? Bolt cutters would be no problem. Other possibilities include battering rams and plasma torches, because people intentionally breaking into currently-occupied rooms probably don’t care about stealth. In some cases, there’s a fire-axe conveniently stored on every floor, perfectly capable of opening a wall. And then there’s the window…

recherche March 31, 2024 4:03 AM

Worst case I’ve heard about is an ASCII database with space (0x20) padding…

… and the key was ‘A’-‘Z’ letters, which, XORed with 0x20, neatly gives ‘a’-‘z’.

Sigh.
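Three comments above (OldGuy’s hard-coded XOR byte, the snake-oil quote about XORing with every byte of the string “encrypted”, and recherche’s space-padded table under a letter key) describe the same non-cipher, and the recovery is the same for all of them. The following is an added example, not code from the post or from any commenter: it recovers the key from ciphertext alone, given only the padding byte the attacker knows is in the data, shows that XORing every byte of a string into each data byte collapses to one constant, and also handles the obvious next “improvement”, cycling through a multi-byte key. The records, widths and keys are constructed for the example.

```python
"""Recovering a "XOR with a constant" key from padding alone.

Added example, not code from the post or any commenter. The only assumption is
that the most common plaintext byte is the record padding (NUL or space), which
is exactly what the commenters exploited. Sample records, widths and keys below
are constructed for the example.
"""
from collections import Counter
from functools import reduce
from typing import Sequence

NUL, SPACE = 0x00, 0x20
RECORD_WIDTH = 32


def fold_key(key: bytes) -> int:
    """XORing every byte of `key` into one data byte == XORing one constant."""
    return reduce(lambda a, b: a ^ b, key, 0)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Encrypt/decrypt with a key applied cyclically (len(key) == 1 is the constant case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_records(fields: Sequence[bytes], pad: int, width: int = RECORD_WIDTH) -> bytes:
    """Fixed-width records padded with `pad`, like the databases in the thread."""
    return b"".join(f.ljust(width, bytes([pad])) for f in fields)


def recover_key(ciphertext: bytes, pad: int, max_len: int = 16) -> bytes:
    """Recover a repeating XOR key of unknown length from padding-heavy ciphertext.

    For a candidate length L, the key byte for position j is the most common
    byte of the stripe ciphertext[j::L] XORed with the pad byte. The true length
    (and its multiples) turns every padding position back into `pad`, so keep
    the shortest L with the highest count of decoded pad bytes.
    """
    best_key, best_score = b"", -1
    for length in range(1, min(max_len, len(ciphertext) // 4) + 1):
        key = bytes(Counter(ciphertext[j::length]).most_common(1)[0][0] ^ pad
                    for j in range(length))
        score = xor_repeating(ciphertext, key).count(pad)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


# Constructed sample "database": user,role records of at most 11 characters,
# so at least 21 of every 32 bytes are padding.
SAMPLE_FIELDS = [b"alice,admin", b"bob,staff", b"carol,guest", b"dave,staff",
                 b"erin,admin", b"frank,guest", b"grace,staff", b"heidi,guest"]
NUL_DB = make_records(SAMPLE_FIELDS, NUL)      # OldGuy's NUL-heavy files
SPACE_DB = make_records(SAMPLE_FIELDS, SPACE)  # recherche's space-padded ASCII table


if __name__ == "__main__":
    print("b'encrypted' folds to the constant 0x%02x" % fold_key(b"encrypted"))
    for db, pad, key in ((NUL_DB, NUL, b"\x5a"),          # hard-coded byte (hypothetical value)
                         (NUL_DB, NUL, b"encrypted"),     # the string, cycled per byte
                         (SPACE_DB, SPACE, b"Q")):        # single letter over space padding
        ct = xor_repeating(db, key)
        guess = recover_key(ct, pad)
        print("key %r -> recovered %r, plaintext ok: %s"
              % (key, guess, xor_repeating(ct, guess) == db))
```

Running it prints the recovered key for each case. The single-letter case is recherche’s observation in code form: the most common ciphertext byte is the key letter with bit 0x20 flipped, i.e. the key in lower case, so the padding leaks the key before any analysis is needed.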
