A security flaw found in Dormakaba Saflok electronic RFID locks used in hotels could allow threat actors to exploit them to forge key cards and sneak into locked rooms.
Disadvantages are collectively referred to as winsaflock Written by researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana. They report to the Zurich-based company in September 2022.
“Combined, the vulnerabilities discovered allow an attacker to unlock all rooms in the hotel using a pair of counterfeit key cards,” they said.
Due to the potential impact, full technical details about the vulnerability have been withheld and are expected to be made public in the future.
These issues affect more than 3 million hotel locks at 13,00 hotels in 131 countries. These include Saflok MT models as well as Quantum, RT, Saffire and Confidant series devices, which are used with System 6000, Ambiance and Community management software.
It is estimated that as of March 2024, Dormakaba has updated or replaced 36% of affected locks as part of a rollout process that will begin in November 2023. Some of the vulnerable locks have been in use since 1988.
“An attacker can compromise any door in the property simply by reading a key card in the property,” the researchers said. “This key card could come from their own room or even be collected from an express checkout. Expired key card taken out of box.”
Counterfeit cards can be created using any MIFARE Classic card or any commercially available RFID reading and writing tool capable of writing data to these cards. Alternatively, Proxmark3, Flipper Zero or even an NFC-enabled Android phone can be used in place of the card.
In an interview with Wired’s Andy Greenberg, the researchers said the attack would require reading a specific code from the card and using the method described above to create a pair of fake keycards – one of which would match the lock’s key card. The data is reprogrammed and another opens it by cracking Dormakaba’s key derivation function. (KDF) encryption system.
“Two quick knocks and the door opened,” Waters said.
Another key step involved reverse engineering the lock-programming devices Dormakaba distributed to hotels and the front-end software used to manage key cards, allowing researchers to spoof a working master key that could be used to unlock any room.
There are currently no confirmed cases of these exploits being exploited in the wild, although the researchers do not rule out the possibility that the vulnerabilities have been discovered or exploited by others.
“By auditing the lock’s entry/exit logs, it may be possible to detect certain attacks,” they added. “Hotel staff could audit this via the HH6 device and look for suspicious entry/exit records. Due to the vulnerability, entry/exit records /out of record may be attributed to incorrect key card or staff.”
This disclosure comes against the backdrop of the discovery of three critical security vulnerabilities in electronic logging devices (ELDs) commonly used in the trucking industry that could potentially be weaponized to achieve unauthorized control of vehicle systems and manipulate them at will. Data and vehicle operations.
Even more worryingly, one of the flaws could pave the way for the worm to self-spread among trucks, potentially causing massive disruptions to commercial fleets and leading to serious safety consequences.
