Unsaflok Flaws Allow Unlocking Saflok Door Locks With Forged Cards

Researchers have identified a set of vulnerabilities in Saflok door locks that threaten the security of hotel rooms. Named ‘Unsaflok,’ the security flaws let an adversary unlock Saflok RFID locks with forged keycards.

‘Unsaflok’ Security Flaws Riddle Saflok Door Locks

After a year and a half of work, a team of researchers has now disclosed Unsaflok, a set of security flaws affecting Saflok door locks.

According to the details shared via a dedicated web page, the Unsaflok vulnerabilities stem from weaknesses in Saflok’s encryption (specifically its Key Derivation Function, or KDF) and in the MIFARE Classic RFID system used in the locks. An attacker may exploit the flaw by reading specific codes from one of the target hotel’s keycards and then writing two keycards of their own. Placing those two cards on the lock’s reader one after the other causes the first card to rewrite a certain code on the lock, after which the second card opens it. The researchers state that a $300 RFID read-write device is sufficient to prepare the two keycards used to trick the target door locks.

The researchers have demonstrated the attack in a separate video, showing how an adversary may render the locks useless by exploiting Unsaflok flaws.

These vulnerabilities affect all Saflok locks launched since 1988, meaning that hotels and other Saflok customers have been using vulnerable locks all along. The researchers haven’t detected any exploitation attempts yet but don’t rule out such a threat.

Patches Released But Need Aggressive User Input

According to Wired, the researchers began working on this subject following an invitation to hack a Las Vegas hotel room. They subsequently found the vulnerabilities and reported them to dormakaba, the Saflok vendor, in September 2022.

Following the report, the vendor began working on a fix, eventually deploying the updates to hotels in November 2023. As of March 2024, roughly 36% of the affected locks had received the update. The researchers have now decided to go ahead with the disclosure to inform users about the potential threat.

Given the extensive use of Saflok locks, the vulnerabilities affect over 13,000 RFID locks installed across various hotels and homes globally. This requires immediate attention from all users, who should address the matter by updating the lock software or replacing the locks. Until the issue is largely addressed, the researchers have decided to withhold the proof-of-concept (PoC) release.
