Security Breach: Simple Hack Unlocks Millions of Hotel Room Doors Globally

Never rely just on your hotel room’s primary lock when you’re inside. Always bolt the door. And don’t leave valuables in your room when you can avoid it.

We’ve always known that some hotels don’t do a good job tracking their master keys, that people can get your room key just by asking, and that some housekeepers find valuables too tempting.

But we now know that it’s possible to open over 3 million hotel doors worldwide with just two taps. One of the people that figured out how to do it is the founder of airline award search tool Seats.aero.

Two years ago a group was invited to hack a brand of hotel door lock in Las Vegas. What one team found was flaws in the RFID-based keycard locks by Dormakaba, a leading Swiss lock manufacturer. This vulnerability affects Saflok systems installed in doors across 131 countries. There’s a fix rolling out, but it’ll take months or even years to be in place worldwide.

Their method involves acquiring a hotel’s keycard, using it with a specialized RFID device to read and then duplicate a crucial code, which then enables the creation of functional keycards capable of unlocking the doors with just two simple taps.

By exploiting weaknesses in both Dormakaba’s encryption and the underlying RFID system Dormakaba uses, known as MIFARE Classic, Carroll and Wouters have demonstrated just how easily they can open a Saflok keycard lock. Their technique starts with obtaining any keycard from a target hotel—say, by booking a room there or grabbing a keycard out of a box of used ones—then reading a certain code from that card with a $300 RFID read-write device, and finally writing two keycards of their own. When they merely tap those two cards on a lock, the first rewrites a certain piece of the lock’s data, and the second opens it.

“Two quick taps and we open the door,” says Wouters, a researcher in the Computer Security and Industrial Cryptography group at the KU Leuven University in Belgium. “And that works on every door in the hotel.”

Wired has the details on how the hotel room door lock hack works. This video from Ian Carroll shows it being used:

The company has notified hotels of the vulnerability, guiding them through the process of securing or replacing the compromised locks. Updating management software at the front desk and reprogramming locks is usually sufficient (rather than wholesale replacement) for locks installed in the past eight years. However many Saflok lock systems remains unupdated.

(HT: Jonathan W.)

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »

Comments

  1. Come on how about linking to the guy’s site like you do to that dot me site

    Brilliant mind he is – shows in the clean elegance of his award tool

  2. The MIFARE Classic has been known compromised since at least 2008 (https://en.wikipedia.org/wiki/MIFARE#Security). In my opinion, deploying any new system with MIFARE Classic is negligent.

    That said, updating systems takes forever. The MBTA (Boston transit agency) still has not replaced the MIFARE Classic-based system, although is (slowly, slowly) in the process of doing so (with a 2025 target now, slipped from 2021). They have deployed some countermeasures like central tracking of card values.

  3. The latch bar can be opened from the outside without too much effort. True, it won’t be completely quiet so I use it.

Leave a Reply

Your email address will not be published. Required fields are marked *