Never rely just on your hotel room’s primary lock when you’re inside. Always bolt the door. And don’t leave valuables in your room when you can avoid it.
We’ve always known that some hotels don’t do a good job tracking their master keys, that people can get your room key just by asking, and that some housekeepers find valuables too tempting.
But we now know that it’s possible to open over 3 million hotel doors worldwide with just two taps. One of the people who figured out how to do it is the founder of airline award search tool Seats.aero.
Two years ago a group was invited to hack a brand of hotel door lock in Las Vegas. One team found flaws in the RFID-based keycard locks made by Dormakaba, a leading Swiss lock manufacturer. The vulnerability affects Saflok systems installed in doors across 131 countries. There’s a fix rolling out, but it’ll take months or even years to be in place worldwide.
Their method involves acquiring one of a hotel’s keycards and using a specialized RFID device to read and then duplicate a crucial code from it. That code enables the creation of functional keycards capable of unlocking the doors with just two simple taps.
By exploiting weaknesses in both Dormakaba’s encryption and the underlying RFID system Dormakaba uses, known as MIFARE Classic, Carroll and Wouters have demonstrated just how easily they can open a Saflok keycard lock. Their technique starts with obtaining any keycard from a target hotel—say, by booking a room there or grabbing a keycard out of a box of used ones—then reading a certain code from that card with a $300 RFID read-write device, and finally writing two keycards of their own. When they merely tap those two cards on a lock, the first rewrites a certain piece of the lock’s data, and the second opens it.
“Two quick taps and we open the door,” says Wouters, a researcher in the Computer Security and Industrial Cryptography group at the KU Leuven University in Belgium. “And that works on every door in the hotel.”
Wired has the details on how the hotel room door lock hack works. This video from Ian Carroll shows it being used:
The company has notified hotels of the vulnerability, guiding them through the process of securing or replacing the compromised locks. For locks installed in the past eight years, updating the management software at the front desk and reprogramming the locks is usually sufficient, rather than wholesale replacement. However, many Saflok lock systems remain unupdated.
(HT: Jonathan W.)
Come on, how about linking to the guy’s site like you do to that dot me site?
Brilliant mind he is – shows in the clean elegance of his award tool
@Greg I’ve linked to seats.aero but this post wasn’t about seats.aero, read this and tell me I haven’t spoken out for him: https://viewfromthewing.com/navigating-the-gray-zone-air-canadas-lawsuit-and-the-future-of-award-search-tools/
The MIFARE Classic has been known compromised since at least 2008 (https://en.wikipedia.org/wiki/MIFARE#Security). In my opinion, deploying any new system with MIFARE Classic is negligent.
That said, updating systems takes forever. The MBTA (Boston transit agency) still has not replaced the MIFARE Classic-based system, although it is (slowly, slowly) in the process of doing so (with a 2025 target now, slipped from 2021). They have deployed some countermeasures like central tracking of card values.
The latch bar can be opened from the outside without too much effort. True, it won’t be completely quiet so I use it.
Yes you made a good case for him re the lawsuit
Another reason to not stay in hotel rooms.
Another reason to take a cheap rubber door stop with you.