In an alarming revelation for travelers, a recent investigation has uncovered a critical security flaw that puts over 3 million hotel rooms at risk worldwide. Dubbed “Unsaflok,” this hacking technique exploits vulnerabilities in the RFID-based keycard locks manufactured by the Swiss company Dormakaba, known for their Saflok brand systems. According to a detailed report by Wired, this breach could allow unauthorized access to rooms across 13,000 properties in 131 countries with startling ease and speed.
Security researchers, brought into a Las Vegas hotel for a routine digital security check, demonstrated how the Unsaflok method works by manipulating the encryption and RFID technology of the keycards. The process begins with obtaining a hotel keycard, which can be as simple as keeping a card from a previous stay or picking one from a discarded pile at the hotel. Using an RFID read-write device, hackers can then clone the card twice. By tapping these cloned cards against the lock, the first alters specific lock data, while the second triggers the lock to open, all within seconds.
“We’ve essentially found a master key for millions of hotel rooms,” Lennert Wouters, a member of the research team from KU Leuven University’s Computer Security and Industrial Cryptography group, explained to Wired. “Two quick taps and we open the door. And that works on every door in the hotel.”
Dormakaba has acknowledged the issue and is actively working on a fix, which involves updating the front desk management system and reprogramming or replacing the affected locks. However, progress has been slow, with only 36 percent of Saflok systems updated to date. The company emphasizes its commitment to resolving the issue, stating, “We have worked closely with our partners to identify and implement an immediate mitigation for this vulnerability, along with a longer-term solution.”
This incident raises significant concerns about the digital security practices in the hospitality industry and the urgency with which such vulnerabilities are addressed. For travelers, the revelation is a stark reminder of the potential risks that come with the convenience of digital access systems, underscoring the need for hotels to prioritize and expedite security updates to protect their guests.
