Unsaflok: vulnerable locks on three million hotel room doors

dormakaba Saflok locks — used on around three million doors across 13,000 hotels — are vulnerable to an attack that involves forging electronic keycards.

Unsaflok: how to forge keycards for Saflok locks

A group of researchers has published information about the so-called Unsaflok attack, which exploits a number of vulnerabilities in the company dormakaba’s Saflok hotel door locks. We explain how this attack works, why it’s dangerous, and how hotel owners and guests can protect themselves against it.

How the Unsaflok attack works

The most important thing to know about the Unsaflok attack is that it permits the forging of keycards for electronic Saflok locks, which are widely used in hotels around the world. All an attacker needs is a RFID key from a targeted hotel where these locks are installed. Getting hold of one is easy: for example, the keycard to the attacker’s own room would suffice. Data obtained from this card would be enough to program a keycard so it can open any door in the hotel.

No particularly exotic equipment is required for this either: to read legitimate keycards and also forge keycards, an attacker can use a laptop with an RFID card reader/writer connected to it. Even a regular Android smartphone with NFC can do the trick.

One of the possible setups for the Unsaflok attack

A laptop with a contactless smart-card reader/writer can be used to forge keycards. However, a regular Android smartphone with NFC would also do. Source

Various hacking tools that work with RFID — such as the popular Flipper Zero or the somewhat more exotic Proxmark3 — can also be used for the Unsaflok attack.

It turns out the researchers discovered the possibility of attacking Saflok locks back in 2022. However, adhering to responsible vulnerability disclosure procedures, they gave the manufacturer considerable time to develop protective measures and begin updating the locks. To protect the safety of hotels and their guests, full details of the attack mechanism as well as the proof-of-concept have not yet been published. The researchers promise to share more details about Unsaflok in the future.

Which locks are vulnerable to the Unsaflok attack

According to researchers, all locks using the dormakaba Saflok system are vulnerable to the attack, including (but not limited to) the RT Series, MT Series, Quantum Series, Saffire Series, and Confidant Series. According to the dormakaba website, Saflok locks have been manufactured since 1988 — for more than 30 years.

Saflok RT series hotel lock

The Saflok RT series is one of the most common types of dormakaba Saflok locks. Source

How common are these locks? As the researchers themselves say, vulnerable Saflok locks are used in over 13,000 hotels in 131 countries worldwide — installed on around three million doors. If data is to be believed stating that there are a total of 17.5 million hotel rooms in the world, it turns out that roughly one in six hotel locks is vulnerable to the Unsaflok attack.

dormakaba developed an update that protects against the Unsaflok attack and began updating the locks in November 2023. However, we’re talking about thousands of hotels and millions of locks, each of which must be individually updated or completely replaced, as well as vast quantities of related equipment. Therefore, the update process takes a considerably long time. According to the researchers, by March 2024, 36% of the vulnerable locks had been updated.

Safety tips for guests

Saflok locks are easy to recognize — the most popular series, which you’re most likely to encounter in hotels, were shown in the illustrations above. And here you can see what the other models of vulnerable locks look like.

However, it’s not possible to distinguish a vulnerable lock from an already updated one by appearance, as outwardly they look exactly the same. However, the type of keycard can help with that: if the hotel uses MIFARE Classic keycards with Saflok locks, then these locks are still vulnerable to the Unsaflok attack. If the hotel has already switched to MIFARE Ultralight C keycards, this is a sign that the locks have been updated. You can determine the keycard type by using the NFC TagInfo by NXP app (Android, iOS).

The researchers emphasize that the mere use of MIFARE Classic keycards doesn’t necessarily mean that the hotel’s locks are insecure — other lock systems that use these same cards haven’t been found to have problems. The danger lies specifically in the combination of MIFARE Classic cards and Saflok locks. If you come across this combo, be aware that the lock may not provide reliable protection against unauthorized entry into the given room.

It’s worth noting that the internal latch in Saflok locks is also electronically controlled and can be opened with a keycard — including a forged one. Therefore, it’s pointless using it to protect against intrusion. Instead, you should lock the door with a chain, or a separate deadbolt if there is one.

Safety tips for hotel owners

The researchers note that they aren’t aware of any real-life cases of the Unsaflok attack being used against hotels. However, they don’t rule out the possibility that someone had already discovered the vulnerabilities in Saflok locks before them — after all, these locks have been on the market for several decades.

Therefore, it’s quite possible that malicious actors are already using this attack to break into hotel rooms, and since such an intrusion looks the same as legitimate use of the lock, it’s not so easy to notice a break-in.

The researchers mention that it’s possible to detect an Unsaflok attack by examining the entry/exit logs using the Saflok HH6 programmer: due to the nature of the vulnerability, entry with a forged key for all doors might be attributed to an “incorrect keycard or incorrect employee”.

And of course, the main advice: eliminate the vulnerabilities in your dormakaba Saflok locks so as not to put your clients and their property at risk. As you might guess, this means updating your locks as soon as possible. For questions regarding updating Saflok locks, contact the manufacturer’s technical support service.