Hotel Keys Under Hacking Risk: How ConvergentDS Enhances RFID Security


Does your organization rely on RFID locking technology to secure access to rooms or housing units? You should be aware of this latest security vulnerability, and of how ConvergentDS works to identify such flaws and patch holes in RFID security.

A team of security researchers revealed last month a hotel keycard hacking technique that exploits vulnerabilities in several models of Saflok-brand RFID keycard locks sold by Swiss lock maker Dormakaba.

The security flaw means millions of hotel room doors are vulnerable to a breach — the research team reported that the affected Saflok systems are installed on 3 million doors inside 13,000 hotels and multi-family properties in 131 countries. That explains the researchers’ name for their technique: Unsaflok.

The research team says it reported the vulnerabilities to Dormakaba in September 2022 and the company started to upgrade hotel locks. But only 36% of the affected locks had been replaced or updated as of last month, the team said, prompting them to release their information publicly so guests are aware of the security concerns.

How the hack works

According to an article in Wired, the researchers said they exploited weaknesses in both Dormakaba’s encryption and its underlying RFID system: MIFARE Classic. Their technique starts with obtaining any hotel keycard, either by booking a room or grabbing one from a discard box. Then they read a code from that card with a $300 RFID read-write device, and write two new keycards. When those two cards are tapped on a lock, the first tap rewrites a piece of the lock’s data, and the second tap opens it.

“Two quick taps and we open the door,” Lennert Wouters, a researcher in the Computer Security and Industrial Cryptography group at the KU Leuven University in Belgium, told Wired. “And that works on every door in the hotel.”

How guests can protect themselves

The researchers say you may be able to tell whether a hotel has upgraded its Saflok system by checking whether it uses MIFARE Ultralight C cards instead of MIFARE Classic. The NFC Taginfo app by NXP on Android and iOS can be used to identify the keycard type. Other lock manufacturers using MIFARE Classic keycards are not affected by the Unsaflok vulnerability.

Hotel guests shouldn’t rely on the deadbolt as a backup, because it can be electronically controlled. Using the chain lock or another manual door stop could prevent someone with a hacked key card from entering.

How ConvergentDS helps keep RFID devices safe

We provide security assessments, testing, consulting, and advisory services for the hospitality industry, with a specific focus on access control for events and properties using RFID wristbands and keycards. We test the security of these devices and advise on how to improve access control and eliminate vulnerabilities that expose secure and private areas and live events.

ConvergentDS employs a dedicated research group focused on access issues in the entertainment and hospitality industry. Similar to the Unsaflok researchers, ConvergentDS’s ethical hackers have replicated wristbands for live events, hotel keycards, and similar RFID technology.

Drawing on our experience working with clients in this space and understanding their needs, ConvergentDS identifies security threats and creates solutions using clients’ existing technology and infrastructure by changing implementation plans, saving companies money. Our services help protect the client and their customers, who place their trust in the convenience of RFID keycards and wristbands. These devices not only can give access to specific physical areas like a hotel but can also contain data like credit card numbers for refreshment or merchandise purchases in a live event setting.

What’s the state of your RFID security?

With personally identifiable information and secure access at stake, hotel chains and event organizers need security solutions to identify and eliminate RFID vulnerabilities. Are you in need of an RFID security assessment, consultation, or update? Contact us today.
