Unsaflok Flaw Let Attackers Open Million of Doors in Seconds
Unsaflok, in Dormakaba’s Saflok electronic RFID locks used in hotels and multi-family housing, allows attackers to forge a master keycard by exploiting weaknesses in the system and then using it to unlock any door within the affected property.
The vulnerability impacts over 3 million locks across 13,000 locations globally. All Saflok models, including the Saflok MT, Quantum Series, RT Series, Saffire Series, and Confidant Series, are susceptible if they are managed by System 6000 or Ambiance software.
While the lock model can be visually identified, there is no way to determine if a specific lock has been patched.
Researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana disclosed a critical vulnerability (Unsaflok) in Dormakaba’s Saflok electronic locks used in hotels and multi-family housing and by exploiting weaknesses in the system, attackers can forge a single keycard pair to unlock all doors within a facility.
More than 3 million locks across 13,000 properties in 131 countries are impacted, including Saflok MT, Quantum Series, RT Series, Saffire Series, and Confidant Series, which typically use Dormakaba’s System 6000 or Ambiance software for management.
While identifying the lock model itself is possible, there’s no visual cue to determine if a specific lock has been patched. Upgrading the system likely involves switching to MIFARE Ultralight C keycards from the vulnerable MIFARE Classic.
An NFC Taginfo app can be used to check the keycard type on compatible smartphones, and it is important to note that this vulnerability is specific to Dormakaba Saflok systems and doesn’t affect other lock manufacturers using MIFARE Classic cards, but using MIFARE Classic for security-sensitive applications is generally discouraged.
Saflok electronic locks are vulnerable to a bypass due to flaws in their MIFARE Classic keycard system, where an attacker can steal data from a legitimate keycard and use it to create forged master keycards.
The forgeries can then be written to any compatible card and used to bypass the deadbolt and enter any room on the property, as the vulnerability stems from the ability to retract the deadbolt remotely via software and the lack of strong encryption on the keycards.
While some suspicious activity might be identified by auditing entry/exit logs, the attack itself cannot be definitively proven due to the ease of forging card data, necessitating the use of additional physical security measures like chain locks to secure guest rooms.
Dormakaba’s proprietary KDF for MIFARE Classic sectors in Saflok locks relies solely on the card’s UID, making it vulnerable to cloning if the KDF is compromised but the KDF itself is not enough to create new keys and its recent public disclosure raises concerns.
Though no real-world attacks are confirmed, the possibility of past exploitation cannot be ruled out.
It was discovered that there were vulnerabilities in Saflok locks in August 2022, as they developed a proof-of-concept exploit and contacted Dormakaba, the manufacturer, in September 2022.
Over the course of multiple meetings between October 2022 and March 2024, they collaborated on a solution and Dormakaba began upgrading locks in November 2023. While full technical details are not yet public, a high-level disclosure occurred in March 2024.
Source: https://bit.ly/3uS5LZ2