Hotel room locks at risk with inexpensive door-hacking kit

March 24, 2024

TLDR:

Millions of hotel room locks are vulnerable to “Unsaflok,” an exploit that needs only an inexpensive kit and affects popular keycard locks made by dormakaba. It allows miscreants to easily slip into locked rooms in properties across 131 countries. The vulnerabilities have been present for over 36 years, and only 36% of affected locks have been upgraded so far. Hotels need to upgrade door locks, hotel software, keycard encoders, and keycards to mitigate the risk. There’s no evidence of historical intrusions, but researchers are withholding full details of the exploit to prevent widespread intrusion attempts while upgrades are in progress.

Security researchers discovered an exploit that affects around 3 million hotel locks in 131 countries, allowing intruders to break into locked rooms with commercially available equipment. The vulnerability affects Saflok keycard locks made by dormakaba, commonly used in hotels worldwide.

The researchers responsible for the discovery, who reported the vulnerabilities in September 2022, revealed that dormakaba started working on a fix in November 2023, more than a year later. However, the upgrade process is slow, with only 36% of affected locks upgraded so far. Hotels need to upgrade various components, including door locks, hotel software, keycard encoders, and keycards to prevent unauthorized access.

While there is no available evidence of historical intrusions using this exploit, the vulnerabilities have been present for over 36 years, leaving a significant window of opportunity for exploitation. The researchers are withholding full details of the exploit to prevent widespread intrusions until hotels complete the necessary upgrades.
