Hackers Found a Way to Open Any Hotel Keycard Lock in Seconds

During the annual hacker gatherings in Las Vegas, security researchers often test the city's technology, including hotel systems. In 2022, a group was invited to hack a Vegas hotel room, aiming to find digital weaknesses in gadgets like TVs and phones. One team focused on the door lock, eventually uncovering a method to quickly open millions of hotel doors worldwide.

Ian Carroll, Lennert Wouters, and their team revealed a technique called Unsaflok, exposing flaws in Saflok-brand RFID locks used in 13,000 properties globally. By exploiting encryption weaknesses and RFID vulnerabilities, they demonstrated how to open Saflok locks in seconds with a copied keycard.

They informed Dormakaba, the lock maker, about their findings, prompting efforts to fix the issue. However, only 36% of locks have been updated so far, with a complete fix expected to take months or even years.

The hackers' method involves rewriting keycards and spoofing master keys by reverse engineering lock programming devices and hotel software. Despite Dormakaba's efforts, the vulnerability remains, leaving many properties at risk.

To check if a lock is vulnerable, guests can use an app to scan their keycard. If it's a MIFARE Classic card, the lock might still be vulnerable. Until fixed, guests are advised to take precautions, as even deadbolts controlled by the lock offer limited protection.

Wouters and Carroll stress the importance of awareness, noting that the vulnerability may have existed for years. They caution against complacency, urging guests to understand the risks and take necessary precautions.