Unsaflok flaw lets attackers open millions of doors effortlessly

  • Unsaflok flaw in Dormakaba’s Saflok electronic locks allows attackers to forge master keycards to open any door
  • Over 3 million locks across 13,000 locations globally are affected by this vulnerability

Unsaflok is a critical vulnerability in Dormakaba’s Saflok electronic RFID locks, which are used in hotels and multi-family housing. It allows attackers to create a master keycard that opens any door within an affected property. The vulnerability impacts over 3 million locks across 13,000 locations globally, including various Saflok models managed by System 6000 or Ambiance software. While the lock model can be identified visually, there is no way to determine if a specific lock has been patched.

The vulnerability stems from flaws in the MIFARE Classic keycard system, which enable attackers to create forged master keycards by stealing data from legitimate keycards. The forgeries can be used to bypass deadbolts and access any room on a property. The vulnerabilities were discovered in August 2022, and Dormakaba has been working on upgrading locks since November 2023. Full technical details have not been disclosed; a high-level disclosure was made in March 2024.

To mitigate the risk posed by the Unsaflok flaw, users are advised to switch from the vulnerable MIFARE Classic keycards to MIFARE Ultralight C keycards and to use additional physical security measures to secure guest rooms. No real-world attacks have been confirmed, but past exploitation cannot be ruled out, which underscores the need for immediate action and awareness in safeguarding electronic locks.
