Security Vulnerability in Saflok’s RFID-Based Keycard Locks
2024-03-27 11:01

The technique is a collection of security vulnerabilities that would allow a hacker to almost instantly open several models of Saflok-brand RFID-based keycard locks sold by the Swiss lock maker Dormakaba.

By exploiting weaknesses in both Dormakaba's encryption and the underlying RFID system Dormakaba uses, known as MIFARE Classic, Carroll and Wouters have demonstrated just how easily they can open a Saflok keycard lock.

Their technique starts with obtaining any keycard from a target hotel (say, by booking a room there or grabbing a keycard out of a box of used ones), then reading a certain code from that card with a $300 RFID read-write device, and finally writing two keycards of their own.

Dormakaba says that it's been working since early last year to make hotels that use Saflok aware of their security flaws and to help them fix or replace the vulnerable locks.

For many of the Saflok systems sold in the last eight years, there's no hardware replacement necessary for each individual lock.

Given that the locks aren't connected to the internet and some older locks will still need a hardware upgrade, they say the full fix will still likely take months longer to roll out, at the very least.


News URL

https://www.schneier.com/blog/archives/2024/03/security-vulnerability-in-safloks-rfid-based-keycard-locks.html