When thousands of security researchers descend on Las Vegas every August for what’s known as the “hacker summer camp,” the back-to-back Black Hat and Defcon hacker conferences, it’s a given that some of them will experiment with hacking the infrastructure. of Vegas itself, the city’s vast array of casino and hospitality technology. But a select group of researchers was present at a private event in 2022 invited to hack into a Vegas hotel room and compete in a suite full of laptops and cans of Red Bull to find digital vulnerabilities in all the room’s gadgets, from the TV to the bedside VoIP phone.
Those days, a team of hackers focused on the lock on the room’s door, perhaps the most sensitive piece of technology of all. Now, more than a year and a half later, they’re finally bringing the results of that work to light: a technique they discovered that allows an intruder to open one of millions of hotel rooms worldwide in seconds, with just two taps.
Today Ian Carroll, Lennert Wouters and a team of other security researchers unveil a hotel keycard hacking technique they call Dissolve. The technique is a collection of security vulnerabilities that allows a hacker to almost instantly open several models of RFID key card locks from the Saflok brand, sold by Swiss lockmaker Dormakaba. Saflok systems are installed on 3 million doors worldwide, in 13,000 properties in 131 countries.
By exploiting weaknesses in both Dormakaba’s encryption and the underlying RFID system that Dormakaba uses, known as MIFARE Classic, Carroll and Wouters demonstrated how easily they can open a Saflok key card lock. Their technique starts with obtaining a key card from a target hotel – for example, by booking a room there or taking a key card from a box of used ones – and then reading a certain code from that card with an RFID read-write device from $300, and finally writing two custom keycards. When they just tap those two cards on a lock, the first rewrites a certain piece of the lock’s data, and the second opens it.
“Two quick taps and we open the door,” says Wouters, a researcher at the Computer Security and Industrial Cryptography group at KU Leuven University in Belgium. “And that works on every door in the hotel.”
A video in which the researchers demonstrate their lock-hacking technique. (The light pattern shown on the lock was redacted at one point at the researchers’ request to avoid revealing a detail of their technique that they had agreed with Dormakaba not to make public.)Video: Ian Caroll
Wouters and Carroll, an independent security researcher and founder of travel website Seats.aero, shared the full technical details of their hacking technique with Dormakaba in November 2022. Dormakaba says it has been working since early last year to make hotels using Saflok aware of their security flaws and to help them repair or replace the vulnerable locks. Many of the Saflok systems sold over the past eight years do not require hardware replacement for each individual lock. Instead, hotels only need to update or replace the front desk management system and have a technician perform a relatively quick reprogramming of each lock, door by door.
Wouters and Carroll say that Dormakaba still told them that as of this month, only 36 percent of installed Safloks have been updated. Since the locks are not connected to the internet and some older locks still need a hardware upgrade, they say it will take at least months longer to roll out the full solution. For some older installations it can take years.
“We have been working closely with our partners to identify and implement an immediate fix for this vulnerability, along with a longer-term fix,” Dormakaba wrote to WIRED in a statement, though it declined to detail what those “immediate restriction” could be. “Our customers and partners all take safety very seriously and we are confident that all reasonable steps will be taken to address this matter in a responsible manner.”