Android phones supporting a specific feature can open 3 million hotel rooms in 161 countries

Back in 2022 in Las Vegas at a private event, researchers were asked to hack into a Las Vegas hotel room, and in addition to seeing if they could get past the digital door lock, they attempted to find vulnerabilities in other gadgets in the room. One group of researchers focused on getting the hotel room door to open. Now, in 2024, it turns out that a method was discovered that would allow those with an Android phone to open millions of hotel rooms worldwide in just seconds.

According to Wired, a team of security researchers are unveiling a hotel keycard hack they call Unsaflok. This vulnerability affects the Saflok electronic RFID locks made by a company called Dormakaba. The hack can be used to unlock over three million hotel rooms found in over 13,000 properties located in 161 countries. The researchers took advantage of flaws in Dormakaba's encryption and its RFID system.

The process works like this. The hackers obtain a keycard for any room from the target hotel. This can be done by booking a room or swiping a used one. Using an RFID writer-reader (which might cost $300), a code is read from the card, and two keycards are created. When the two cards are tapped on the lock, the first one rewrites part of the lock's data and the second one opens the door.

However, if you have an Android phone that supports Near-Field Communication (NFC), the two keycards can be replaced by the Android phone. Download a signal-emitting app and the phone can be used to emit a signal that will be used instead of the two keycards to unlock the door.

Back in 2012 at the Black Hat conference in Vegas, a hacker described a hack that could exploit a vulnerability found in 10 million locks made by a company called Onity. The latter refused to pay to update the locks leaving it to the hotels to make any changes. That was a bad move as criminals started using the exploit to break into hotel rooms and rob the guests.

This time, the Unsaflok team decided not to reveal their entire hack to the public. Hacker Ian Carroll said, "We're trying to find the middle ground of helping Dormakaba to fix it quickly, but also telling the guests about it. If someone else reverse engineers this today and starts exploiting it before people are aware, that might be an even bigger problem."

Dormakaba told Wired, "We have worked closely with our partners to identify and implement an immediate mitigation for this vulnerability, along with a longer-term solution. Our customers and partners all take security very seriously, and we are confident all reasonable steps will be taken to address this matter in a responsible way."