The process works like this. The hackers obtain a keycard for any room from the target hotel. This can be done by booking a room or swiping a used one. With an RFID writer-reader (which might cost $300), they read a code from the card and create two keycards. When the two cards are tapped on the lock, the first one rewrites part of the lock’s data and the second one opens the door.
From left to right, the Saflok MT and Saflok RT Plus are the two most impacted locks.
However, an Android phone that supports Near-Field Communication (NFC) can replace the two keycards. With a signal-emitting app downloaded, the phone emits a signal that is used instead of the two keycards to unlock the door.
Back in 2012, at the Black Hat conference in Vegas, a hacker described a hack that could exploit a vulnerability found in 10 million locks made by a company called Onity. Onity refused to pay to update the locks, leaving it to the hotels to make any changes. That was a bad move, as criminals started using the exploit to break into hotel rooms and rob the guests.
This time, the Unsaflok team decided not to reveal their entire hack to the public. Hacker Ian Carroll said, “We’re trying to find the middle ground of helping Dormakaba to fix it quickly, but also telling the guests about it. If someone else reverse engineers this today and starts exploiting it before people are aware, that might be an even bigger problem.”
Dormakaba told Wired, “We have worked closely with our partners to identify and implement an immediate mitigation for this vulnerability, along with a longer-term solution. Our customers and partners all take security very seriously, and we are confident all reasonable steps will be taken to address this matter in a responsible way.”