This security issue highlights the unique challenges faced by the hospitality industry in ensuring the safety and security of their guests. Lee Clark, manager of cyber threat intelligence production at the Retail and Hospitality ISAC, emphasised the importance of hotel security due to the sensitive data they hold about their guests. Hotels, especially those connected to gaming facilities, are prime targets for cyber-espionage, as they handle valuable information and host important individuals
Researchers have recently discovered a concerning security flaw in Saflok-brand RFID-based keycard locks, potentially putting millions of hotel guests at risk worldwide. This exploit, which allows hackers to gain unauthorised access to hotel rooms, was identified by a team of seven researchers who found vulnerabilities in the system.
Saflok locks have been in use for over three decades and are prevalent in over 13,000 hotels and multi-family housing environments across 131 countries, totaling more than 3 million doors. Despite the discovery of the vulnerability, the process of patching the affected locks has been slow. Dormakaba, the company behind Saflok, began rolling out a patch in November, but the update process requires individual attention for each device. As of now, only 36 percent of the affected locks have been updated or replaced.
This security issue highlights the unique challenges faced by the hospitality industry in ensuring the safety and security of their guests. Lee Clark, manager of cyber threat intelligence production at the Retail and Hospitality ISAC, emphasised the importance of hotel security due to the sensitive data they hold about their guests. Hotels, especially those connected to gaming facilities, are prime targets for cyber-espionage, as they handle valuable information and host important individuals.
To exploit the vulnerability and gain access to hotel rooms, hackers need only a few simple tools. Any keycard from the targeted property, including expired ones found in the garbage, can be used. Additionally, two MIFARE Classic keycards, the type used by Saflok, are required for rewriting purposes. Various commercially available products, such as the Proxmark3, Flipper Zero, or NFC-capable Android phones, can be utilised to rewrite the keycards.
This revelation highlights the importance of prompt action by hotel management to address security vulnerabilities and protect their guests from potential threats.
