Overview
Learn about critical security vulnerabilities discovered in dormakaba Saflok electronic hotel locks through this DEF CON 32 conference presentation. Explore how researchers reverse engineered the proprietary key derivation function and encryption algorithm used in MIFARE Classic cards, enabling the creation of forged keycards capable of bypassing security measures. Discover the process of compromising over three million deployed locks, where a single low-privilege guest card could be exploited to create forged keys that deactivate deadbolts and grant access to any room in a property. Gain insights into the responsible disclosure process with dormakaba initiated in September 2022, understand the implemented mitigation strategies, and learn practical methods to verify if hotel room locks have been patched for enhanced security. Compare this research with previous electronic lock vulnerabilities discovered in Onity and Vingcard systems, highlighting the ongoing challenges in hospitality sector security.
Syllabus
DEF CON 32 - Unsaflok: Hacking millions of hotel locks - Lennert Wouters, Ian Carroll
Taught by
DEFCONConference