Hackers’ Hotel Heist: Cheap Cloning Trick Unlocks Millions of Rooms Worldwide

Unlocking a vulnerability: Researchers crack the code on 3 million hotel keycards, exposing “Unsaflok” and leaving Dormakaba scrambling to safeguard your next stay. Cheap cloning capers could be the key to your room—and not just yours!

Hot Take:

When you thought the worst thing about hotels was the mystery stains on the carpet, enter the “Unsaflok” debacle. Picture this: a merry band of hackers, some cheap tech, and a keycard cloning party that could turn any Las Vegas escapade into “Ocean’s 14”. It’s the kind of story that makes you want to sleep with one eye open… and a chair jammed against the door.

Key Points:

  • Researchers cracked the code to clone keycards for Dormakaba’s Saflok locks, which are used in 13,000 hotels worldwide.
  • The hack was a two-step boogie: reverse-engineering front desk software and breaking the key derivation function.
  • Tools needed for this DIY security breach: a MIFARE Classic card, card-writing tool, and an NFC-enabled Android phone. Total cost? A few hundred bucks.
  • Dormakaba was alerted and is now in the midst of the world’s slowest lock-changing party.
  • Despite the vulnerability, there’s no evidence of this flaw being exploited in the wild. Yet.

Need to know more?

The Ultimate Hotel Heist (Minus Clooney)

Imagine a hacking event in Sin City where the jackpot isn't cash but security loopholes. That's where this group of tech-savvy brainiacs hit the vulnerability jackpot. They didn't need a drill or a safe cracker—just a room key, some common tech, and a pinch of genius. Their mission: create a master key to unlock the doors of thousands of hotel rooms. The heist movie tagline writes itself.

Saflok: Safe as a Chocolate Teapot

With names like Wouters, Carroll, and Curry on the job, it wasn't long before Saflok's defenses crumbled like a stale cookie. The team's hotel room turned into a makeshift lab, where they concocted the modern-day equivalent of a skeleton key. But instead of lockpicks and shady dealings, these folks used a bit of software wizardry and some off-the-shelf gadgets. It's like MacGyver meets cybersecurity, only with less hair and more keycards.

Locks Schmocks! Fancy a Hotel Tour?

Let's talk about the shopping list for this keycard cloning caper. For less than the price of a Vegas buffet, these hackers equipped themselves with a pedestrian MIFARE Classic card, a card-writer, and a smartphone. What's next, breaking into the pentagon with a toothpick and a rubber band? It's a scary thought that hotel security, which guards our snoozes and stashes our souvenirs, could be undone by what's essentially pocket change and some know-how.

Dormakaba's Damage Control Dance

Of course, Dormakaba is doing the corporate two-step now, trying to mollify the masses by replacing locks with the urgency of a sloth on a leisurely stroll. They've assured us there's no sign of these flaws being exploited by actual bad guys. That's comforting... until you remember that no evidence of exploitation doesn't mean it hasn't happened—it just means no one's been caught. It's the cybersecurity equivalent of hearing a noise downstairs and assuming it's just the house settling.

The Takeaway: Lock Your Doors (Maybe With Actual Locks)

While the company scrambles to fix these vulnerabilities, the rest of us can only marvel at the ingenuity of these researchers and perhaps question the integrity of the electronic locks that we trust with our safety. It's a stark reminder that in the world of cybersecurity, sometimes the only thing separating a secure room from an open house is a couple hundred dollars and some tech-savviness. Until those fixes are in place, you might want to consider some old-fashioned security measures—like a sturdy doorstop or a burly roommate.
Tags: Dormakaba hardware replacement, electronic lock vulnerability, hotel security breach, MIFARE Classic card, RFID keycard cloning, Saflok system flaw, Unsaflok disclosure