Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Saturday March 23, @05:35PM   Printer-friendly
from the Smart-AI-Cloud-based-lock dept.

Arthur T Knackerbracket has processed the following story:

[...] This week, a group of white hat hackers released the research from an in-depth study into a particular set of security vulnerabilities — known as "Unsaflok," named after the Dormakaba-branded Saflok door locks that they target. The study that resulted in Unsaflok's discovery was originally conducted in a hotel in Las Vegas in 2022; a city that has seen its fair share of brutal cyberattacks like the 2022 MGM casino hack. The vulnerability the researchers discovered is equal parts dangerous and simple: All it takes is a couple of quick taps with an ordinary card key, and anyone could theoretically break into a hotel room.

Saflok locking systems are installed on hotel rooms all over the world; with around 3 million doors in 13,000 properties across 131 countries estimated to have doors installed according to the researchers' disclosed information. Even though all of these doors are in different locations and under different owners, this single exploit could take advantage of every one of them.

The vulnerability revolves around the RFID keycards that the Saflok system reads, which utilize a system called MIFARE Classic. If a hacker were to obtain any two MIFARE keycards, even just from renting out a couple of rooms in a hotel themselves, they could then use a generic RFID read-write device to instantly alter their contents. 

[...] The bad news is that, due to the complexity of the systems involved in managing hotel door locks, the process has been slow-going. In addition to individually updating the software in every single lock, all of the relevant keycards need to be reissued, and the front desk management software needs to be overhauled. As of March 2024, only around 36% of the affected Saflok systems have been replaced or updated, according to the researchers' report.


Original Submission

This discussion was created by mrpg (5708) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 3, Interesting) by looorg on Saturday March 23, @07:01PM (10 children)

    by looorg (578) on Saturday March 23, @07:01PM (#1349998)

    MIFARE Classic used in a lot of travel cards (bus, subway...) have been busted now for decades. It's a bit of a surprise they keep using it. By now they are practically asking for it.

    So just another thing to worry about in the hotel room then beyond what the previous people have been doing in the room before you and how well the room was cleaned. Hope you have a room with a door that opens inwards so you can at least put a large chair in front of the door or something, and hope there isn't a fire in the middle of the night.

    This is almost as annoying as that little slot/cardholder on the inside that you have to put your keycard in so you get power to the room. Also conveniently, for the hotel, killing all the power when you leave. No charging batteries or devices for you when not in the room. I guess it's a powersaver for them, and also a nice way of snooping and/or knowing when you are in the room or not. But it's a bit annoying.

    I have not really investigated it, have not had the toolkit and multi meter with me to so if you actually need the keycard of you could just put anything in there or bypass it with a dummycard of sorts.

    • (Score: 4, Informative) by sgleysti on Saturday March 23, @07:29PM (1 child)

      by sgleysti (56) Subscriber Badge on Saturday March 23, @07:29PM (#1350001)

      In the hotels that I've been in with the keycard activated room power switch, any card of approximately the same size worked to turn on power to the room. It was a simple mechanical switch mechanism.

      While they could get fancy with it and require the same RFID card that unlocks the room (or the cleaning staff card), that's a lot of extra cost to stop what I assume is a minority of people from bypassing the system.

      • (Score: 3, Informative) by coolgopher on Sunday March 24, @07:00AM

        by coolgopher (1157) on Sunday March 24, @07:00AM (#1350076)

        Not just a card of approximate size. A trick I picked up from housekeeping staff was that the do-not-disturb sign, despite being wider and having a rounded bottom edge, reached down just far enough to trigger the switch.

    • (Score: 2) by darkfeline on Sunday March 24, @12:06AM (2 children)

      by darkfeline (1030) on Sunday March 24, @12:06AM (#1350021) Homepage

      It also makes it a bit harder for people to forget their card when leaving as the slot is prominently at eye level next to the door., which reduces the load on staff.

      --
      Join the SDF Public Access UNIX System today!
      • (Score: 0) by Anonymous Coward on Sunday March 24, @01:20AM

        by Anonymous Coward on Sunday March 24, @01:20AM (#1350028)
        I disagree on that. If you use it as intended it actually makes forgetting the card and getting locked out more likely since you have to take it out from your pocket/wallet/purse/etc and put it in that holder. Instead of just carrying it around with your "usual stuff".
      • (Score: 2) by maxwell demon on Sunday March 24, @08:04AM

        by maxwell demon (1608) on Sunday March 24, @08:04AM (#1350080) Journal

        Quite the opposite. Without it, the probability of me forgetting my card is approximately zero as it is already in my pocket. No need to take it out. With it, I'm required to get it out if I want power.

        --
        The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 0) by Anonymous Coward on Sunday March 24, @01:32AM (1 child)

      by Anonymous Coward on Sunday March 24, @01:32AM (#1350029)

      Also conveniently, for the hotel, killing all the power when you leave. No charging batteries or devices for you when not in the room.

      Does the mini fridge stay on with the card out of the slot?

      If it does, bring a suitable power strip and use it appropriately...

      • (Score: 0) by Anonymous Coward on Sunday March 24, @04:24AM

        by Anonymous Coward on Sunday March 24, @04:24AM (#1350052)

        I've been in several hotel rooms where the mini fridge does NOT stay powered! I've been in rooms more recently where it was obvious that this kind of system was built into the hotel, but it was no longer being used (probably for reasons like the fridge not staying on). Next to the door was the slot, but it had a card inserted and a note that said "Do NOT remove card from slot" or something to that effect.

    • (Score: 3, Interesting) by Rosco P. Coltrane on Sunday March 24, @08:14AM (1 child)

      by Rosco P. Coltrane (4757) on Sunday March 24, @08:14AM (#1350082)

      MIFARE Classic used in a lot of travel cards (bus, subway...) have been busted now for decades. It's a bit of a surprise they keep using it

      Not really. There are still hundreds of millions of dumb, completely insecure low-frequency and high-frequency Wiegand readers for EM41xx, HITAG, Indala, NTAG216, Mifare Ultralight or - of course - Mifare Classic tags "securing" buildings around the world.

      The inertia in that industry is tremendous: as long as nobody breaks in and shit doesn't get stolen, nobody upgrades existing installations because it costs money, and it's a lot of aggravation to distribute new tags. Up-to-date installation are only installed in new constructions.

      Personally, I find it very convenient because I have several dumb RFID implants [dangerousthings.com] in my hands into which I have cloned existing "security" tags I've been given, such as the one to get into the building at work, get into the gym I patronize or unlock my front door. I could clone them because most access controls still use clonable tags.

      It's really only when money is directly involved that RFID transponders follow the latest and greatest security. Like payment cards or public transport cards. Those cards hold people's money, so it would create quite a stink if someone had their money stolen easily. But access control? Site owners figure - incorrectly - that it's low risk, so they forget about it and hope for the best.

      • (Score: 2) by gnuman on Sunday March 24, @06:32PM

        by gnuman (5013) on Sunday March 24, @06:32PM (#1350116)

        But access control? Site owners figure - incorrectly - that it's low risk, so they forget about it and hope for the best.

        They figure correctly. It's a low risk. If you want to verify things it's now easier to use facial recognition to match the card to user than it is to take the effort to secure the key -- keys can be 'borrowed' so you need security outside of the key to secure the system. Just making the key harder to copy is not going to drastically improve your system.

    • (Score: 3, Informative) by Unixnut on Sunday March 24, @11:16AM

      by Unixnut (5779) on Sunday March 24, @11:16AM (#1350087)

      If you worry about people entering your hotel room then I'm sorry to say it has always been trivially possible to do so. From the days of the "punch type" door cards, to magstripe to RFID, the systems were always trivial to bypass, and that is not including the fact:
              (a) every hotel has a master key that all of the cleaning staff have, and
              (b) almost all the doors have an emergency override to unlock them even without a key.
      I don't know how secure the pre electronic lock doors were, but I am sure they too had a master key.

      Hotel rooms were never considered safe from third party access. This is why hotel rooms provide safes, so when you leave the room any valuables you don't take with you go in the safe (which generally are more secure than the room itself).

      As Hotel rooms were never considered fully private, there is no need to install expensive security on the door locks. After all, what is the point of providing secure locks when the entire cleaning staff, as well most employees, have a master key that unlocks all the doors? Hotel lock systems are there to deter casual snoopers. Not anyone who actually wants to put effort into gaining access to your room.

      In fact having key cards easily clonable is very useful as it means if guests lose their key cards you can clone them a new one at reception. All the staff have to do is put in your hotel room number, press a button and tap a blank key card on the device, and there we go, valid key for the room.

  • (Score: 2) by JoeMerchant on Saturday March 23, @07:58PM (1 child)

    by JoeMerchant (3937) on Saturday March 23, @07:58PM (#1350005)

    Since the days of Goldfinger when James Bond illustrated the maids' key opening all the rooms, for any sufficiently brash and charming agent...

    Mag-stripe keycards are laughably hackable / copyable with the simplest of equipment. Modern key-cards may be a little better, but ultimately the front desk and the maids (and anyone they give access to) have full access...

    As far as cool goes, there was a generation of plastic hole-punched keycards I encountered in Denmark back around 1989... they were pretty sweet, I think they had a 6x6 matrix of possible holes for 2^36 possible combinations (no doubt also equipped with skeleton key codes). Super-copyable in this day and age of digital cameras on everybody's phone, but they were 100% mechanical and always worked really well when I used them.

    --
    🌻🌻 [google.com]
    • (Score: 3, Interesting) by Anonymous Coward on Saturday March 23, @10:42PM

      by Anonymous Coward on Saturday March 23, @10:42PM (#1350014)

      > plastic hole-punched keycards

      There was a controlled photocopy machine at college, c.1980, with a similar system. With a little practice it turned out to be possible to borrow the card from an admin, insert the card, hit the copy button, whip out the card and place on the platen...and presto, now you have a copy of the card!

  • (Score: 1, Informative) by Anonymous Coward on Sunday March 24, @02:19AM

    by Anonymous Coward on Sunday March 24, @02:19AM (#1350038)
    I'm already well aware that cleaning and other staff have access to the rooms.

    Plus I've observed some of them do their work... Most of them don't clean the room they just tidy it. Often the same hands used to touch dirty stuff are used to touch your sheets and pillows etc. They're often low paid undereducated undertrained workers in a rush to tidy lots of rooms within a short time.

    If some thief comes into my hotel room there'll be nothing really valuable to steal. If they want to steal stuff they should go to someone else's room where there are laptops, passports, jewelry, money, etc. And hotel safes aren't that safe - staff and guests forget passcodes etc...
(1)