A stock image of a keycard lock.Photo:Getty
Getty
Hackers have discovered a technique that would enable intruders to unlock any of millions of hotel rooms around the world in just seconds.
Saflok keycard systems are installed on roughly 3 million doors worldwide at 13,000 properties in 131 countries, per the outlet.
Carroll and Wouters' technique begins with obtaining any keycard from a target hotel, reading a certain code from that card using an RFID read-write device (easily purchased for $300), and then writing two keycards of their own. When they tap those two cards on a lock, the first one rewrites a piece of the lock’s data and the second card opens it, according to Wired.
“Two quick taps and we open the door,” Wouters, a researcher in the Computer Security and Industrial Cryptography group at Belgium’s KU Leuven University, told Wired. “And that works on every door in the hotel.”
He and Carroll, an independent security researcher and founder of the travel website Seats.aero, shared their hacking technique with Dormakaba in November 2022. For about a year now, the company has been working to alert hotels that use Saflok of the system’s security flaws and help them fix or replace their locks.
For the majority of Saflok systems sold in the past eight years, no hardware replacement is necessary for each individual lock, according to Wired. To fix the issue, hotels only need to update or replace their front desk management system and bring in a technician to manually reprogram each door lock.
Never miss a story — sign up forPEOPLE’s free daily newsletterto stay up-to-date on the best of what PEOPLE has to offer, from celebrity news to compelling human interest stories.
Dormakaba told PEOPLE in a statement that the company published detailed information about the security vulnerability on March 20.
“We are not aware of any reported instances of this issue being exploited to date,” the statement continued. “Per the principles of responsible disclosure, we are collaborating with the researchers to provide a broader alert to highlight how existing risks with legacy RFID technology are evolving, so that others can take precautionary steps.”
In the meantime, Wouters and Carroll say they hope to warn the public about the hacking technique.
“We’re trying to find the middle ground of helping Dormakaba to fix it quickly, but also telling the guests about it," Carroll told Wired. “If someone else reverse engineers this today and starts exploiting it before people are aware, that might be an even bigger problem.”
“If someone locks the deadbolt, they’re still not protected,” Carroll told the outlet.
source: people.com
