A flaw in widely-used Saflok RFID hotel room locks is causing concern because bad actors can easily exploit the vulnerability to forge cards and then have unauthorized access to other rooms. Hackers obtaining a keycard from a targeted hotel can use a $300 RFID read-write device to clone two keys – one that can be tapped on a lock to rewrite some of its data and the other that opens the reprogrammed lock. Perpetrators can even use keycards that have been discarded because their data is still viable for the hack.
Hotel keycards have a magnetic strip that contains coded data about the guest and allows them access to their room via a door lock that is triggered when the strip is verified by the door card reader. Keycards with RFID (Radio Frequency Identification) technology fall into the category of contactless smart cards because they are programmed to trigger locks from a short distance and don’t require a swiping motion; just a tap.
Dormakaba, the Swiss manufacturer of the affected Saflok line of RFID locks has acknowledged that the issue is associated with both the algorithm used to generate MIFARE Classic cards (an older version of keycards) and the secondary encryption algorithm used to secure the underlying card data. The company has issued remediation measures but they must be implemented on a hotel-by-hotel basis, which could take years. Each vulnerable property needs to update or replace their front desk management system then reprogram the lock on each door of the hotel.
What can travelers do to protect themselves?
Here are a few security tips to address hotel keycard vulnerability:
Never leave your keycard unattended.
Use the additional locks for the room. (e.g., chain lock and/or deadbolt)
Consider packing a portable door lock that can be quickly installed on the inside of a hotel room door to provide an extra layer of security. They typically work by inserting a metal piece into the door jamb and then securing it with a latch or handle.
Always practice security awareness and stay alert to your surroundings.
Even though most keycards are programmed with time sensitive data, don’t leave your keycard in the room or with the hotel when you checkout; destroy it yourself (render the magnetic strip useless).