Hackers found a way to open any of 3M hotel keycard locks

2 years ago (wired.com)

I work for a company that manufactures access control and communication systems. The readers we develop support a variety of ID standards, from unencrypted EM-Marin and the long-since-cracked Mifare Classic to modern Desfire EVx standards. According to our statistics, more than 95% of customers still continue to use the most insecure identifiers because of their low cost and ease of operation.

Many of the installed devices are not properly maintained, even if the manufacturers continue to support them, because you have to pay for maintenance. In addition, not all equipment can be updated remotely over the network, or even has a network connection to do so remotely.

Even if your cards are encrypted, it still can't guarantee you protection, because in most cases card readers are connected to controllers (not in the case of all-in-one devices like this lock) via the Wiegand protocol, which doesn't provide any data encryption, so the identifier ID is transmitted over two wires in the clear.

  • At some point, isn't there some responsibility that rests with manufacturers for choosing to continue to support known-insecure standards?

    How many browsers do you think support the TLS_NULL_WITH_NULL_NULL cipher?

    • > At some point, isn't there some responsibility that rests with manufacturers for choosing to continue to support known-insecure standards?

      There should be. Also there should be liability for access control system customers for choosing low cost, insecure solutions. But just like in the InfoSec world, there are simply no consequences to companies that cheap out and fail at security. These companies just issue a press release saying “we take security very seriously” and continue on with their business.

    • It's often a compatibility thing too. Insecure standards can often coexist because they're the lowest common denominator. It's just a "password" stored and transmitted as plaintext.

      A secure system would involve a PKI which increases complexity and management overhead significantly (you won't be able to just copy "passwords" from one system to another, etc).

      1 reply →

    • I think the only reason why we have the amount of attention to security that we do in the software industry is because Internet enabled cheap automated large-scale attacks - enough so that even very low-value targets are well worth it.

  • I'm in a similar space and a lot of our customers continue to use old-school Wiegand low-frequency badges even though they're ridiculously vulnerable to replay attacks to the degree that Flipper Zero has automated it.

  • For a while I've had a question about hotel keycard technology, maybe you can answer.

    Essentially every time I've stayed in a hotel with contactless keycards (usually in a group needing 3-5 rooms for 2-3 nights) at least one person has needed to get a keycard reissued.

    What's up with that? My workplace's smartcards and my contactless bank cards keep working for years on end.

    • Hotel keycards usually work by having dynamic data written to them at the front desk (as the locks are often not network connected, at least in older systems, so they write things to the card like "works for room 123 until March 30th noon and the gym" or "works for room 456; sequence number 2, invalidate all prior keys").

      There are two types of magnetic stripe cards available: High-coercivity (HiCo) and low-coercivity (LoCo). The field-rewritable kind used in hotels is usually LoCo, to make the writers smaller and cheaper. But that also makes the cards much more prone to accidental corruption by magnets you might have on you, like earbuds, magnetic wallets etc.

      Bank cards are usually only ever programmed once (these days), i.e. when they're issued, so they're usually HiCo, making them much more robust against that. In addition to that, magnetic stripe usage has been phased out for payment cards in most countries and is getting rare even in the US, so for all you know, and depending on where you live/shop, your magnetic stripes might have already been demagnetized without any adverse effects!

      Bonus trivia question: Guess which kind NYC MTA Metrocards are :)

      Edit: Oh, I just saw that you asked about contactless keycards! For these I actually have no idea, and I haven't had one fail on me yet.

      I just know that they often use a similar scheme ("works for rooms x, y, z, until timestamp n"), sometimes with a bit of cryptography on top (often with a single shared key across all instances of the same lock and even across hotels...) but using non-networked locks, so there can definitely be synchronization/propagation issues too.

      26 replies →

    • > What's up with that?

      It was programmed incorrectly and expired before it should have.

      The stay was extended but the key was not updated with the new departure date.

      A new key was erroneously issued for the room, someone used the new key to go into the room, saw someone was already staying in the room, and had to get keys for a different room. This would cause all old keys to stop working since every time a lock sees a new key used, it assumes a new hotel guest is staying.

      Or it lost its data for whatever reason.

      3 replies →

  • I had the same experience with an NFC hotel card failing after being in my pocket (next to other cards and a phone). It had to be re-programmed at the hotel's desk to work again. Puzzled me enough to search the net for answers, but to no avail.

      1 reply →

  • Same as basically any physical lock can be trivially picked. Yet no one is buying office door locks based on pick-resistance. Burglars will smash their way in anyway.

  • > Even if your cards are encrypted, it still can't guarantee you protection, because in most cases card readers are connected to controllers (not in the case of all-in-one devices like this lock) via Wiegand protocol, which doesn't provide any data encryption, so the identifier ID is transmitted over two wires in the clear form.

    It is true; seems like it's probably better to go back to keys and locks.

  • > so the identifier ID is transmitted over two wires in the clear form.

    I'm much more worried about someone using a clothes-hanger-looking tool [1] to break into my hotel room than someone exposing cables and reading data over the wire to unlock the door.

    [1] https://www.youtube.com/watch?v=-3G9pyvCBcM

The building where I rent has door locks from Scantron (https://scantron.dk/). They use RFID keys to open the locks, and last year someone discovered a way of creating master keys from any key because of the weak encryption used by MiFare Classic.

It took a journalist and a lot of e-mails and calls for my landlord to understand the problem; I suspect that Scantron were also downplaying the issue towards them. They finally budged, upgraded all the locks to use a better encryption scheme and re-issued keys.

My building has 197 apartments, each of them has at least 2 keys, and I have to trust all of the tenants (and their friends) in order for my apartment not to get burgled. If I were burgled, my insurance wouldn't cover it because there's likely no proof of entry.

  • I have rented my entire life, and “change all the locks” has always been the very first thing I do. I have a couple of different sizes of high security cylinder locks, and whilst no cylinder lock is unpickable, I’m pretty happy with mine.

  • Any chance you could share these e-mails? I also live in such an apartment complex and I was aware that the locks are jokes, but I didn't think it was possible to convince the building's managing company.

  • I had a similar situation at the apartment I used to rent. Unfortunately they didn't care to correct it, so I removed the battery from my lock and only used the physical key.

    My fob copy still works there last I checked...

I worked on this research along with many others, happy to answer any questions! Our disclosure is also available at https://unsaflok.com.

  • When do you plan to release technical details on the attack? Surely the long tail of door locks will not be replaced for a decade or more.

  • How did Saflok respond? Were they collaborative or did they try to threaten you / suppress the information?

    • They have been taking it seriously although they didn’t have any sort of formal bug bounty / security disclosure method at the time. The disclosure timeline is in our article as well!

  • Did you set out to find a vulnerability or just stumble on it?

    If setting out to find a vulnerability, how do you get started?

    What is the “open ide, write print(“hello world”)” for this kind of work?

    • The article explains that they were at a hackathon of sorts, where these 2 were specifically targeting the locks/passes.

      I would assume reading the cards with a reader would be a great start.

  • This part caught my eye:

    "Note that this information only applies to dormakaba Saflok systems; several other lock manufacturers use MIFARE Classic keycards and are not affected by the Unsaflok vulnerability"

    So it is likely the way that Saflok implemented MIFARE Classic. Will start to read about this protocol more.

    • At this point, MIFARE Classic can pretty much be considered plaintext.

      There are very fast card-only cloning attacks against even the newest "hardened" cards, and in many of these lock systems (no idea about Saflok in particular though), MIFARE is the only layer of cryptography, and the card only contains a bitmask of locks/doors that it should be able to open.

      3 replies →

  • If I stay at a hotel with such a lock, how can I tell it's affected? If the hotel hasn't patched it, can I patch my room's door myself without causing issues for the hotel?

    • You can generally assume at any hotel with keycards that any other guest who wants to can get into your room.

      The only question is whether they do some hacker shit, or whether they just go to reception and say "My keycard isn't working, I'm in room 123" and reception gives them a new keycard for room 123, with no ID check and no questions asked.

      Luckily thieves are relatively rare and 97% of hotel rooms just contain a suitcase of second-hand clothes.

      7 replies →

    • Our disclosure mentions how to try and detect a vulnerable hotel, but it’s not possible to patch the lock yourself.

  • As an owner, these companies are scumbags. You have to deal with salesmen whose only job is to sell these at maximum price.

    Thanks for doing this. Hopefully, you guys expose all other lock companies.

> An attacker only needs to read one keycard from the property to perform the attack against any door in the property

That’s a pretty serious vulnerability, pretty much all it takes is to be a guest at a hotel

  • Oftentimes, the hotels don't even require you to turn in these cards upon checkout, so they are thrown in the trash. A nefarious actor could just pull one out of the trash and so not even have to be a guest in the hotel.

> [...] shared the full technical details of their hacking technique with Dormakaba in November 2022. [...] told by Dormakaba that, as of this month, only 36 percent of installed Safloks have been updated.

Did Dormakaba not make this a first-priority, all-out effort?

Or have 2/3 of the installations been offered a timely free fix, but are dragging their feet for some reason?

> “Our customers and partners all take security very seriously, and we are confident all reasonable steps will be taken to address this matter in a responsible way.”

That "reasonable" in a PR response is suspicious.

Wikipedia:

> dormakaba Holding AG is a global security group based in Rümlang, Switzerland. It employs more than 15,000 people in over 50 countries.

Sounds like they probably have the resources, if they have the will to solve this before potential very bad things happen to some hotel customers.

> publicly traded on the SIX Swiss Exchange.

https://www.google.com/finance/quote/DOKA:SWX?comparison=IND...

I hate to break it to anyone but most locked doors can be opened "in seconds" by a variety of means. For the most part the locked state is a signal of prohibition, rather than a meaningful enforcement thereof.

  • I could open any locked door at my high school by slipping my ID in the gap between the door and the frame and wedging the bolt open. I kind of suspect that forty years later, this vulnerability remains.

    • Former locksmith here. That is called "to flipper" a door. (Guess that is where the flipperzero name comes from)

      However you can only flipper doors that are held closed by the latch bolt. If the lock deadbolt is engaged, you cannot flipper it, because the deadbolt will not budge when manipulated by a card or piece of plastic.

      Technically a lock without an engaged deadbolt is not really "locked" but "closed". That being said, an unbelievable number of people believe their doors are locked when in fact they are closed.

  • And especially in hotels, locked doors aren't about keeping everyone out forever (there's dozens of reasons that'd be an awful idea, from cleaning staff needing access to medical emergencies).

    They're about making it inconvenient enough / loud enough to gain unauthorized access that someone is going to notice and complain to the manager.

  • Even then, some of those means are noisy, require special equipment or skills or make it obvious a break in happened.

  • Most locked doors can be bypassed even faster in some other way than unlocking them. A rock through the window...

    • > Most locked doors can be bypassed even faster in some other way than unlocking them. A rock through the window...

      This is a bit harder when said window is only reachable from the outside, and is 78m above ground level (and all the walls are brick, so they're stronger than the wooden door).

  • Locks that most people are willing to spend the money to buy are purely there to keep honest people honest.

Apparently I don't understand how hotel card keys work. I always assumed that keys were manufactured with a random UUID inside them, and then when you checked in, a random card was attached to your room and given to you.

When you try to open a door, it compares your card's ID to the room database to see if the door should open.

Is that... not how it works? Because that seems simpler than anything that involves encryption, or actually writing shit to the card.

  • The card machine at the front desk writes a message onto the card, which says: Hey, lock #301, this card is authorised to open you as of timestamp X, and all cards before timestamp X are now invalid. Most older e-locks are powered by a 9V battery and are not wired to a central server.

  • The locks don't have network connectivity, so they have no way to check. Access has to be managed by key expiry and replacement.

    There are network-connected systems but they can be considerably more expensive to install.
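The expiry-plus-sequence scheme the comments above describe (a card written at the front desk; a non-networked lock that advances a counter and supersedes older keys), as an added Python model that is not the Saflok implementation or any commenter's code. The `FrontDesk` and `OfflineLock` classes, room numbers and times are constructed for illustration, and the two scenarios reproduce the "key stopped working" cases discussed in the thread:

```python
"""Model of an offline hotel lock's keycard check (added illustration, not the
Saflok algorithm or any vendor's code). The lock keeps no guest list; it only
remembers the newest issue number it has seen. Every card carries the room,
an expiry time and an issue number written at the front desk."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Card:
    room: int
    expires: datetime   # checkout time written by the front desk
    issue_seq: int      # increases each time a key is cut for this room


class OfflineLock:
    """Battery-powered lock with no network: decides from card data alone."""

    def __init__(self, room: int):
        self.room = room
        self.current_seq = 0   # newest issue number this lock has accepted
        self.log = []          # local audit trail, as real locks keep

    def present(self, card: Card, now: datetime) -> bool:
        if card.room != self.room:
            return self._deny("wrong room", card, now)
        if now >= card.expires:
            return self._deny("expired", card, now)
        if card.issue_seq < self.current_seq:
            return self._deny("superseded", card, now)
        # A newer issue number means a new stay: advance and forget old keys.
        self.current_seq = card.issue_seq
        self.log.append((now, card.issue_seq, "open"))
        return True

    def _deny(self, why: str, card: Card, now: datetime) -> bool:
        self.log.append((now, card.issue_seq, "deny:" + why))
        return False


class FrontDesk:
    """Issues cards; each issue for a room gets the next sequence number."""

    def __init__(self):
        self.seq = {}

    def issue(self, room: int, expires: datetime) -> Card:
        self.seq[room] = self.seq.get(room, 0) + 1
        return Card(room, expires, self.seq[room])


def scenario_erroneous_reissue():
    """Desk cuts a second key for an occupied room; the first guest is locked out."""
    desk, lock = FrontDesk(), OfflineLock(123)
    t0 = datetime(2024, 3, 28, 15, 0)                      # constructed check-in time
    guest_a = desk.issue(123, t0 + timedelta(days=2))
    assert lock.present(guest_a, t0)                       # check-in works
    stranger = desk.issue(123, t0 + timedelta(days=1))     # clerk error: same room
    stranger_in = lock.present(stranger, t0 + timedelta(hours=1))
    # Guest A's unexpired card is now superseded by the higher issue number.
    a_again = lock.present(guest_a, t0 + timedelta(hours=2))
    return stranger_in, a_again, lock.log[-1][2]


def scenario_stay_extended():
    """Stay extended at the desk, but the card itself was never rewritten."""
    desk, lock = FrontDesk(), OfflineLock(456)
    t0 = datetime(2024, 3, 28, 15, 0)
    card = desk.issue(456, t0 + timedelta(days=1))
    before = lock.present(card, t0 + timedelta(hours=20))  # still inside the window
    after = lock.present(card, t0 + timedelta(hours=30))   # past the old checkout
    fresh = desk.issue(456, t0 + timedelta(days=3))        # rewritten at the desk
    fixed = lock.present(fresh, t0 + timedelta(hours=30))
    return before, after, fixed
```

Because the lock has no link back to the desk, the only record of what happened is the lock's own log, which is why checking that log is how such incidents are reconstructed after the fact.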

Seems like it's only a matter of time before someone writes a Flipper Zero script to do this.

  • The more pertinent matter is that it took this long for RFID exploits to start catching the public eye. RFID is the least secure communication protocol that could be used for locks. At the very least we should have NFC be the standard.

    Someone with the intent and know-how to crack RFID readers could put together a hardware tool to do so. Does the Flipper Zero provide such a tool? Yeah. Does the responsibility of following ethics fall with the user? Debatable, but I think absolutely yes.

    If one carries around a lockpicking set and learns how to use it, they can go right ahead, correct? We accept the fact that people exist that can pick locks and yet 80% of states allow possession and use of lockpicking tools in a legal manner.

    • It's not just that RFID isn't very secure, it's that a lot of locks are using the worst possible implementations. Just checking the ID of the RFID chip against a whitelist is an astonishingly common method. Not only does that make access cards easy to clone and provide no cryptographic security at all, but if you bulk buy access cards you often get sequentially numbered cards ...

      3 replies →

    • RFID just means radio frequency identification. It does not imply any particular standard. NFC can be a type of RFID system. Even saying NFC isn't necessarily implying any particular system of protection, basic NFC has no real protection out of the box and would require the higher-level protocols to actually provide any kind of encryption or relay protection or the like. An NFC-based system of RFID can also be incredibly insecure.

      Saying "RFID is insecure, use NFC" is like saying "radio is insecure, use WiFi." NFC is a subset of the concept of RFID, much the same way WiFi is a subset of digital radio protocols.

      4 replies →

    • RFID is just a bidirectional link between the reader and the card. The security depends on what you send over that link. RFID in itself doesn't imply security or insecurity.

    • Feels like a very US-specific mentality. Back in the UK carrying lockpicking tools outside your home without good reason is "going equipped" and a crime in itself, and that's generally supported.

      5 replies →

I travel with a door jammer.

Most hotel door locks I’ve seen are designed to be opened from the outside.

A door jammer wedges the door shut. With it, I sleep better at night.

  • While my instinct is to do the same, depending on what jurisdiction you travel to, you might be liable for damages if staff tries to open the door and decide to break in because you were in the shower or sleeping on ambien or something like that.

RFID and NFC are the new Magstripe and Barcodes.

People think that they are mysterious things that are secure because they aren't able to see what they mean. But in reality, they are all still just a machine-readable number.

(even if a rolling key, challenge-response or pubkey authentication is supported, we're often still just using a single number, but my point is more about the perceived obscurity for the public)

  • It really depends. There are some contactless tags that really do nothing other than transmit a static identification number which is trivially spoofable, but many systems today use cryptography (again, some long cracked and horribly outdated, but others quite strong).

    I have a contactless card that runs GPG as a Java Card applet and creates 4096-bit RSA signatures. That's pretty secure!

  • DESFire based systems, HID iClass SE (properly installed where the reader only accepts the SE credential) are generally pretty secure.

It seems irresponsible that it took dormakaba more than a year to fix a single lock. And even now, 1.5 years after the initial disclosure, still only around a third have been updated.

Going to go against the grain and say thank you to devices like the Flipper Zero for getting vulnerabilities like this out into the public eye for scrutiny.

> Dormakaba started selling Saflok locks in 1988, which means that vulnerable locks have been in use for over 36 years.

Ok, my eyebrows are up. Authentication has grown so much as a field since then that I'm having trouble with the idea that this flaw has always been present. In fact, Saflok predates MIFARE Classic by at least five years. Perhaps all will become clear if a full technical disclosure is ever made available, but it seems like the authors are making an overstatement here.

https://unsaflok.com/

  • Our understanding is that the magnetic stripe version of Saflok (which indeed predates MIFARE Classic) is vulnerable to the same issues, just in a different card format.

> They warn that the deadbolt on the room is also controlled by the keycard lock, so it doesn't provide an extra safeguard.

That is the biggest surprise to me. I had assumed getting around the deadbolt would require a locksmith or breaking the door. (What's the point of it otherwise?)

  • A lot of hotels I've been to also have a latch you can physically lock the door with which would prevent someone from actually entering, but I bet you may be able to slowly pry that open with a jig of some sort.

  • >> I had assumed getting around the deadbolt would require a locksmith or breaking the door.

    Look into what happens when someone pulls a fire alarm. Some building-wide lock systems will actively unlock doors during a fire scenario.

  • > (What's the point of it otherwise?)

    How else would the hotel staff enter the room when the current occupant is locked in the room, but dead or some lesser medical emergency condition?

    • Being dead isn't urgent, they could call a locksmith.

      A medical emergency would justify breaking the door.

      The same applies to my apartment door.

      4 replies →

Somewhat related questions:

How can I use an Android phone as a room keycard? Is there an app for reading a card and acting as a tag?

How can I use an iPhone as a room keycard? Why can't I easily add it to Wallet? Is there another app for that?

By exploiting weaknesses in both Dormakaba's encryption and the underlying RFID system Dormakaba uses, known as MIFARE Classic, Carroll and Wouters have demonstrated just how easily they can open a Saflok keycard lock.

Another strike against the Flipper Zero!

  • > "their attack could be pulled off with little more than a $300 Proxmark RFID read-write device and a couple of blank RFID cards, an Android phone, or a Flipper Zero radio hacking tool."

    And Android, and EBay, and Proxmark...

Okay, that title was confusing: the 3M is a quantity, not the company 3M’s locks. The locks are not built by 3M or a subsidiary.

  • It's especially confusing because 3M does make almost everything under the sun, from respirators to electrical tape to medical equipment and supplies. No locks as far as I can find though.

    • But with a roll of 3M Gaffa Tape, you can secure a hotel room door such that those inside the room can't open it without help from outside.

      * other brands of very sticky strong tape are available.

      7 replies →

  • While I agree, I think you underestimated how much this comment thread would wind up somewhat derailing conversation about the actual article. Dear lord people it's a simple disambiguation - there's no need for upwards of 40 comments about it.

    • Well it is apparent that so many people got confused (me included) that it deservedly became part of the conversation.

  • Yes, please change it to 3MM, which also abbreviates to "3 million". My first impression was strongly that 3M had some lock system that was now compromised, not that it was referring to 3 million locks in the wild.

    Also perhaps consider expanding the headline character limit above 80, or maybe not count numbers in the total.

    • How about "Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds"? It's only 75 characters. Nobody has to guess about abbreviations or whether it's really Latin or mm.

    • Or just drop all the clickbait crap from the headline - "Hackers", "any", "3 million" and "in seconds" are all just fluff meant to create an emotional response. Change the subject to where the responsibility lies, the locks themselves or the lock manufacturer, and add "major brand" or "widely deployed" if it's necessary to separately indicate notoriety.

    • Actually, I believe what you want is 3mm, which I believe they use in accounting. Lowercase m in this instance would stand for milli-, as in thousand. So 3mm would be 3 thousand thousand. 3M is technically correct, though confusing in this specific case. Capital M would indicate Mega, as in the progression from kilobit to megabit to gigabit.

      7 replies →

    • it would take all of about 3 seconds to realize why an unlimited character count would break the site's layout and know that it will never happen.

      i do agree that the "don't editorialize" and strict char count are very contradictory, but suggesting that the site changes because of it is also naive at best.

      4 replies →