Comment by iancarroll
2 years ago
I worked on this research along with many others, happy to answer any questions! Our disclosure is also available at https://unsaflok.com.
When do you plan to release technical details on the attack? Surely the long tail of door locks will not be replaced for a decade or more.
How did Saflok respond? Were they collaborative or did they try to threaten you / suppress the information?
They have been taking it seriously although they didn’t have any sort of formal bug bounty / security disclosure method at the time. The disclosure timeline is in our article as well!
Did you set out to find a vulnerability or just stumble on it?
If setting out to find a vulnerability, how do you get started?
What is the “open ide, write print(“hello world”)” for this kind of work?
The article explains that they were at a hackathon of sorts, where these 2 were specifically targeting the locks/passes.
I would assume reading the cards with a reader would be a great start.
This part caught my eye:
"Note that this information only applies to dormakaba Saflok systems; several other lock manufacturers use MIFARE Classic keycards and are not affected by the Unsaflok vulnerability"
So it is likely the way that Saflok implemented MIFARE Classic. Will start to read about this protocol more.
At this point, MIFARE Classic can pretty much be considered plaintext.
There are very fast card-only cloning attacks against even the newest "hardened" cards, and in many of these lock systems (no idea about Saflok in particular though), MIFARE is the only layer of cryptography, and the card only contains a bitmask of locks/doors that it should be able to open.
>There are very fast card-only cloning attacks against even the newest "hardened" cards
Do you mean for MIFARE Classic or for all RFID cards? I was not aware of any cloning attacks for types such as HID Seos.
I have an original London Underground Oyster Card which still works fine! It's MIFARE Classic according to Wikipedia, and do often wonder when TfL will cancel them.
If I stay at a hotel with such a lock how can I tell it's affected? If the hotel hasn't patched it can I patch my rooms door myself without causing issues to the hotel?
You can generally assume at any hotel with keycards, that any other guest who wants to can get into your room.
The only question is whether they do some hacker shit, or whether they just go to reception and say "My keycard isn't working, I'm in room 123" and reception gives them a new keycard for room 123, with no ID check and no questions asked.
Luckily thieves are relatively rare and 97% of hotel rooms just contain a suitcase of second-hand clothes.
I locked myself out of the room on several occasions, and at the very least they ask for your name and double check in the system. It's not as easy as you describe.
Similar to the wrench principle. [1]
[1] https://xkcd.com/538/
I think it's at the bottom of the article
Our disclosure mentions how to try and detect a vulnerable hotel, but it’s not possible to patch the lock yourself.
As an owner, these companies are scumbags. You have to deal with salesmen whose only job is to sell these at maximum price.
Thanks for doing this. Hopefully, you guys expose all other lock companies.