RFID Security in Housing and Hotels: Unsaflok Expanded

Faculty Mentor Name

Catalina Aranzazu-Suescun, Luis Felipe Zapata-Rivera

Format Preference

Poster

Abstract

At DEFCON 32, the largest national cybersecurity conference, a security research team presented a vulnerability called “Unsaflok,” a major security flaw in the largest brand of Radio Frequency Identification (RFID) locks used in housing and hotels. Saflok by Dormakaba, used in many housing complexes and nearly all hotels that utilize RFID-based locks, was the industry standard for RFID locks from its founding, and no substantial exploits or vulnerabilities were discovered until 36 years later.

The Unsaflok vulnerability is such a serious problem because it allows an attacker, using only the key provided to them, to create their own fake RFID tags that could open any RFID lock on the entire property. This includes other apartments, hotel rooms, housekeeping rooms, administrative rooms, and even Fire Access Control Panel (FACP) rooms if they are protected by an RFID lock. Though Dormakaba has since upgraded its systems to a higher RFID security standard, it has recently been discovered that these new systems are also vulnerable.

Dormakaba uses RFID tags to keep track of privilege levels, set the date and time during which the tag is active, manage the check-in/checkout time of guests and residents, and prevent the reading or cloning of the tags. If an attacker finds a way to manipulate this data, they can change their privilege level, extend the time their key remains active, make their key override the deadbolt, or even resequence the lock to invalidate all other keys.

Building on the research conducted by the Unsaflok team, and with the severity of the vulnerabilities in mind, this work will focus on reverse engineering the Saflok HH6 NFC encoder and on constructing a Saflok system that is invulnerable to current and known possible attacks.
