Unsaflok flaw can let hackers unlock millions of hotel doors

Researchers disclosed vulnerabilities today that impact 3 million Saflok electronic RFID locks deployed in 13,000 hotels and homes worldwide, allowing the researchers to easily unlock any door in a hotel by forging a pair of keycards.
研究人员今天披露了影响全球 13,000 家酒店和家庭中部署的 300 万个 Saflok 电子 RFID 锁的漏洞，使研究人员能够通过伪造一对钥匙卡轻松解锁酒店的任何门。

The series of security flaws, dubbed “Unsaflok,” was discovered by researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, shell, and Will Caruana in September 2022.
2022 年 9 月，研究人员 Lennert Wouters、Ian Carroll、rqu、BusesCanFly、Sam Curry、shell 和 Will Caruana 发现了这一系列安全漏洞，称为“Unsaflok”。

As first reported by Wired, the researchers were invited to a private hacking event in Las Vegas, where they competed with other teams to find vulnerabilities in a hotel room and all the devices within it.
正如《连线》杂志首次报道的那样，研究人员被邀请参加拉斯维加斯的一次私人黑客活动，在那里他们与其他团队竞争，以寻找酒店房间及其内所有设备的漏洞。

Top Stories 头条新闻READ MOREEvasive Sign1 malware campaign infects 39,000WordPress sites

The team of researchers focused on finding vulnerabilities in the Saflok electronic lock for the hotel room, discovering security flaws that could open any door within the hotel.
研究小组专注于寻找酒店房间的Saflok电子锁中的漏洞，发现可能打开酒店内任何门的安全漏洞。

The researchers disclosed their findings to manufacturer Dormakaba in November 2022, allowing the vendor to work on mitigations and inform hotels of the security risk without publicizing the issue.
研究人员于 2022 年 11 月向制造商 Dormakaba 披露了他们的发现，允许供应商在不公开问题的情况下进行缓解措施并告知酒店安全风险。

However, the researchers note that the flaws have been available for over 36 years, so while there have been no confirmed cases of exploitation in the wild, the extensive exposure period increases that possibility.
然而，研究人员指出，这些缺陷已经存在了36年以上，因此，虽然没有确认的野外开发案例，但广泛的暴露期增加了这种可能性。

“While we are not aware of any real-world attacks that use these vulnerabilities, it is not impossible that these vulnerabilities are known, and have been used, by others,” explains the Unsaflok team.
“虽然我们不知道任何使用这些漏洞的真实世界攻击，但这些漏洞并非不可能被其他人知道并已被使用，”Unsaflok 团队解释说。

Today, the researchers publicly disclosed the Unsaflok vulnerabilities for the first time, warning that they impact almost 3 million doors utilizing the Saflok system.
今天，研究人员首次公开披露了 Unsaflok 漏洞，并警告说它们影响了使用 Saflok 系统的近 300 万扇门。

The Unsaflok flaws Unsaflok 缺陷

Unsaflok is a series of vulnerabilities that, when chained together, enable an attacker to unlock any room in a property using a pair of forged keycards.
Unsaflok 是一系列漏洞，当它们链接在一起时，攻击者可以使用一对伪造的钥匙卡解锁房产中的任何房间。

To initiate exploitation, the attacker only needs to read one keycard from the property, which can be the keycard from their own room.
要启动漏洞利用，攻击者只需从属性读取一张钥匙卡，该钥匙卡可以是他们自己房间的钥匙卡。

The researchers reverse-engineered Dormakaba’s front desk software and a lock programming device, learning how to spoof a working master key that could open any room on the property. To clone the cards, they had to crack Dormakaba’s key derivation function.
研究人员对Dormakaba的前台软件和锁编程设备进行了逆向工程，学习如何欺骗可以打开该物业任何房间的工作万能钥匙。为了克隆这些卡片，他们必须破解 Dormakaba 的密钥派生函数。

Forged keycards can be created using any MIFARE Classic card and any commercially available tool capable of writing data to these cards, including Poxmark3, Flipper Zero, and an NFC-capable Android smartphone.
伪造的钥匙卡可以使用任何MIFARE Classic卡和任何能够将数据写入这些卡的商用工具创建，包括Poxmark3、Flipper Zero和支持NFC的Android智能手机。

The equipment needed to create the two cards used in the attack costs less than a few hundred USD.
创建攻击中使用的两张卡所需的设备成本不到几百美元。

When exploiting the flaws, the first card rewrites the lock’s data and the second opens the lock, as demonstrated in the below video.
利用这些缺陷时，第一张卡会重写锁的数据，第二张卡会打开锁，如下面的视频所示。

The researchers have not provided any further technical details at this time to give time for the various properties to upgrade their systems.
研究人员目前没有提供任何进一步的技术细节，以便有时间让各种属性升级他们的系统。

A wide impact 影响广泛

The Unsaflok flaws impact multiple Saflok models, including the Saflok MT, the Quantum Series, the RT Series, the Saffire Series, and the Confidant Series, managed by the System 6000 or Ambiance software.
Unsaflok 缺陷会影响多个 Saflok 型号，包括 Saflok MT、Quantum 系列、RT 系列、Saffire 系列和 Confidant 系列，由 System 6000 或 Ambiance 软件管理。

The affected models are used in three million doors on 13,000 properties in 131 countries, and while the manufacturer is actively working to mitigate the flaw, the process is complicated and time-consuming.
受影响的模型用于 131 个国家/地区 13,000 处房产的 300 万扇门，虽然制造商正在积极努力减轻缺陷，但该过程既复杂又耗时。

The researchers say that Dormakaba started replacing/upgrading impacted locks in November 2023, which also requires reissuing all cards and upgrading their encoders. As of March 2024, 64% of the locks remain vulnerable.
研究人员表示，Dormakaba 于 2023 年 11 月开始更换/升级受影响的锁，这也需要重新发行所有卡并升级其编码器。截至 2024 年 3 月，64% 的锁仍然容易受到攻击。

“We are disclosing limited information on the vulnerability now to ensure hotel staff and guests are aware of the potential security concern,” reads the post by the researchers.
“我们现在披露有关该漏洞的有限信息，以确保酒店员工和客人意识到潜在的安全问题，”研究人员在帖子中写道。

“It will take an extended period of time for the majority of hotels to be upgraded.”
“大多数酒店升级需要很长一段时间。

It is further noted that malicious keycards can override the deadbolt, so that security measure isn’t enough to prevent unauthorized entry.
需要进一步指出的是，恶意钥匙卡可以覆盖门栓，因此安全措施不足以防止未经授权的进入。

Hotel staff might be able to detect occurrences of active exploitation by auditing the lock’s entry/exit logs. However, that data may still be insufficient to detect unauthorized access accurately.
酒店工作人员可能能够通过审核锁的进出日志来检测主动利用的情况。但是，这些数据可能仍然不足以准确检测未经授权的访问。

Guests can determine if the locks on their rooms are vulnerable by using the NFC Taginfo app (Android, iOS) to check their keycard type from their phone. MIFARE Classic cards indicate a likely vulnerability.
客人可以使用 NFC Taginfo 应用程序（Android、iOS）从手机上检查他们的钥匙卡类型，以确定他们房间的锁是否容易受到攻击。MIFARE Classic 卡表示可能存在漏洞。

The researchers promised to share the full details of the Unsaflok attack in the future when the remediation effort reaches satisfactory levels.
研究人员承诺，当补救工作达到令人满意的水平时，将在未来分享Unsaflok攻击的全部细节。

Update 3/22 – Dormakaba shared the following statement with BleepingComputer:
3/22 更新 – Dormakaba 与 BleepingComputer 分享了以下声明：

On March 21, 2024, dormakaba published information regarding a security vulnerability associated with both the key derivation algorithm used to generate MIFARE Classic® keys and the secondary encryption algorithm used to secure the underlaying card data. This vulnerability affects Saflok systems (System 6000™, Ambiance™, and Community™).
2024 年 3 月 21 日，dormakaba 发布了有关与用于生成 MIFARE Classic® 密钥的密钥派生算法和用于保护底层卡数据的辅助加密算法相关的安全漏洞的信息。此漏洞影响 Saflok 系统（System 6000™、Ambiance™ 和 Community™）。

As soon as we were made aware of the vulnerability by a group of external security researchers, we initiated a comprehensive investigation, prioritized developing and rolling out a mitigation solution, and worked to communicate with customers systematically. We are not aware of any reported instances of this issue being exploited to date.
一旦我们被一组外部安全研究人员发现该漏洞，我们立即启动了全面调查，优先开发和推出缓解解决方案，并努力与客户进行系统沟通。到目前为止，我们尚未发现任何关于此问题的报告实例被利用。

Per the principles of responsible disclosure, we are collaborating with the researchers to provide a broader alert to highlight how existing risks with legacy RFID technology are evolving, so that others can take precautionary steps.
根据负责任的披露原则，我们正在与研究人员合作，提供更广泛的警报，以强调传统RFID技术的现有风险是如何演变的，以便其他人可以采取预防措施。

原文始发于Bill Toulas：Unsaflok flaw can let hackers unlock millions of hotel doors