A newly revealed vulnerability in a specific brand of hotel guestroom door locks highlights both the complications and flawed assumptions in the digital security of hotels.
Wired recently reported that a team of IT security researchers found a vulnerability in the Saflok brand of hotel guestroom door locks. The hack opens several models of the Saflok RFID-based keycard door locks. The article states there are more than 3 million doors that use these locks in 13,000 hotels across 131 countries.
Researchers discovered that hackers can use an RFID read-write device to essentially rewire a door lock and create a master hotel room keycard that opens any door fitted with a Saflok lock.
The researchers tested the vulnerabilities using a lock programming device provided by the manufacturer, Dormakaba, as well as a copy of the front desk software used to manage keycards.
The company has developed a solution and is working with its hotel clients to implement it, but the process takes time.
Dormakaba did not respond to a request for comment for this story.
Ted Harrington, executive partner at IT consultancy firm Independent Security Evaluators, said the research revealed flaws in the assumption that this type of breach is prevented by limiting access to a hotel's software and devices.
“The assumption that no one could get their hands on it is in fact a flawed assumption, and that’s actually what these researchers demonstrated,” he said. “You could go get them secondhand on eBay. You can ask for them, especially if you are presenting yourself in the context of research. There's other reasons why someone might give one up. It can even be stolen.”
It's not a simple hack, but it’s also not impossible, he said.
Thinking Like an Attacker
When he was part of a Hospitality Technology Next Generation workgroup on door lock security, Harrington said he walked his hotelier and vendor colleagues through a situation to assess a threat model and determine what they all wanted to protect.
Guest safety was the first priority, but the list grew as they talked about what someone trying to enter a room would be targeting.
“That was a fruitful exercise because now everyone was starting to really think about how an attacker thinks about this system,” he said.
Guestroom door lock vulnerabilities are not just a guest safety issue, which of course is significant, he said.
“[That] overlooks all the other problems that hoteliers also care about,” including guest privacy, guests’ possessions as well as the hotel’s property in the room, he said.
What’s different about this attack compared to others is it requires someone to physically be at the targeted hotel, instead of remotely hacking into a hotel company’s systems, Harrington said.
For many potential hackers, that’s going to be an unacceptable requirement, he said. Hackers who use this method could be low-skilled, low-intelligence petty thieves or sophisticated, well-resourced attackers who may be targeting an individual guest. The latter might also sell the hacking technology and knowledge to the former.
“I wouldn’t want to come across that person in that hotel,” he said.
Some casual hackers might try to exploit these vulnerabilities to try to gain notoriety among their peers, which likely would have a minimal impact on guests, he said. Another type could be activists, also known in this field as hacktivists, who might use this as a way to embarrass a hotel company or property.
A nation state or even an organized crime group could be motivated to access rooms of specific individuals, including titans of industries, heads of state or other political leaders, he said. Having access to a room belonging to a high-value individual could provide opportunities to influence, manipulate or otherwise monetize their target.
Stalkers are another group who would want access to a specific guest’s room, he said.
Thinking Ahead
A mistake many companies make in their approach to security is trying to make it easier, faster and cheaper, Harrington said. They often lean on automation more than human effort.
“What this story demonstrated is why tools alone are insufficient,” he said. “What these researchers did was they demonstrated that you need to actually chain exploits together. They found a vulnerability in how to rewrite the lock and a vulnerability in how to duplicate the key. Those are two different things, and then they figured out how to combine those two issues.”
At least for the foreseeable future, that’s only something that a human can do, he said. Right now, there are no tools that could figure out these two things individually and combine them.
This sends a message to not just lock manufacturers but anyone making tech for hotels and other industries, he said. Attackers will figure out how to combine multiple issues that individually might not cause a problem but together could be catastrophic.
Another thing to keep in mind is the flawed assumption over access, Harrington said. Most people in the hotel industry assume no one will get their hands on essential systems unless they work at a hotel.
“We have to realize that those assumptions can be flawed, and when they are flawed, that’s where vulnerabilities exist. That’s the value of working with security consultants, doing security testing and working with security researchers,” he said.
The Liability Question
If a hotel guest is assaulted, robbed or otherwise the victim of a crime due to such a hack, they could likely sue every party associated with the event, said Sandy Garfinkel, attorney and co-chair of McNees Wallace & Nurick’s privacy and data security group.
That could include the hotel’s owner, possibly the brand and likely the lock manufacturer, he said.
“In this, all liability boils down to is whether somebody owes somebody else a duty, whether the duty was breached by that person or party and whether that breach proximately caused harm to the plaintiff suing,” he said.
In this hypothetical situation, the guest could show harm, such as injuries or loss of property, he said. What's tougher to determine is whether there’s a duty.
A guest staying at a hotel essentially has a contract with the hotel, he said. One duty that could be implied is that any door lock provided would be secure enough to keep unauthorized people out of the room.
For the hotel, there is at least an implied promise to keep guests and their property safe, he said.
“I think a court would tend to find if you check into a hotel and there’s a lock, you’re free to assume that’s going to be effective,” he said. “If it fails to be effective, that’s a breach of duty.”
A hotel owner who purchased the locks also assumed the locks would be effective and would likely go to the manufacturer for coverage of its liability, Garfinkel said.
“The defendant can plead in a co-defendant or turn around and say, ‘You’re under the contract. You have to indemnify me for this because you broke your promise of effectiveness,’” he said.
A possible mitigating circumstance is that if everyone had reason to believe the lock worked correctly before, it could be argued no one could have reasonably known the lock could be hacked in such a way, he said. That could mean no duty was breached.
In the Saflok situation, researchers discovered the vulnerability and informed the manufacturer in 2022, he said. By now, one could expect word got around the hotel industry about a problem with the brand of locks.
It raises the question of how long it should take to come up with a software solution or replace the hardware, he said. A manufacturer that comes up with a solution after learning of the problem isn’t admitting liability, he added.
Garfinkel said he has counseled clients in data security and the hotel industry that nothing will ever be foolproof.
“The dream of complete protection is just a pipe dream,” he said. “There are always going to be vulnerabilities.”
The best any business or industry can do is to try to be as state of the art as possible, he said. That way, if they do end up in court, it can be argued they were the most reasonably prepared they could have been in trying to prevent the problem.