A group of security researchers has uncovered a concerning security flaw in certain hotel keycard systems. Nicknamed ‘Unsaflok’, their technique uses vulnerabilities in a specific brand of RFID-based keycard locks commonly used in hotels worldwide to ‘trick’ a smartlock into opening for an unauthorized user. Exploiting this security weakness means that anyone with the right equipment could break in and rob hotel guests.

How does the hack work?

The Unsaflok technique exploits weaknesses in encryption protocols and RFID technology used by these keycard systems. By obtaining any keycard from a target hotel and using a relatively affordable RFID read-write device, hackers create two keycards. Tapping the first card overwrites certain settings stored in the target lock itself. The second then unlocks the door, allowing the hacker to gain access. Shockingly, this process takes less than 30 seconds.

Even more concerning is that the compromised cards will also unlock the door’s deadbolt.

Am I in danger?

Clearly this is a serious problem, particularly when you realize that the affected locks are installed on millions of hotel room doors across the world. The security of guest rooms, hotel property, and guest safety could be threatened. And all it takes is two taps of compromised keycards.

The hacking group who ‘discovered’ this technique have chosen not to publicly disclose full details of the exploit. Instead they have worked with the manufacturer of the affected door locks to develop a fix which has proven to be effective.

There is one potential problem however – every single door lock must be visited and updated. Each affected hotel will also need to upgrade their keycard management system software.

While the manufacturer is actively working on mitigating these vulnerabilities, only a fraction of installed systems have been updated. Hotels and their guests continue to be at risk until the updates have been rolled out.

How can I protect myself against Unsaflok?

Whenever you check into a hotel for the first time, take a look at the lock on your door. If there is a wavy line across the round RFID reader, the lock may be vulnerable. You may also consider using a security tool like the NFC Taginfo app which can “read” your keycard and identify if it is still vulnerable to Unsaflok-like attacks. 

You should also follow the usual precautionary measures such as securing valuables in the hotel safe. When you are inside your room, use any additional door locks and chains if they are provided. And if your keycard is lost or stolen, report the incident to hotel reception as soon as possible.

The Unsaflok revelation serves as a reminder of the evolving nature of cybersecurity threats. It should also remind travelers of the importance of remaining vigilant to avoid becoming the victim of crime.

Read also: Data Privacy: A Guide for Individuals & Families