Okay, that title was confusing: the 3M is a quantity, not the company 3M's locks. The locks are not built by 3M or a subsidiary.
I work for a company that manufactures access control and communication systems. The readers we develop support a variety of ID standards, from unencrypted EM-Marin and the long-ago-cracked Mifare Classic to modern Desfire EVx standards. According to our statistics, more than 95% of customers still continue to use the most insecure identifiers because of their low cost and ease of operation.
Many of the installed devices are not properly maintained, even if the manufacturers continue to support them, because you have to pay for maintenance. In addition, not all equipment can be updated remotely over the network or even have a network connection to do so remotely.
Even if your cards are encrypted, it still can't guarantee you protection, because in most cases card readers are connected to controllers (not in the case of all-in-one devices like this lock) via the Wiegand protocol, which doesn't provide any data encryption, so the identifier ID is transmitted over two wires in the clear.
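To make the "two wires, in the clear" point concrete, here is an added example (not code from the poster or from any reader vendor) that encodes and decodes the common 26-bit Wiegand frame and maps it onto the D0/D1 data lines; the facility code and card number in it are constructed sample values, and the frame layout assumed is the standard 26-bit one (even parity, 8-bit facility code, 16-bit card number, odd parity).

```python
"""Wiegand 26-bit frame: how a reader hands a card ID to the controller.

Constructed example. The format is the widely used "standard 26-bit" layout:
bit 0 = even parity over the first 12 data bits, bits 1-8 = facility code,
bits 9-24 = card number, bit 25 = odd parity over the last 12 data bits.
Each bit is a pulse on one of two wires (D0 for a 0, D1 for a 1); there is
no encryption or authentication, so the controller, and anything else on
the cable, sees the credential exactly as parsed below.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Credential:
    facility_code: int  # 8 bits in the 26-bit format
    card_number: int    # 16 bits in the 26-bit format


def encode_wiegand26(cred: Credential) -> str:
    """Return the 26-bit frame as a string of '0'/'1', first bit first."""
    if not 0 <= cred.facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= cred.card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = f"{cred.facility_code:08b}{cred.card_number:016b}"  # 24 data bits
    # Bit 0: even parity over the first 12 data bits.
    even = str(payload[:12].count("1") % 2)
    # Bit 25: odd parity over the last 12 data bits.
    odd = str(1 - payload[12:].count("1") % 2)
    return even + payload + odd


def decode_wiegand26(bits: str) -> Credential:
    """Check both parity bits and recover the fields; ValueError on a bad frame."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected a 26-bit frame")
    payload = bits[1:25]
    if int(bits[0]) != payload[:12].count("1") % 2:
        raise ValueError("even parity mismatch")
    if int(bits[25]) != 1 - payload[12:].count("1") % 2:
        raise ValueError("odd parity mismatch")
    return Credential(int(payload[:8], 2), int(payload[8:], 2))


def to_wire_pulses(bits: str) -> List[str]:
    """Map each bit to the data line it pulses: 'D0' for 0, 'D1' for 1."""
    return ["D1" if b == "1" else "D0" for b in bits]


def from_wire_pulses(pulses: List[str]) -> str:
    """Reassemble the bit string from the sequence of D0/D1 pulses."""
    return "".join("1" if p == "D1" else "0" for p in pulses)


def controller_view(pulses: List[str]) -> Credential:
    """What the controller (or any passive tap on the cable) recovers: the
    parsed credential, with no key or secret involved anywhere."""
    return decode_wiegand26(from_wire_pulses(pulses))


if __name__ == "__main__":
    frame = encode_wiegand26(Credential(facility_code=123, card_number=45678))
    print(frame, to_wire_pulses(frame)[:4], controller_view(to_wire_pulses(frame)))
```

The parity bits only catch line noise, not tampering; the usual mitigation for the reader-to-controller link is a protocol with an authenticated, encrypted channel such as OSDP Secure Channel, rather than anything on the card.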
For a while I've had a question about hotel keycard technology, maybe you can answer.
Essentially every time I've stayed in a hotel with contactless keycards (usually in a group needing 3-5 rooms for 2-3 nights) at least one person has needed to get a keycard reissued.
What's up with that? My workplace's smartcards and my contactless bank cards keep working for years on end.
Hotel keycards usually work by having dynamic data written to them at the front desk (as the locks are often not network connected, at least in older systems, so they write things to the card like "works for room 123 until March 30th noon and the gym" or "works for room 456; sequence number 2, invalidate all prior keys").
There are two types of magnetic stripe cards available: High-coercivity (HiCo) and low-coercivity (LoCo). The field-rewritable kind used in hotels is usually LoCo, to make the writers smaller and cheaper. But that also makes the cards much more prone to accidental corruption by magnets you might have on you, like earbuds, magnetic wallets etc.
Bank cards are usually only ever programmed once (these days), i.e. when they're issued, so they're usually HiCo, making them much more robust against that. In addition to that, magnetic stripe usage has been phased out for payment cards in most countries and is getting rare even in the US, so for all you know, and depending on where you live/shop, your magnetic stripes might have already been demagnetized without any adverse effects!
Bonus trivia question: Guess which kind NYC MTA Metrocards are :)
Edit: Oh, I just saw that you asked about contactless keycards! For these I actually have no idea, and I haven't had one fail on me yet.
I just know that they often use a similar scheme ("works for rooms x, y, z, until timestamp n"), sometimes with a bit of cryptography on top (often with a single shared key across all instances of the same lock and even across hotels...) but using non-networked locks, so there can definitely be synchronization/propagation issues too.
I used to work maintenance at a big chain hotel and we had magstripe card locks. I don't think strong security is their primary goal, as in a hotel the staff can enter any room at any time; the cards me and my team had were "god mode": we could open any door at any time, even when locked from inside. If the lock didn't work ("firmware problems, dead batteries, stuck mechanism") we had another device that worked by removing a cover and connecting with a wire; this was also used for testing and FW updates.
> the cards me and my team had were "god mode" we could open any door at any time even when locked from inside.
That is just bad management. The whole point of the interior deadbolt lock in a hotel room door is so no one can accidentally walk in on you thinking it is an empty room.
An emergency keycard that can open a hotel room locked from the inside is only supposed to be kept at the front desk for use during an emergency, mostly by police or firefighters so they do not break down the door and cause tens of thousands of dollars of damage. And its presence and use should be constantly accounted for.
Many U.S. hotels changed that after the Mandalay Bay hotel incident in October 2017. A guest can no longer assume that their deadbolted hotel room door will only be opened in an emergency. Routinely, hotel staff (not accompanied by police) may knock and then immediately open a guest's door for what they consider a "welfare check" (e.g., guest has had a Do Not Disturb sign for 2 days). And, yes, guests may be strongly opposed to this for a variety of reasons (in the room but undressed, etc.) but it often is part of a hotel's normal operating practices. One of many references: https://www.reddit.com/r/askhotels/comments/vaxae2/comment/i...
> Many U.S. hotels changed that after the Mandalay Bay hotel incident in October 2017. A guest can no longer assume that their deadbolted hotel room door will only be opened in an emergency.
I don't see the connection. The Mandalay Bay incident was an emergency, and the door was forced. What needed to change?
I believe the above poster is saying that hotels want their staff to periodically barge in with little warning just to catch the rare moment when there's an alarming array of guns or a dead person or something other than recreational amounts of drugs laying in plain sight.
It would be very shitty policy to "barge in with little warning". Rooms are checked regularly, but there should be quite a bit of knocking, and in the event it is deadbolted and the hotel guest refuses to open the door, or arrange a time the room can be inspected, then hotel management should be convened. Only after initial contact has been made and the hotel guest unreasonably refuses to allow access for an unreasonable period of time should hotel management "barge" in, or call the police.
Yes, a hotel room should be checked regularly, at a minimum of once per week if not more frequently. And that should have always been the case due to pest control, not due to possibility of a crazy shooter.
In any case, I would classify a guest refusing to open the door for a room check as outlined in the rental agreement as an emergency (which should simply state once every x days or per management's discretion).
It could be up to hotel management to go in without police, but I would certainly not give any line level employee an emergency key card to carry around at all times for that scenario. And I would also expect a manager to take on that task themselves.
> cause tens of thousands of dollars of damage
This is surely overstated. I am sure firefighters are trained to do the least amount of damage when forcing a hotel door open. I guess a handheld electric saw could do the trick in less than one minute.

Um, no, they're trained to get in as fast as possible. Life >> cost of any door.
Any non ancient hotel will have metal fire doors that cost near a thousand themselves, plus the metal framing and whatnot.
The cops or firefighters are not going to spend time cutting, they are going to bust it open with a battering ram which will ruin everything, requiring reframing, new door, new thresholds, new frames, new locks ($2k), and maybe flooring too.
And then add in opportunity cost from not being able to rent the room during repair, which would take weeks due to those materials not being available at Home Depot.
I would budget at least $10k, and I bet it would not exceed $20k, but either way, using a battering ram on a hotel door is very costly.
When I worked maintenance at a big chain hotel in a major college town, we had a mark 2.0 crowbar if the key card didn't work. The real fun one was the flippy locks that you could kinda pop by slapping the non-working key card in and slamming the door. The card would flex and spring the lock back. Then you could use the crowbar again. It wasn't too slow, but it was very loud.
They told me I couldn't whistle and spin the crowbar nonchalantly before casually popping open doors that had a dead battery in front of the guest waiting to stay in that same hotel.
> we had a mark 2.0 crowbar
What were the improvements over "crowbar classic"?
That reminds me of the old “bump key” vuln in physical locks with tumblers
Shouldn't that be the other way around? The keycard only holds a simple numeric ID, which is burned into the silicon chip on it and impossible to modify, and the reader at the door, connected to the hotel's central system, checks what privileges that particular keycard grants?
You could force or deny service on a lock that just checked a simple ID.
Wouldn't that only be for poor implementations?
If the reader had a decently secure channel to the central auth piece, then it shouldn't (in theory) matter how simple or complex the id would be. (?)
In the days before cheap, low-power radio networks a "central system" would have meant dedicated wiring to each door lock. So it would have been much more expensive to install than a standalone battery powered unit mounted directly on the door.
> the reader at the door, connected to hotel central system
That’s very often not the case, though, especially in retrofitted installations.
Locks are sometimes offline and even battery powered (and I suspect they can even report a dying battery to the front desk by setting the appropriate flag on keycards as they’re being read).
That doesn't stop someone else from flashing a reprogrammable keycard with the id.
> Guess which kind NYC MTA Metrocards are :)
None anymore! They're being phased out as we speak. They were supposed to be end of life last year, though they pushed end of life back to EoY 2024, because the MTA is never on time, all the time.
And I’ll be swiping until the day they remove the readers if they don’t introduce monthly capping via OMNY!
The Metrocard is actually a quite elegant and resilient/decentralized system, given the technology that was available when it was introduced. OMNY depends on a network connection being (almost) always available.
OMNY has had automatic fare cap for 2 years?
Not monthly, though. If you take the subway every day, a monthly Metrocard is cheaper.
At least with old fashioned keys you can't easily give out a duplicate. I was once in bed, late at night, lights out, when someone let themselves into my room - a rather drunk guy demanding to know what I was doing in his room. The desk clerk had got his room number wrong and given him another card to mine. It all worked out OK, but under other circumstances I could imagine that it might not.
> What's up with that?
It was programmed incorrectly and expired before it should have.
The stay was extended but the key was not updated with the new departure date.
A new key was erroneously issued for the room, someone used the new key to go into the room, saw someone was already staying in the room, and had to get keys for a different room. This would cause all old keys to stop working since every time a lock sees a new key used, it assumes a new hotel guest is staying.
Or it lost its data for whatever reason.
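The offline scheme these replies describe (room, expiry and a sequence number written on the card; the lock keeps only the highest sequence it has seen) can be modelled in a few lines. The following is an added example, not any lock vendor's code: it simulates such a lock and reproduces the three failure modes listed above; all dates, room numbers and field names are constructed, and the model deliberately omits the cryptographic layer that real systems add on top.

```python
"""Model of an offline hotel-lock keycard scheme (constructed example).

The lock is never networked; it learns about new guests only from the cards
presented to it. A card carries the room, an expiry time and a sequence
number that the front desk bumps each time a new guest key is cut.
Field names, dates and room numbers here are made up for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class KeyCard:
    room: int
    valid_until: datetime
    sequence: int  # bumped by the front desk for each new guest key
    extras: FrozenSet[str] = frozenset()  # e.g. {"gym"}; not checked here


class OfflineLock:
    """One door. Stores only the highest sequence number it has accepted."""

    def __init__(self, room: int) -> None:
        self.room = room
        self.current_sequence = 0

    def present(self, card: KeyCard, now: datetime) -> Tuple[bool, str]:
        if card.room != self.room:
            return False, "wrong room"
        if now > card.valid_until:
            return False, "expired"
        if card.sequence < self.current_sequence:
            return False, "superseded"  # a newer guest key has already been used
        if card.sequence > self.current_sequence:
            # First sight of a higher sequence: assume a new guest has arrived
            # and invalidate every earlier key for this room.
            self.current_sequence = card.sequence
        return True, "ok"


def run_thread_scenarios() -> Dict[str, str]:
    """Reproduce the failure modes listed in the comment above."""
    checkin = datetime(2024, 3, 27, 15, 0)
    planned_checkout = datetime(2024, 3, 30, 12, 0)
    results: Dict[str, str] = {}

    # 0. Normal case: a fresh key for the right room, within its validity.
    lock = OfflineLock(123)
    results["normal"] = lock.present(KeyCard(123, planned_checkout, 1), checkin)[1]

    # 1. Programmed incorrectly: expiry written a day early.
    lock = OfflineLock(123)
    bad_expiry = KeyCard(123, planned_checkout - timedelta(days=1), 1)
    results["misprogrammed"] = lock.present(bad_expiry, datetime(2024, 3, 29, 18, 0))[1]

    # 2. Stay extended at the desk, but the card was never rewritten.
    lock = OfflineLock(123)
    card = KeyCard(123, planned_checkout, 1)
    lock.present(card, checkin)
    results["extended_not_updated"] = lock.present(
        card, planned_checkout + timedelta(days=1))[1]

    # 3. A second key is erroneously cut for an occupied room and used once;
    #    the lock treats it as a new guest and the original key stops working.
    lock = OfflineLock(123)
    guest_a = KeyCard(123, planned_checkout, 1)
    lock.present(guest_a, checkin)
    guest_b = KeyCard(123, datetime(2024, 4, 2, 12, 0), 2)
    lock.present(guest_b, checkin + timedelta(hours=3))  # B walks in on A
    results["old_key_after_new_issue"] = lock.present(
        guest_a, checkin + timedelta(hours=4))[1]

    # 4. Card for a different room is simply refused.
    results["wrong_room"] = lock.present(KeyCard(124, planned_checkout, 1), checkin)[1]
    return results


if __name__ == "__main__":
    for name, outcome in run_thread_scenarios().items():
        print(f"{name}: {outcome}")
```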
there you go. make a fake coil card and tell the door you're staying for 25 years and a new guest ...get in and own the room
Until the next guest arrives with a card saying they are staying until next Monday, clearing all previous keys.
My brain was ANDing the first three paragraphs until I got to the OR in the last paragraph, wondering why in the world those otherwise discrete scenarios would have a combinatorial effect. I'm wired to look ahead to determine AND versus OR with a comma-delimited series, but not with a paragraph-delimited series. It's a cool pattern but very unexpected, and I'm not sure you could successfully tack on other thoughts before or after the series, because what would delimit those from the series without overloading the meaning of a paragraph separation?
Given a need for multi-sentence items within a series, I go for bullet points. Hyphen character to start each point if no rich UL formatting is available.
I had the same experience with an NFC hotel card failing after being in my pocket (next to other cards and a phone). It had to be re-programmed at the hotel's desk to work again. Puzzled me enough to search the net for answers, but to no avail.
It's the phone. Have had this happen multiple times with just the card and my phone. Not sure if it's doing some kind of NFC ping on the phone or if there's just enough of a magnetic field around it or what, but I reliably locked myself out of my room the first week doing field work this year by putting my phone and my hotel card in the same pocket.
At some point, isn't there some responsibility that rests with manufacturers for choosing to continue to support known-insecure standards?
How many browsers do you think support the TLS_NULL_WITH_NULL_NULL cipher?
Browser manufacturers normally don't have contracts that bind them to supply product X for Y years.
Heh, You mean IE6 and ActiveX controls :D
It's often a compatibility thing too. Insecure standards can often coexist because they're the lowest common denominator. It's just a "password" stored and transmitted as plaintext.
A secure system would involve a PKI which increases complexity and management overhead significantly (you won't be able to just copy "passwords" from one system to another, etc).
Compat is a factor and valid in some instances. It's not valid at all in this case. The old systems are wholly insecure, and should not be offered at all.
This is just some faceless corp being cheap and ignoring the consequences, not their problem.
> At some point, isn't there some responsibility that rests with manufacturers for choosing to continue to support known-insecure standards?
There should be. Also there should be liability for access control system customers for choosing low cost, insecure solutions. But just like in the InfoSec world, there are simply no consequences to companies that cheap out and fail at security. These companies just issue a press release saying “we take security very seriously” and continue on with their business.
I think the only reason why we have the amount of attention to security that we do in the software industry is because Internet enabled cheap automated large-scale attacks - enough so that even very low-value targets are well worth it.
> Even if your cards are encrypted, it still can't guarantee you protection, because in most cases card readers are connected to controllers (not in the case of all-in-one devices like this lock) via Wiegand protocol, which doesn't provide any data encryption, so the identifier ID is transmitted over two wires in the clear form.
It is true; seems like it's probably better to go back to keys and locks.
Unfortunately most physical keys also transmit their bitting in the clear
> so the identifier ID is transmitted over two wires in the clear form.
I'm much more worried about someone using a clothes-hanger-looking tool [1] to break into my hotel room than someone exposing cables and reading data over the wire to unlock the door.
I'm in a similar space and a lot of our customers continue to use old-school Wiegand low-frequency badges even though they're ridiculously vulnerable to replay attacks to the degree that Flipper Zero has automated it.
Same as basically any physical lock can be trivially picked. Yet no one is buying office door locks based on pick-resistance. Burglars will smash their way in anyways.
The building where I rent has door locks from Scantron ( https://scantron.dk/ ). They use RFID keys to open locks, and last year someone discovered a way of creating master keys from any key because of the weak encryption used by MiFare Classic.
It took a journalist and a lot of e-mails and calls for my landlord to understand the problem; I suspect that Scantron were also downplaying the issue towards them. They finally budged, upgraded all the locks to use a better encryption scheme and re-issued keys.
My building has 197 apartments, each of them has at least 2 keys, and I have to trust all of the tenants (and their friends) in order for my apartment not to get burgled; and if I were burgled my insurance wouldn't cover it because there's likely no proof of entry.
I have rented my entire life, and “change all the locks” has always been the very first thing I do. I have a couple of different size high security cylinder locks, and whilst no cylinder lock is unpickable, I’m pretty happy with mine.
Interesting, because many renters (myself included) would not be permitted to change the locks.
Maybe operating on the "easier to ask forgiveness than permission" principle?
I think landlords have to give you notice before entering your unit in most areas.
Swapping locks is maybe a ten minute job (probably less if you've done it a lot).
There's nothing to stop a tenant from swapping out the locks, then swapping the landlord's locks back in before a scheduled visit.
The bigger problem is the unscheduled emergency entry when a fire/water pipe broke and they have to bust the door down. Then you get to pay for replacing anything that was destroyed in the process, and your apartment is completely open until it gets fixed.
...And you might also get to pay for the water/fire damage to other apartments because it took longer to get into the apartment due to something you did.
Yeah, you gotta determine what is more likely
1) the landlord didn't change the locks between tenants AND there's a great "key copying conspiracy."
Or
2) There's an emergency requiring your landlord/maintenance to enter the premises when you aren't home.
I know which one I find more likely, but you do you.
OTOH Probably most landlords won't mind you changing the locks as long as you give them a copy of the key.
We just had #2 in our house happen two days ago so yes.
To be clear, I think #2 is much more likely.
I agree, I have never rented anywhere where I was permitted to change the locks.
I have changed the locks everywhere I have rented.
Interesting, when you did so did you know that you were assuming liability for the damage caused by the landlord being unable to access the property in an emergency?
I’m curious which type of emergency ?
In my country, a landlord has zero right to access a rented property. Even keeping a copy of the key is forbidden. Emergencies are for firemen and police, and they basically don't care about your lock if you don't answer.
When you say you weren't permitted, are you referring to the absence of any language on the topic, or the presence of language saying that you shall not? Assuming the former, proceeding to do it doesn't seem noteworthy.
“Oops forgot to tell you.. was I not allowed to do that?”
The only way they would ever find out is if they were trying to enter your place unannounced.
And even then: "You had trouble getting in? Oh yeah, the lock is sometimes really sticky. If it's jammed, it helps if you lean on the door while trying to turn the key, then let off the pressure while you're twisting the key. What did you need to get in for? Shouldn't you have called first? I'll be back around {30-60 mins after your expected arrival time} and can let you in then." (Meanwhile swap the original barrel back in before they show up again.)
Now that busted pipe to the hot water heater has been pumping water into the unit for an extra hour, and you’re on the hook for changing the lock in violation of your lease. But cool story about the cylinder.
Pretty much everywhere in Europe it is a legal right to be able to do so.
Not in Sweden.
Change the cylinder. Put the old one back, when your rental period ends. Takes 10 mins to replace the cylinder.
One rental apartment where I'd changed the lock core, one day the nice handyman admired the fancy Mul-T-Lock style key while I was letting him in, and later remarked about it to landlord.
So I had to put the old cylinder back in, because of condo rules about the property management company needing keys.
(Though I later learned that the property management company might not have been able to find my unit's key if they ever wanted to. One day, the fire department was at the building, trying to get into a different unit, which had an alarm sounding, but they found that the key box was empty. I was there, so I called the management company, but they refused to send a runner with the key. Even after I handed my phone to the firefighter in charge, and he identified himself and asked them again. :) )
This is quite different around the world. I've rented both at places where I could bring my own security locks and others where the landlord pretty much insisted on having a copy of all keys so they could enter in an emergency (e.g. a water leak) without breaking down the front door.
What about giving a copy of the new key to the landlord? It's not as secure as keeping the key to yourself of course, but at least it eliminates the likelihood of prior tenants having a copy which is usually the primary threat.
I’m in Europe, but the first thing I said to the renters of my Grandmother’s house was “here’s the keys, these are all the copies, but feel free to change the lock if it makes you feel more comfortable”.
People need to feel safe in their own homes.
Any chance you could share these e-mails? I also live in such an apartment complex and I was aware that the locks are jokes, but I didn't think it was possible to convince the building's managing company.
I had a similar situation at the apartment I used to rent. Unfortunately they didn't care to correct it, so I removed the battery from my lock and only used the physical key.
My fob copy still works there last I checked...
I worked on this research along with many others, happy to answer any questions! Our disclosure is also available at https://unsaflok.com.
If I stay at a hotel with such a lock, how can I tell if it's affected? If the hotel hasn't patched it, can I patch my room's door myself without causing issues for the hotel?
You can generally assume at any hotel with keycards, that any other guest who wants to can get into your room.
The only question is whether they do some hacker shit, or whether they just go to reception and say "My keycard isn't working, I'm in room 123" and reception gives them a new keycard for room 123, with no ID check and no questions asked.
Luckily thieves are relatively rare and 97% of hotel rooms just contain a suitcase of second-hand clothes.
I locked myself out of the room on several occasions, and at the very least they ask for your name and double check in the system. It's not as easy as you describe.
Perhaps you're staying at better hotels than I am?
In my experience, keycards fail so often that the hotel workers don't bat an eyelid when you say your card has failed, they just make you a new one.
Names are not generally considered secret. It will be relatively easy for someone to social engineer the name for a room either with the desk or with you (calling the room).
I was traveling a lot for work at one point, and I decided to test this out. I would ask for a new key at every hotel I stayed at, and make a point to not tell them my name unless they asked. They almost never did.
I have often either locked myself out of a hotel room or demagnetized my key. I have never been asked my name or been verified in any way (different clerk than the one I checked in with, etc).
While I'm sure some hotels (maybe more upscale ones?) do verification, it is far from universal in the USA.
A little social engineering would sort that out
Similar to the wrench principle. [1]
Our disclosure mentions how to try and detect a vulnerable hotel, but it’s not possible to patch the lock yourself.
I think it's in the bottom of the article
This part caught my eye:
"Note that this information only applies to dormakaba Saflok systems; several other lock manufacturers use MIFARE Classic keycards and are not affected by the Unsaflok vulnerability"
So it is likely the way that Saflok implemented MIFARE Classic. Will start to read about this protocol more.
At this point, MIFARE Classic can pretty much be considered plaintext.
There are very fast card-only cloning attacks against even the newest "hardened" cards, and in many of these lock systems (no idea about Saflok in particular though), MIFARE is the only layer of cryptography, and the card only contains a bitmask of locks/doors that it should be able to open.
I have an original London Underground Oyster Card which still works fine! It's MIFARE Classic according to Wikipedia, and I do often wonder when TfL will cancel them.
They'll probably keep it around either indefinitely, or will replace it with a fully account-based scheme where there's nothing stored on the card itself (i.e. no stored-value balance) other than an authentication key for the card number.
That's the model they already use for bank (credit and debit) cards too, so they need the backend to manage a deferred account-based system anyway. That's also what the MTA in New York does: They've never supported stored-value cards, and their new physical OMNY cards are effectively just a weird type of closed-loop EMV payment card.
> There are very fast card-only cloning attacks against even the newest "hardened" cards
Do you mean for MIFARE Classic or for all RFID cards? I was not aware of any cloning attacks for types such as HID Seos.
How did Saflok respond? Were they collaborative or did they try to threaten you / suppress the information?
They have been taking it seriously although they didn’t have any sort of formal bug bounty / security disclosure method at the time. The disclosure timeline is in our article as well!
Did you set out to find a vulnerability or just stumble on it?
If setting out to find a vulnerability, how do you get started?
What is the “open ide, write print(“hello world”)” for this kind of work?
The article explains that they were at a hackathon of sorts, where these 2 were specifically targeting the locks/passes.
I would assume reading the cards with a reader would be a great start.
When do you plan to release technical details on the attack? Surely the long tail of door locks will not be replaced for a decade or more.
Seems like it's only a matter of time before someone writes a Flipper Zero script to do this.
The more pertinent matter is that it took this long for RFID exploits to start catching the public eye. RFID is the least secure communication protocol that could be used for locks. At the very least we should have NFC be the standard.
Someone with the intent and know-how to crack RFID readers could put together a hardware tool to do so. Does the Flipper Zero provide such a tool? Yeah. Does the responsibility of following ethics fall with the user? Debatable, but I think absolutely yes.
If one carries around a lockpicking set and learns how to use it, they can go right ahead, correct? We accept the fact that people exist that can pick locks and yet 80% of states allow possession and use of lockpicking tools in a legal manner.
Feels like a very US-specific mentality. Back in the UK carrying lockpicking tools outside your home without good reason is "going equipped" and a crime in itself, and that's generally supported.
I don't have a formed opinion on available lockpicking kits other than if you make them contraband they will still be available in different ways and that measure will have the opposite effect.
But a lockpicking kit has one purpose, it's picking locks. A Flipper Zero type device has plenty of legitimate, legal, personal uses in an IoT equipped home.
The Flipper Zero being banned will lead to a flood of copies, not to mention black market OEM versions.
> if you make them contraband they will still be available in different ways and that measure will have the opposite effect.
Banning things doesn't make them impossible to get hold of but it does make it harder/more costly, which is all that any anti-crime measure can hope to achieve. Why do you say the opposite effect? This isn't like alcohol (or even, to an extent, weed) where a majority of ordinary decent people use it occasionally and want it to be available. Most people have never owned or used lockpicks and don't see any reason to have them if you're not a criminal. (And, sadly, that's probably also true of a flipper zero).
UK is notoriously prohibitive of things that could be used in crimes; I mean, we're talking about a country where a screwdriver is potentially an "offensive weapon" if carried without a "legitimate purpose".
However, that is a fairly extreme case, and most countries don't have such laws on the books (or if they do, what's illegal is "possession with intent").
US lockpicking enthusiasts tend to know their states' laws (see e.g. https://www.toool.us/lockpicking-laws.php)
In general it's probably okay to bring your picks somewhere in most parts of the country if you're a hobbyist.
In general it's a bad idea to carry picks if you're doing anything that a prosecutor could construe as breaking into a building to steal things. This is an area to be particularly aware of for urban exploration, where trespassing is bad but burglary with burglarious tools is like felony bad.
As long as we are talking about specific markets, I have a couple of stories.
In the United States, postal services have access to clusters of mailboxes and some common areas where mailmen can leave mail and parcels, which can be entryways or some kind of storage rooms in them, for example, so that the owners can pick them up when they get home. These rooms are locked with padlocks made by several local companies. Once a key is inserted and turned in the lock, it can only be retrieved by turning it in the opposite direction to the default position, but even then they manage to forget them in the locks.
A customer from the USA came to us and asked us to combine this padlock with an intercom system we are developing to signal the administrator that the letter carrier came, opened/closed the lock or forgot the key in it. Nobody wants to switch to RFID, of course, or else the employees of the lock manufacturing company will have nothing to eat, so we had to enlarge the intercom vertically in order to build into it a lock whose transom will close a group of contacts on the panel, letting us know that something is going on. On the edge, lmao.
In the UK, mailmen are treated very differently: the intercoms have a special button which, when pressed, will open the door so that the mailman can enter and drop off the mail without having to carry keys or RFID identifiers. Normally this button is enabled for certain working hours, for example from 9 to 5, and of course anyone can press it and get into the premises.
RFID just means radio frequency identification. It does not imply any particular standard. NFC can be a type of RFID system. Even saying NFC isn't necessarily implying any particular system of protection, basic NFC has no real protection out of the box and would require the higher-level protocols to actually provide any kind of encryption or relay protection or the like. An NFC-based system of RFID can also be incredibly insecure.
Saying "RFID is insecure, use NFC" is like saying "radio is insecure, use WiFi." NFC is a subset of the concept of RFID, much the same way WiFi is a subset of digital radio protocols.
In my opinion it's clear that NFC is indeed designed with a higher focus on security than general RFID applications. In fact it emphasizes secure data exchange by design. Yes it is a subset of RFID technology operating at 13.56 MHz. Because NFC enables encrypted communication over very short distances (typically less than 4 cm), it is more challenging for unauthorized interception to happen. Also NFC supports two-way communication, which allows for more dynamic and secure interactions between devices, such as payment systems or secure access controls.
RFID, while versatile and utilized across a range of applications from inventory management to access control, does not inherently prioritize security to the same extent. Its broader application spectrum means that specific security measures can vary significantly based on the use case and the design of the RFID system. For example, passive RFID tags, which are widely used due to their cost-effectiveness and simplicity, can be read from distances up to several meters, potentially exposing them to unauthorized scans. Active RFID tags offer longer read ranges and can incorporate additional security features, but their cost and complexity limit their use to specific applications.
Therefore, when comparing the security aspects directly, NFC's design principles inherently prioritize secure exchanges, leveraging close proximity communication and encryption standards that are well-suited for transactions and sensitive data exchanges. This focus on security, combined with the technology's adaptability for consumer use (e.g., smartphones for payments), underscores NFC's advantage in scenarios where security is paramount.
Most hotels use non-NFC RFID and on top of that most use passive tags. So it is certainly an inherent security flaw of hotel door locks. Unfortunately non-meatspace security is also drastically in need of choosing more effective already existing measures.
You keep suggesting NFC has a lot of security concepts baked in, but it's not really true. The base standards of NFC provide no encryption concepts. It provides no protection against sniffing. It provides no authentication. It provides no relay protection. The only "security" you get is it's designed for near communication, but you can absolutely read and write NFC tags from a distance with the right hardware.
Base NFC has almost no security and relies on protocols on top to be secure. For example, Amibos use NFC and are trivially duplicated with cheap writable NFC tags. Contactless credit cards aren't secure because they do NFC, they're secure because NFC allows for an EMV transaction, it's the EMV handshake that handles all the security.
Once again, suggesting NFC just has a lot of security by default is acting like WiFi is always secure. But even worse, because at least WiFi standards have encryption and what not built in and optional, NFC doesn't even provide that.
And then you point out passive tags as if that's a thing that makes RFID less secure (ignoring NFC used for identification is RFID) but then I guess don't realize NFC allows for passive tags as well. I don't need to change batteries on my Amibos or the NFC stickers I put on the Wi-Fi info around the house.
You could build a key card system with NFC that has the same or worse system as older key card platforms. It being NFC gives you absolutely no additional benefit.
I think both our views are valid within their contexts, with the key difference being the distinction between NFC's base capabilities and the security measures actually implemented in NFC applications (where often upper layer protocols like in credit cards, are doing the heavy lifting for security). Since this discussion centers around real world incidence, you're right to point out that NFC does not inherently mean the application will be secure.
I actually will also correct myself about saying that NFC is shorter range than RFID. Both HF and LF have about the same range. UHF has a range on the order of 10m but is almost never if at all used for high volume applications like hotel door locks. I do however disagree with your rejection of the colloquial usage of RFID to exclude NFC. In everyday conversation, I believe it is understood that NFC is a subset.
The main point I'm trying to make is essentially targeted at this line of logic:
NFC's design principles inherently prioritize secure exchanges
NFC's design principles inherently have absolutely zero security. It doesn't prioritize secure exchanges, at all. The fact that secure exchanges can happen over NFC is incidental to NFC existing. Any secure exchange that happens over NFC happens because the higher-level application brought its own security.
It's like UDP. Sure, you can do a secure exchange of data using it like QUIC or encrypted RTP, but UDP doesn't give you anything other than a way to send that data along.
Which then compared to just an overall massively wide topic like "RFID", which encompasses dozens (hundreds?) of other technologies, some of which do actually prioritize secure (or at least attempted to secure) handshakes throughout the entire stack.
And range of an RF thing is largely just based around typical hardware. If you wanted to you could build an antenna array to pick up an NFC tag from dozens of meters away. WiFi might only be designed to work around the house, but with a clear line of sight, decent RF conditions, and the right antennas you can send it miles.
Generally speaking, you shouldn't expect any kind of security doing things with NFC. Because, NFC has no security inherent to the protocol.
It's not just that RFID isn't very secure, it's that a lot of locks are using the worst possible implementations. Just checking the ID of the RFID chip against a whitelist is an astonishingly common method. Not only does that make access cards easy to clone and provide no cryptographic security at all, but if you bulk buy access cards you often get sequentially numbered cards ...
OTOH I can use my credit card to open my door - and this is even advertised as a feature by the manufacturer!
Which lock do you have? I’ve been wanting to get one with this functionality but I’ve never successfully found a smart lock that works like that.
Mine is a Yale YMF-30
RFID is just a bidirectional link between the reader and the card. The security depends on what you send over that link. RFID in itself doesn't imply security or insecurity.
They warn that the deadbolt on the room is also controlled by the keycard lock, so it doesn't provide an extra safeguard.
That is the biggest surprise to me. I had assumed getting around the deadbolt would require a locksmith or breaking the door. (What's the point of it otherwise?)
(What's the point of it otherwise?)
How else would the hotel staff enter the room when the current occupant is locked in the room, but dead or some lesser medical emergency condition?
Being dead isn't urgent, they could call a locksmith.
A medical emergency would justify breaking the door.
The same applies to my apartment door.
It only becomes non-urgent once you can get in the room to confirm they’re dead.
Schrödinger's Hotel Guest.
Once the hotel is big enough this will occur so frequently that all those locksmith bills and new doors incur a notable cost, enough that for your next lock system you choose something that lets hotel employees override the deadbolt. Most customers won't care or notice, and those that do are offset by those that got inconvenienced by someone breaking down the door next to them.
Imagine how much faster it would be with an emergency key unlocking the security deadbolt rather than just the door lock. Housekeeping keys do not have the ability to unlock the security bolt, but management does, and that can be used by the appropriate emergency responders. Police doing an investigation with a warrant would be appropriate, but a cop with a hunch would not.
A lot of hotels I've been to also have a latch you can physically lock the door with which would prevent someone from actually entering, but I bet you may be able to slowly pry that open with a jig of some sort.
I assume/hope the newer versions in hotels that are a little L bracket that flips are a little harder to get open?
It's called a "swing bar". It's easy to open from the outside with some duct tape and a rubber band, unfortunately. Plenty of easy instructions on YouTube.
There are tools specifically designed to open these. At best, they make an attempt to break in more conspicuous.
Good feels and security theater
> I had assumed getting around the deadbolt would require a locksmith or breaking the door.
Look into what happens when someone pulls a fire alarm. Some building-wide lock systems will actively unlock doors during a fire scenario.
People lock themselves in hotel rooms and refuse to leave more often than you'd think.
Apparently I don't understand how hotel card keys work. I always assumed that keys were manufactured with a random UUID inside them, and then when you checked in, a random card was attached to your room and given to you.
When you try to open a door, it compares your card's ID to the room database to see if the door should open.
Is that... not how it works? Because that seems simpler than anything that involves encryption, or actually writing shit to the card.
UUID can be cloned (with modified cards). This could make a clone attack even easier since you don't need Key A/B to read the contents.
I just imagined that cloning would not be a big deal considering the short life of a typical hotel stay.
You still need to tell the door somehow that the UUID you have now is valid for X days.
Encrypting this information on the card itself is easier.
Having doors not work because the network is unavailable or the database is corrupted sounds neither simpler nor better.
Well, valid key IDs could be pushed to the locks, and remembered for a short time.
I wonder if it's possible to answer pubkey challenges without electricity
High-end JavaCards can do this. A few have RFID/NFC interfaces, but they are expensive.
It would mean that the door's reader is connected to the network. Is it?
The locks don't have network connectivity, so they have no way to check. Access has to be managed by key expiry and replacement.
There are network-connected systems but they can be considerably more expensive to install.
The card machine at the front desk writes a message onto the card, which says: Hey, lock #301, this card is authorised to open you as of timestamp X, and all cards before timestamp X are now invalid. Most older e-locks are powered by a 9V battery and are not wired to a central server.
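As an added example (not code from the article, the commenter, or any lock vendor), here is a small Python model of the credential just described: the front desk writes a record naming the lock and a validity window, and the lock remembers only the newest issue time it has seen, so every older card for that room stops working. The shared property key and the MAC tag over the record are assumptions of the model, added so the lock can reject records not written by the front-desk encoder.

```python
"""Model of an offline hotel lock honouring 'valid as of timestamp X,
all earlier cards invalid' credentials.  Constructed illustration only;
the record layout, the property-wide key and the MAC are assumptions,
not any vendor's actual card format."""
import hashlib
import hmac
import struct

# Placeholder shared secret: every lock and the front-desk encoder hold it.
PROPERTY_KEY = b"constructed-example-key"

RECORD_FMT = ">HII"          # lock id, issued_at, expires_at (hours, constructed units)
RECORD_LEN = struct.calcsize(RECORD_FMT)
TAG_LEN = 8


def encode_card(lock_id: int, issued_at: int, expires_at: int,
                key: bytes = PROPERTY_KEY) -> bytes:
    """Front-desk encoder: pack the record and append a truncated HMAC tag."""
    body = struct.pack(RECORD_FMT, lock_id, issued_at, expires_at)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class OfflineLock:
    """A battery-powered lock with no network: all state lives in the lock."""

    def __init__(self, lock_id: int, key: bytes = PROPERTY_KEY):
        self.lock_id = lock_id
        self.key = key
        self.current_issued_at = 0   # newest card generation accepted so far

    def present(self, card: bytes, now: int) -> bool:
        """Return True and open if the card is authentic, for this lock,
        inside its validity window and not superseded by a newer card."""
        if len(card) != RECORD_LEN + TAG_LEN:
            return False
        body, tag = card[:RECORD_LEN], card[RECORD_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # not written by the encoder
        lock_id, issued_at, expires_at = struct.unpack(RECORD_FMT, body)
        if lock_id != self.lock_id:
            return False                      # card is for another room
        if not (issued_at <= now <= expires_at):
            return False                      # outside the stay's window
        if issued_at < self.current_issued_at:
            return False                      # an older, superseded key
        # A newer generation was seen: from now on all earlier cards are dead.
        self.current_issued_at = issued_at
        return True


if __name__ == "__main__":
    lock = OfflineLock(301)
    guest_a = encode_card(301, issued_at=0, expires_at=72)
    guest_b = encode_card(301, issued_at=48, expires_at=120)
    print(lock.present(guest_a, now=10))   # True: first guest checks in
    print(lock.present(guest_b, now=50))   # True: next guest, early check-in
    print(lock.present(guest_a, now=50))   # False: old card now invalidated
```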
I hate to break it to anyone but most locked doors can be opened "in seconds" by a variety of means. For the most part the locked state is a signal of prohibition, rather than a meaningful enforcement thereof.
I could open any locked door at my high school by slipping my ID in the gap between the door and the frame and wedging the bolt open. I kind of suspect that forty years later, this vulnerability remains.
Former locksmith here. That is called "to flipper" a door. (Guess that is where the flipperzero name comes from)
However you can only flipper doors that are held closed by the latch bolt. If the lock deadbolt is engaged, you cannot flipper it, because the deadbolt will not budge when manipulated by a card or piece of plastic.
Technically a lock without an engaged deadbolt is not really "locked" but "closed". That being said, an unbelievable amount of people believe their doors are locked when in fact they are closed.
Most locked doors can be bypassed even faster in some other way than unlocking them. A rock through the window...
This is a bit harder when said window is only reachable from the outside, and is 78m above ground level (and all the walls are brick, so they're stronger than the wooden door).
And especially in hotels, locked doors aren't about keeping everyone out forever (there's dozens of reasons that'd be an awful idea, from cleaning staff needing access to medical emergencies).
They're about making it inconvenient enough / loud enough to gain unauthorized access that someone is going to notice and complain to the manager.
Even then, some of those means are noisy, require special equipment or skills or make it obvious a break in happened.
Locks that most people are willing to spend the money to buy are purely there to keep honest people honest.
"Locked doors only stop honest people" -Abe Lincoln
RFID and NFC are the new Magstripe and Barcodes.
People think that they are mysterious things that are secure because they aren't able to see what they mean. But in reality, they are all still just a machine-readable number.
(even if a rolling key, challenge-response or pubkey authentication is supported, we're often still just using a single number, but my point is more about the perceived obscurity for the public)
It really depends. There are some contactless tags that really do nothing other than transmit a static identification number which is trivially spoofable, but many systems today use cryptography (again, some long cracked and horribly outdated, but others quite strong).
I have a contactless card that runs GPG as a Java Card applet and creates 4096-bit RSA signatures. That's pretty secure!
DESFire based systems, HID iClass SE (properly installed where the reader only accepts the SE credential) are generally pretty secure.
Dormakaba started selling Saflok locks in 1988, which means that vulnerable locks have been in use for over 36 years.
Ok, my eyebrows are up. Authentication has grown so much as a field since then that I'm having trouble with the idea that this flaw has always been present. In fact, Saflok predates MIFARE Classic by at least five years. Perhaps all will become clear if a full technical disclosure is ever made available, but it seems like the authors are making an overstatement here.
Our understanding is that the magnetic stripe version of Saflok (which indeed predates MIFARE Classic) is vulnerable to the same issues, just in a different card format.
I travel with a door jammer.
Most hotel door locks I’ve seen are designed to be opened from the outside.
A door jammer wedges the door shut. With it, I sleep better at night.
While my instinct is to do the same, depending on what jurisdiction you travel to, you might be liable for damages if staff tries to open the door and decide to break in because you were in the shower or sleeping on ambien or something like that.
Just like microcorruption in real life :)
I love these asm hacking challenges
[...] shared the full technical details of their hacking technique with Dormakaba in November 2022. [...] told by Dormakaba that, as of this month, only 36 percent of installed Safloks have been updated.
Did Dormakaba not make this a first-priority, all-out effort?
Or have 2/3 of the installations been offered a timely free fix, but are dragging their feet for some reason?
“Our customers and partners all take security very seriously, and we are confident all reasonable steps will be taken to address this matter in a responsible way.”
That "reasonable" in a PR response is suspicious.
Wikipedia:
dormakaba Holding AG is a global security group based in Rümlang, Switzerland. It employs more than 15,000 people in over 50 countries.
Sounds like they probably have the resources, if they have the will to solve this before potential very bad things happen to some hotel customers.
publicly traded on the SIX Swiss Exchange.
https://www.google.com/finance/quote/DOKA:SWX?comparison=IND...
Hotel and hotel safe locks have always been of dubious security.
An attacker only needs to read one keycard from the property to perform the attack against any door in the property
That’s a pretty serious vulnerability, pretty much all it takes is to be a guest at a hotel
Often times, the hotels don't even require you to turn in these cards upon checkout, so they are thrown in the trash. A nefarious actor could just pull one out of the trash and so not even have to be a guest in the hotel.
Another strike against the Flipper Zero!
"their attack could be pulled off with little more than a $300 Proxmark RFID read-write device and a couple of blank RFID cards, an Android phone, or a Flipper Zero radio hacking tool."
And Android, and EBay, and Proxmark...
Presumably with Scotch Tape or Post-it Notes.
Not that kind of "3M" :)
Going to go against the grain and say thank you to devices like the Flipper Zero for getting vulnerabilities like this out into the public eye for scrutiny.
Not really against the grain here :)
I always stay cautious and take additional measures to secure belongings while staying at a hotel
It seems irresponsible that it took dormakaba more than a year to fix a single lock. And even now, 1.5 years after the initial disclosure, still only around a third have been updated.
Physical security is what you need.
Buy this strap for your door lock while you're inside.
By exploiting weaknesses in both Dormakaba's encryption and the underlying RFID system Dormakaba uses, known as MIFARE Classic, Carroll and Wouters have demonstrated just how easily they can open a Saflok keycard lock.
Yes, please change it to 3MM, which also abbreviates to "3 million". My first impression was strongly that 3M had some lock system that was now compromised, not that it was referring to 3 million locks in the wild.
Also perhaps consider expanding the headline character limit above 80, or maybe not count numbers in the total.
mm is millimeters. MM does not exist.
MM = 1,000 * 1,000 == 1,000,000 <- that's where MM comes from, Roman numerals.
Jesus Christ:
https://corporatefinanceinstitute.com/resources/fixed-income...
Seems like you engineers have been behind code and not having to defend your project budgets to CFOs and stakeholders often.
MM is 2,000 in Roman numeral notation, not a million.
Yeah, but finance people (way after the roman times) adopted M as a suffix for thousands, and once you treat it as a suffix or prefix it made sense (to them) to use MM for million. You sometimes see the same done in engineering-adjacent contexts with SI prefixes, like using kk for million.
The finance people that I know use K for thousands and MM for million.
Tech and science use K for thousand and M for million.
Using K and MM in finance reduces the odds of an incorrect interpretation of a single M.
Sweden faint memory of using ' and " for accounting. 1' is 1 000, 1" is 1 000 000. Or something like that, didn't spend much time on it.
So MMXXIV = 1,000 * 1,000 * 10 * 10 * 1 * 4?
Actually, I believe what you want is 3mm, which I believe they use in accounting. Lowercase m in this instance would stand for milli-, as in thousand. So 3mm would be 3 thousand thousand. 3M is technically correct, though confusing in this specific case. Capital M would indicate Mega, as in the progression from kilobit to megabit to gigabit.
Gamers just write it as 3kk. (PS: never seen MM used as a "million" even in my two decades on the internet)
Eh... Haven't seen anyone using 3kk to abbreviate 3M. 3M is common and B for billion. Those are also used in many games to shorten currencies.
This seems to be a (IRL) cultural thing - the vast majority of people I play EVE with use k/m/b/t, but a small percent does use k/kk/kkk
Afaik it came from the first Korean MMOs, like Lineage. Maybe even earlier, but I saw such format there first.
Interesting, I'd seen it as "MM", as in "Thousand Thousand" in Roman numerals.
Of course lowercase "mm" is most recognizable as millimeter, so that would be confusing in a different way.
3mm hotel keycard form factor.
3MM is three million, for US accountants and thus engineers writing docs for VPs. 3mm is three millimeters.
It would take all of about 3 seconds to realize why an unlimited character count would break the site's layout and know that it will never happen.
I do agree that the "don't editorialize" and strict char count are very contradictory, but suggesting that the site changes because of it is also naive at best.
It took about 1 second to realize that "80 characters" and "unlimited" aren't the only two options.
Exactly; thank you.
I was definitely NOT thinking of unlimited.
I was thinking of 80chars, but excluding numerals (123, etc) and number text ("thousand", "million" etc.) and maybe a few other items excluded from the count, with a maximum of 100, or whatever number actually will not break the layout.
I've found it frustrating trying to fit in 80chars, and e.g., finding that ampersand gets expanded so it actually counts more than "and", so it is not a single-rule 80 chars; perhaps a few more sophisticated rules might help. Just a suggestion.
Not that it really matters, but I found it interesting thinking of ways this could be broken...
you missed the
3 millimeters is a really small lock.
I think it's the lock found on most kids' diaries!
It's the World's tiniest open-source lock.
Maybe 3M should rename themselves to something less confusing.
They were originally "Minnesota Mining and Manufacturing Co."
Seems the 3M branding has worked quite well...
"In business news, 3M and M&M have merged to form, get this, Ultradyne Systems." Simpsons S14E12 [0]
[0] https://www.springfieldspringfield.co.uk/view_episode_script...
Many 3M adhesives would hold the hotel doors closed.
Or just drop all the clickbait crap from the headline - "Hackers", "any", "3 million" and "in seconds" are all just fluff meant to create an emotional response. Change the subject to where the responsibility lies, the locks themselves or the lock manufacturer, and add "major brand" or "widely deployed" if it's necessary to separately indicate notoriety.
How about "Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds"? It's only 75 characters. Nobody has to guess about abbreviations or whether it's really Latin or mm.
It's especially confusing because 3M does make almost every thing under the sun, from respirators to electrical tape to medical equipment and supplies. No locks as far as I can find though.
But with a roll of 3M Gaffa Tape, you can secure a hotel room door such that those inside the room can't open it without help from outside.
* other brands of very sticky strong tape are available.
You could, of course, still open it with 3M Glass Bubbles or explosives from other brands.
Since when are glass bubbles explosive?
3M product brochure: https://multimedia.3m.com/mws/media/1226911O/glass-bubbles-f...
See page 64: https://www.austinpowder.com/wp-content/uploads/2019/01/The-...
Not explosive in and of themselves, but a component in modern industrial explosives. As a sensitizer and a density modifier.
Thanks! I was not aware of their use in explosives, I thought to their use as a filling/density modifier in polymers.
How?
Apply tape to the door and frame length-ways at the top and all the way down the opening edge. Layer it up with some overlap to reinforce both what's on the door and the door frame.
Do likewise at the bottom edge, adding a seal to the floor / carpet. Don't be frugal (these are drunk roadies in full prank mode)... use your imagination ;)
Just tape the victims to a bed and relive Gerald's Game
It would be nice if the title could get changed, as per below, because it confused me, too:
https://corporatefinanceinstitute.com/resources/fixed-income...
The original title sez "millions" and is clearly distinct from both "Minnesota mining and manufacturing" and "millimeters".
Yes, because the millimeter is “mm”, a meter is “m” and “M” means mega (for example MPa for megapascal) in SI.
The gp here was referencing a weird little bit of accountant jargon that uses a corruption of roman numerals to indicate million as a product of thousands. It's a terrible idea, but crops up in software circles occasionally due to the number of folks stuck writing financial software.
AFAIK, even accountants are slowly moving away from it for ... Obvious reasons.
While I agree, I think you underestimated how much this comment thread would wind up somewhat derailing conversation about the actual article. Dear lord people it's a simple disambiguation - there's no need for upwards of 40 comments about it.
Well it is apparent that so many people got confused (me included) that it deservedly became part of the conversation.
Does 3M stand for 3 musketeers?
It should be 3MM