An ordinary Android smartphone can pick almost any lock in a hotel room

Hackers Ian Carroll and Lennert Wouters have brought the issue of hotel room security to the public’s attention. Back in 2022, the Unsaflok group provided Dormakaba with compelling information about a vulnerability in its door locks.

Back in 2012, at the Black Hat hacker conference in Las Vegas, an anonymous cybersecurity expert reported a vulnerability in Onity’s locks. It was related to the use of RFID tags, but the technology was not widely used at the time, so the company’s management decided to do nothing about it. Hackers reacted accordingly – they waited and made sure nothing was done, and then started breaking into the locks out of “sporting interest”.

In the case of Dormakaba, the situation may repeat itself. The vulnerability allows locks to be opened using fake RFID keys. Or, if you have an Android smartphone with an NFC module and the corresponding software, you can trick the system even without direct contact with it. Fixing the vulnerability wouldn’t be difficult if not for the financial factor – it would require reprogramming several million locks around the world.

At the moment, according to public information, about 36% of Dormakaba locks have received the update. The rest are located in places where the devices are not connected to the Internet and therefore cannot be controlled remotely. This requires sending technical support staff directly to each lock to install the update, which is not possible.

Read also: A new-generation supersonic commercial airplane has made its first test flight