[HN Gopher] Hackers found a way to open any of 3M hotel keycard ...
___________________________________________________________________
Hackers found a way to open any of 3M hotel keycard locks
Author : jasoncartwright
Score : 172 points
Date : 2024-03-21 14:57 UTC (8 hours ago)
(HTM) web link (www.wired.com)
(TXT) w3m dump (www.wired.com)
| tromp wrote:
| https://archive.is/a7ntC
| mint2 wrote:
| Okay that title was confusing, the 3M is quantity not the company
| 3M's locks. The locks are not built by 3M or a subsidiary.
| mikestew wrote:
| It would be nice if the title could get changed, as per below,
| because it confused me, too:
|
| https://corporatefinanceinstitute.com/resources/fixed-income...
| Shog9 wrote:
| The original title sez "millions" and is clearly distinct
| from both "Minnesota mining and manufacturing" and
| "millimeters".
| rad_gruchalski wrote:
| Yes, because the millimeter is "mm", a meter is "m" and "M"
| means mega (for example MPa for megapascal) in SI.
| TylerE wrote:
| It's especially confusing because 3M _does_ make almost every
| thing under the sun, from respirators to electrical tape to
| medical equipment and supplies. No locks as far as I can find
| though.
| lozf wrote:
| But with a roll of 3M Gaffa Tape, you can secure a hotel
| room door such that those inside the room can't open
| it without help from outside.
|
| * other brands of very sticky strong tape are available.
| aqfamnzc wrote:
| How?
| alephnerd wrote:
| Just tape the victims to a bed and relive Gerald's Game
| golergka wrote:
| You could, of course, still open it with 3M Glass Bubbles
| or explosives from other brands.
| ale42 wrote:
| Since when are glass bubbles explosive?
| toss1 wrote:
| Yes, please change it to 3MM, which also abbreviates to "3
| million". My first impression was strongly that 3M had some
| lock system that was now compromised, not that it was referring
| to 3 million locks in the wild.
|
| Also perhaps consider expanding the headline character limit
| above 80, or maybe not count numbers in the total.
| dylan604 wrote:
| it would take all of about 3 seconds to realize why an
| unlimited character count would break the site's layout and
| know that it will never happen.
|
| i do agree that the "don't editorialize" and strict char
| count are very contradictory, but suggesting that the site
| changes because of it is also naive at best.
| stavros wrote:
| It took about 1 second to realize that "80 characters" and
| "unlimited" aren't the only two options.
| toss1 wrote:
| Exactly; thank you.
|
| I was _definitely NOT_ thinking of unlimited.
|
| I was thinking of 80chars, but excluding numerals (123,
| etc) and number text ("thousand", "million" etc.) and
| maybe a few other items excluded from the count, with a
| maximum of 100, or whatever number actually will not
| break the layout.
|
| I've found it frustrating trying to fit in 80chars, and
| e.g., finding that ampersand gets expanded so it actually
| counts more than "and", so it is not a single-rule 80
| chars; perhaps a few more sophisticated rules might help.
| Just a suggestion.
| aqfamnzc wrote:
| Not that it really matters, but I found it interesting
| thinking of ways this could be broken...
| million million million million million million million
| million million million million million million million
| million million million million million million million
| million million million million million million million
| million million million million million million million
| million million million million million million million
| million million million million million million million
| million million million million million million million
| million million million million million million million
| million million million million million million million
| million million million million million million million
| million million million million million million million
| million million million million million million million
| million million million million million million million
| million million million million million million million
| million million million million million million million
| million million million million million million million
| million million million million million
| toss1 wrote:
| you missed the
|
| >>"with a maximum of 100,"
| brianleb wrote:
| Actually, I believe what you want is 3mm, which I believe
| they use in accounting. Lowercase m in this instance would
| stand for milli-, as in thousand. So 3mm would be 3 thousand
| thousand. 3M is technically correct, though confusing in this
| specific case. Capital M would indicate Mega, as in the
| progression from kilobit to megabit to gigabit.
| neilv wrote:
| 3mm hotel keycard form factor.
| lowbloodsugar wrote:
| 3MM is three million, for US accountants and thus engineers
| writing docs for VPs. 3mm is three millimeters.
| Yizahi wrote:
| Gamers just write it as 3kk. (PS: never seen MM used as a
| "million" even in my two decades on the internet)
| kukkamario wrote:
| Eh... Haven't seen anyone using 3kk to abbreviate 3M. 3M
| is common and B for billion. Those are also used in many
| games to shorten currencies.
| squigz wrote:
| This seems to be a (IRL) cultural thing - the vast
| majority of people I play EVE with use k/m/b/t, but a
| small percent does use k/kk/kkk
| toss1 wrote:
| Interesting, I'd seen it as "MM", as in "Thousand Thousand"
| in Roman numerals.
|
| Of course lowercase "mm" is most recognizable as
| millimeter, so that would be confusing in a different way.
| exe34 wrote:
| Maybe 3M should rename themselves to something less
| confusing.
| toss1 wrote:
| They were originally "Minnesota Mining and Manufacturing
| Co."
|
| Seems the 3M branding has worked quite well...
| landosaari wrote:
| "In business news, 3M and M&M have merged to form, get
| this, Ultradyne Systems." Simpsons S14E12 [0]
|
| [0] https://www.springfieldspringfield.co.uk/view_episode_s
| cript...
| mikewarot wrote:
| 3 millimeters is a really small lock.
| samstave wrote:
| I think its the lock found on most kids' diaries!
| amlib wrote:
| It's the World's tiniest open-source lock.
| hulitu wrote:
| mm is millimeters. MM does not exist.
| samstave wrote:
| MM = 1,000 * 1,000 == 1,000,000 <- that's where MM comes
| from Roman numerals.
|
| jesus christ:
|
| https://corporatefinanceinstitute.com/resources/fixed-
| income...
|
| Seems like you engineers have been behind code and not
| having to defend your project budgets to CFOs and
| stakeholders often.
| devindotcom wrote:
| MM is 2,000 in Roman numeral notation, not a million.
| wongarsu wrote:
| Yeah, but finance people (way after the roman times)
| adopted M as a suffix for thousands, and once you treat
| it as a suffix or prefix it made sense (to them) to use
| MM for million. You sometimes see the same done in
| engineering-adjacent contexts with SI prefixes, like
| using kk for million.
| rescbr wrote:
| The finance people that I know use K for thousands and
| MM for million.
| yodon wrote:
| Tech and science use K for thousand and M for million.
|
| Using K and MM in finance reduces the odds of an
| incorrect interpretation of a single M.
| maratc wrote:
| So MMXXIV = 1,000 * 1,000 * 10 * 10 * 1 * 4?
| araes wrote:
| How about "Hackers Found a Way to Open Any of 3 Million Hotel
| Keycard Locks in Seconds" it's only 75 characters. Nobody has
| to guess about abbreviations or whether it's really Latin or
| mm.
| swader999 wrote:
| Many 3M adhesives would hold the hotel doors closed.
| mindslight wrote:
| Or just drop all the clickbait crap from the headline -
| "Hackers", "any", "3 million" and "in seconds" are all just
| fluff meant to create an emotional response. Change the
| subject to where the responsibility lies, the locks
| themselves or the lock manufacturer, and add "major brand" or
| "widely deployed" if it's necessary to separately indicate
| notoriety.
| dpsych wrote:
| Does 3M stand for 3 musketeers?
| ShamelessC wrote:
| While I agree, I think you underestimated how much this comment
| thread would wind up somewhat derailing conversation about the
| actual article. Dear lord people it's a simple disambiguation -
| there's no need for upwards of 40 comments about it.
| dimask wrote:
| Well it is apparent that so many people got confused (me
| included) that it deservedly became part of the conversation.
| ada1981 wrote:
| It should be 3MM
| dboreham wrote:
| Presumably with Scotch Tape or Post-it Notes.
| barbazoo wrote:
| Not that kind of "3M" :)
| Symbiote wrote:
| > They warn that the deadbolt on the room is also controlled by
| the keycard lock, so it doesn't provide an extra safeguard.
|
| That is the biggest surprise to me. I had assumed getting around
| the deadbolt would require a locksmith or breaking the door.
| (What's the point of it otherwise?)
| swells34 wrote:
| Good feels and security theater
| westmeal wrote:
| A lot of hotels I've been to also have a latch you can
| physically lock the door with which would prevent someone from
| actually entering, but I bet you may be able to slowly pry that
| open with a jig of some sort.
| Onawa wrote:
| https://foleybelsawlocksmithing.com/products/hotel-door-
| hing...
| drspacemonkey wrote:
| It's called a "swing bar". It's easy to open from the
| outside with some duct tape and a rubber band, unfortunately.
| Plenty of easy instructions on YouTube.
| fitchjo wrote:
| I assume/hope the newer versions in hotels that are a little
| l bracket that flips are a little harder to get open?
| Kye wrote:
| There are tools specifically designed to open these. At best,
| they make an attempt to break in more conspicuous.
| dylan604 wrote:
| > (What's the point of it otherwise?)
|
| How else would the hotel staff enter the room when the current
| occupant is locked in the room, but dead or some lesser medical
| emergency condition?
| Symbiote wrote:
| Being dead isn't urgent, they could call a locksmith.
|
| A medical emergency would justify breaking the door.
|
| The same applies to my apartment door.
| dylan604 wrote:
| Imagine how much faster it would be with an emergency key
| unlocking the security deadbolt rather than just the door
| lock. Housekeeping keys do not have the ability to unlock
| the security bolt, but management does, and that can be used by
| the appropriate emergency responders. Police doing an
| investigation with a warrant would be appropriate, but a
| cop with a hunch would not
| urbandw311er wrote:
| It only becomes non-urgent once you can get in the room to
| confirm they're dead.
| wongarsu wrote:
| Once the hotel is big enough this will occur so frequently
| that all those locksmith bills and new doors incur a
| notable cost, enough that for your next lock system you
| choose something that lets hotel employees override the
| deadbolt. Most customers won't care or notice, and those
| that do are offset by those that got inconvenienced by
| someone breaking down the door next to them.
| sandworm101 wrote:
| >> I had assumed getting around the deadbolt would require a
| locksmith or breaking the door.
|
| Look into what happens when someone pulls a fire alarm. Some
| building-wide lock systems will actively unlock doors during a
| fire scenario.
| Cheer2171 wrote:
| People lock themselves in hotel rooms and refuse to leave more
| often than you'd think.
| iancarroll wrote:
| I worked on this research along with many others, happy to answer
| any questions! Our disclosure is also available at
| https://unsaflok.com.
| ildjarn wrote:
| Did you set out to find a vulnerability or just stumble on it?
|
| If setting out to find a vulnerability, how do you get started?
|
| What is the "open ide, write print("hello world")" for this
| kind of work?
| aftbit wrote:
| When do you plan to release technical details on the attack?
| Surely the long tail of door locks will not be replaced for a
| decade or more.
| rwmj wrote:
| How did Saflok respond? Were they collaborative or did they try
| to threaten you / suppress the information?
| kidbomb wrote:
| This part caught my eye:
|
| "Note that this information only applies to dormakaba Saflok
| systems; several other lock manufacturers use MIFARE Classic
| keycards and are not affected by the Unsaflok vulnerability"
|
| So it is likely the way that Saflok implemented MIFARE
| Classic. Will start to read about this protocol more.
| lxgr wrote:
| At this point, MIFARE Classic can pretty much be considered
| plaintext.
|
| There are very fast card-only cloning attacks against even
| the newest "hardened" cards, and in many of these lock
| systems (no idea about Saflok in particular though), MIFARE
| is the only layer of cryptography, and the card only contains
| a bitmask of locks/doors that it should be able to open.
| rwmj wrote:
| I have an original London Underground Oyster Card which
| still works fine! It's MIFARE Classic according to
| Wikipedia, and I do often wonder when TfL will cancel them.
| lxgr wrote:
| They'll probably keep it around either indefinitely, or
| will replace it with a fully account-based scheme where
| there's nothing stored on the card itself (i.e. no
| stored-value balance) other than an authentication key
| for the card number.
|
| That's the model they already use for bank (credit and
| debit) cards too, so they need the backend to manage a
| deferred account-based system anyway. That's also what
| the MTA in New York does: They've never supported stored-
| value cards, and their new physical OMNY cards are
| effectively just a weird type of closed-loop EMV payment
| card.
| sschueller wrote:
| If I stay at a hotel with such a lock how can I tell it's
| affected? If the hotel hasn't patched it can I patch my rooms
| door myself without causing issues to the hotel?
| gabrielsroka wrote:
| I think it's in the bottom of the article
| michaelt wrote:
| You can generally assume at any hotel with keycards, that any
| other guest who wants to can get into your room.
|
| The only question is whether they do some hacker shit, or
| whether they just go to reception and say "My keycard isn't
| working, I'm in room 123" and reception gives them a new
| keycard for room 123, with no ID check and no questions
| asked.
|
| Luckily thieves are relatively rare and 97% of hotel rooms
| just contain a suitcase of second-hand clothes.
| jules-jules wrote:
| I locked myself out of the room on several occasions, and
| at the very least they ask for your name and double check
| in the system. It's not as easy as you describe.
| Retr0id wrote:
| A little social engineering would sort that out
| michaelt wrote:
| Perhaps you're staying at better hotels than I am?
|
| In my experience, keycards fail so often that the hotel
| workers don't bat an eyelid when you say your card has
| failed, they just make you a new one.
| pajko wrote:
| Just like microcorruption in real life :)
|
| https://microcorruption.com/map
| NooneAtAll3 wrote:
| I love these asm hacking challenges
| jerpint wrote:
| > An attacker only needs to read one keycard from the property to
| perform the attack against any door in the property
|
| That's a pretty serious vulnerability, pretty much all it takes
| is to be a guest at a hotel
| duderific wrote:
| Often times, the hotels don't even require you to turn in these
| cards upon checkout, so they are thrown in the trash. A
| nefarious actor could just pull one out of the trash and so not
| even have to be a guest in the hotel.
| nerevarthelame wrote:
| It seems irresponsible that it took dormakaba more than a year to
| fix a single lock. And even now, 1.5 years after the initial
| disclosure, still only around a third have been updated.
| jeffbee wrote:
| I hate to break it to anyone but most locked doors can be opened
| "in seconds" by a variety of means. For the most part the locked
| state is a signal of prohibition, rather than a meaningful
| enforcement thereof.
| SquirrelOnFire wrote:
| "Locked doors only stop honest people" -Abe Lincoln
| dhosek wrote:
| I could open any locked door at my high school by slipping my
| ID in the gap between the door and the frame and wedging the
| bolt open. I kind of suspect that forty years later, this
| vulnerability remains.
| bluGill wrote:
| Most locked doors can be bypassed even faster in some other way
| than unlocking them. A rock through the window...
| cesarb wrote:
| > Most locked doors can be bypassed even faster in some other
| way than unlocking them. A rock through the window...
|
| This is a bit harder when said window is only reachable from
| the outside, and is 78m above ground level (and all the walls
| are brick, so they're stronger than the wooden door).
| shadowgovt wrote:
| And especially in hotels, locked doors aren't about keeping
| everyone out forever (there's dozens of reasons that'd be an
| awful idea, from cleaning staff needing access to medical
| emergencies).
|
| They're about making it inconvenient enough / loud enough to
| gain unauthorized access that someone is going to notice and
| complain to the manager.
| jowea wrote:
| Even then, some of those means are noisy, require special
| equipment or skills or make it obvious a break in happened.
| kawsper wrote:
| The building where I rent has door locks from Scantron (
| https://scantron.dk/ ) they use RFID keys to open locks, and last
| year someone discovered a way of creating masterkeys from any key
| because of the weak encryption used by MiFare Classic.
|
| It took a journalist and a lot of e-mails and calls for my
| landlord to understand the problem, I suspect that Scantron were
| also downplaying the issue towards them. They finally budged and
| upgraded all the locks to use a better encryption scheme and re-
| issue keys.
|
| My building has 197 apartments, each of them has at least 2
| keys, I have to trust all of the tenants (and their friends), in
| order for my apartment not to get burgled, and if I were burgled
| my insurance wouldn't cover because there's likely no proof of
| entry.
| mdekkers wrote:
| I have rented my entire life, and "change all the locks" has
| always been the very first thing I do. I have a couple of
| different size high security cylinder locks, and whilst no
| cylinder lock is unpickable, I'm pretty happy with mine.
| NeoTar wrote:
| Interesting, because many renters (myself included) would not
| be permitted to change the locks.
| lxgr wrote:
| This is quite different around the world. I've rented both
| at places where I could bring my own security locks and
| others where the landlord pretty much insisted on having a
| copy of all keys so they could enter in an emergency (e.g.
| a water leak) without breaking down the front door.
| Turing_Machine wrote:
| Maybe operating on the "easier to ask forgiveness than
| permission" principle?
|
| I think landlords have to give you notice before entering
| your unit in most areas.
|
| Swapping locks is maybe a ten minute job (probably less if
| you've done it a lot).
|
| There's nothing to stop a tenant from swapping out the
| locks, then swapping the landlord's locks back in before a
| scheduled visit.
| vdqtp3 wrote:
| I agree, I have never rented anywhere where I was permitted
| to change the locks.
|
| I have changed the locks everywhere I have rented.
| ratg13 wrote:
| > _"Oops forgot to tell you.. was I not allowed to do
| that?"_
|
| The only way they would ever find out is if they were
| trying to enter your place unannounced.
| vizzah wrote:
| Change the cylinder. Put the old one back, when your rental
| period ends. Takes 10 mins to replace the cylinder.
| wickedsickeune wrote:
| Any chance you could share these e-mails? I also live in such
| an apartment complex and I was aware that the locks are jokes,
| but I didn't think it was possible to convince the building's
| managing company.
| samcheng wrote:
| Seems like it's only a matter of time before someone writes a
| Flipper Zero script to do this.
| datameta wrote:
| The more pertinent matter is that it took this long for RFID
| exploits to start catching the public eye. RFID is the least
| secure communication protocol that could be used for locks. At
| the very least we should have NFC be the standard.
|
| Someone with the intent and know-how to crack RFID readers
| could put together a hardware tool to do so. Does the Flipper
| Zero provide such a tool? Yeah. Does the responsibility of
| following ethics fall with the user? Debatable, but I think
| absolutely yes.
|
| If one carries around a lockpicking set and learns how to use
| it, they can go right ahead, correct? We accept the fact that
| people exist that can pick locks and yet 80% of states allow
| possession and use of lockpicking tools in a legal manner.
| wongarsu wrote:
| It's not just that RFID isn't very secure, it's that a lot of
| locks are using the worst possible implementations. Just
| checking the ID of the RFID chip against a whitelist is an
| astonishingly common method. Not only does that make access cards
| easy to clone and provide no cryptographic security at all,
| if you bulk buy access cards you often get sequentially
| numbered cards ...
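The difference wongarsu describes, between a reader that only compares the tag's self-reported ID against a list and one that makes the card prove it holds a secret, as an added simulation (not code from the thread or from any lock vendor; every UID, key and reader routine below is constructed for illustration):

```python
"""Static-UID whitelist vs. keyed challenge-response (simulation).

Added example, not code from the thread or from any lock vendor. All UIDs,
keys and the reader logic are constructed to illustrate one point: a reader
that only compares the tag's announced UID against a list cannot tell a
genuine card from anything else that announces the same number.
"""
import hashlib
import hmac
import secrets

# --- Variant 1: "is this UID on the list?" (the common weak design) ---------
# Constructed UIDs; note the sequential numbering a bulk order might produce.
ALLOWED_UIDS = {"04a1b2c3d4", "04a1b2c3d5", "04a1b2c3d6"}


def uid_only_check(presented_uid: str) -> bool:
    """Grant access purely on the UID the tag announces. No secret involved."""
    return presented_uid in ALLOWED_UIDS


# --- Variant 2: reader issues a fresh challenge, card proves key possession --
# Per-card secrets provisioned at enrolment (constructed values).
CARD_KEYS = {
    "04a1b2c3d4": bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"),
}


class GenuineCard:
    """A card that holds its enrolment key and answers challenges with a MAC."""

    def __init__(self, uid: str, key: bytes) -> None:
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class UidOnlyCopy:
    """A tag that reproduces only a UID and holds no key: exactly what a
    UID-only reader can never distinguish from the real card."""

    def __init__(self, uid: str) -> None:
        self.uid = uid

    def respond(self, challenge: bytes) -> bytes:
        return bytes(32)  # no key, so no way to compute the right answer


def challenge_response_check(card, rng=secrets.token_bytes) -> bool:
    """Grant access only if the card proves it holds the key bound to its UID."""
    key = CARD_KEYS.get(card.uid)
    if key is None:
        return False
    challenge = rng(16)  # fresh per transaction, so a recorded answer is useless later
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(challenge))


def compare_designs() -> dict:
    """Run both reader designs against a genuine card and a UID-only copy of it."""
    genuine = GenuineCard("04a1b2c3d4", CARD_KEYS["04a1b2c3d4"])
    copy = UidOnlyCopy("04a1b2c3d4")
    return {
        "uid_only": {"genuine": uid_only_check(genuine.uid),
                     "copy": uid_only_check(copy.uid)},
        "challenge_response": {"genuine": challenge_response_check(genuine),
                               "copy": challenge_response_check(copy)},
    }


if __name__ == "__main__":
    for design, outcome in compare_designs().items():
        print(f"{design:>18}: genuine={outcome['genuine']} copy={outcome['copy']}")
```

The UID-only reader accepts both cards because the UID is the only thing it ever looks at; the challenge-response reader accepts only the card that can answer a challenge it has never seen before, which is the property a static identifier can never give you regardless of how the number is transported.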
| rescbr wrote:
| OTOH I can use my credit card to open my door - and this is
| even advertised as a feature by the manufacturer!
| OkGoDoIt wrote:
| Which lock do you have? I've been wanting to get one with
| this functionality but I've never successfully found a
| smart lock that works like that.
| Nextgrid wrote:
| RFID is just a bidirectional link between the reader and the
| card. The security depends on what you send over that link.
| RFID in itself doesn't imply security or insecurity.
| vel0city wrote:
| RFID just means radio frequency identification. It does not
| imply any particular standard. NFC _can be_ a type of RFID
| system. Even saying NFC isn't necessarily implying any
| particular system of protection, basic NFC has no real
| protection out of the box and would require the higher-level
| protocols to actually provide any kind of encryption or relay
| protection or the like. An NFC-based system of RFID can also
| be incredibly insecure.
|
| Saying "RFID is insecure, use NFC" is like saying "radio is
| insecure, use WiFi." NFC is a subset of the concept of RFID,
| much the same way WiFi is a subset of digital radio
| protocols.
| datameta wrote:
| In my opinion it's clear that NFC is indeed designed with a
| higher focus on security than general RFID applications. In
| fact it emphasizes secure data exchange by design. Yes it
| is a subset of RFID technology operating at 13.56 MHz.
| Because NFC enables encrypted communication over very short
| distances (typically less than 4 cm), it is more
| challenging for unauthorized interception to happen. Also
| NFC supports two-way communication, which allows for more
| dynamic and secure interactions between devices, such as
| payment systems or secure access controls.
|
| RFID, while versatile and utilized across a range of
| applications from inventory management to access control,
| does not inherently prioritize security to the same extent.
| Its broader application spectrum means that specific
| security measures can vary significantly based on the use
| case and the design of the RFID system. For example,
| passive RFID tags, which are widely used due to their cost-
| effectiveness and simplicity, can be read from distances up
| to several meters, potentially exposing them to
| unauthorized scans. Active RFID tags offer longer read
| ranges and can incorporate additional security features,
| but their cost and complexity limit their use to specific
| applications.
|
| Therefore, when comparing the security aspects directly,
| NFC's design principles inherently prioritize secure
| exchanges, leveraging close proximity communication and
| encryption standards that are well-suited for transactions
| and sensitive data exchanges. This focus on security,
| combined with the technology's adaptability for consumer
| use (e.g., smartphones for payments), underscores NFC's
| advantage in scenarios where security is paramount.
|
| Most hotels use non-NFC RFID and on top of that most use
| passive tags. So it is certainly an inherent security flaw
| of hotel door locks. Unfortunately non-meatspace security
| is also drastically in need of choosing more effective
| already existing measures.
| lmm wrote:
| Feels like a very US-specific mentality. Back in the UK
| carrying lockpicking tools outside your home without good
| reason is "going equipped" and a crime in itself, and that's
| generally supported.
| datameta wrote:
| I don't have a formed opinion on available lockpicking kits
| other than if you make them contraband they will still be
| available in different ways and that measure will have the
| opposite effect.
|
| But a lockpicking kit has one purpose, it's picking locks.
| A Flipper Zero type device has plenty of legitimate, legal,
| personal uses in an IoT equipped home.
|
| The Flipper Zero being banned will lead to a flood of
| copies, not to mention black market OEM versions.
| jdalgetty wrote:
| Another strike against the Flipper Zero!
| brevitea wrote:
| > "their attack could be pulled off with little more than a
| $300 Proxmark RFID read-write device and a couple of blank RFID
| cards, an Android phone, or a Flipper Zero radio hacking tool."
|
| And Android, and EBay, and Proxmark...
| dmpanch wrote:
| I work for a company that manufactures access control and
| communication systems. The readers we develop support a variety
| of ID standards, from unencrypted EM-Marin and the long-ago-
| cracked Mifare Classic to modern Desfire EVx standards. According
| to our statistics, more than 95% of customers still continue to
| use the most insecure identifiers because of their low cost and
| ease of operation.
|
| Many of the installed devices are not properly maintained, even
| if the manufacturers continue to support them, because you have
| to pay for maintenance. In addition, not all equipment can be
| updated remotely over the network or even have a network
| connection to do so remotely.
|
| Even if your cards are encrypted, it still can't guarantee you
| protection, because in most cases card readers are connected to
| controllers (not in the case of all-in-one devices like this
| lock) via Wiegand protocol, which doesn't provide any data
| encryption, so the identifier ID is transmitted over two wires in
| the clear.
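To make the Wiegand point concrete, here is an added encoder/decoder for the common 26-bit Wiegand frame (leading even-parity bit, 8-bit facility code, 16-bit card number, trailing odd-parity bit). This is not the commenter's company's code; the format layout is the widely documented standard one and the sample values are constructed. The thing to notice is what the decoder does not need: there is no key anywhere, and the parity bits only catch accidental bit errors.

```python
"""Wiegand 26-bit frame encoder/decoder (added example, constructed values).

Layout of the 26 bits a reader clocks out to the controller on its two data
lines: [even parity][8-bit facility code][16-bit card number][odd parity].
The leading parity covers the first 13 bits, the trailing one the last 13.
"""

# Constructed capture: facility 123, card 45678, as a string of '0'/'1'.
SAMPLE_CAPTURE = "10111101110110010011011101"


def encode_wiegand26(facility: int, card_number: int) -> list:
    """Build the 26 bits a reader would send for this badge."""
    if not 0 <= facility < 2**8 or not 0 <= card_number < 2**16:
        raise ValueError("facility is 8 bits, card number is 16 bits")
    data = [(facility >> (7 - i)) & 1 for i in range(8)]
    data += [(card_number >> (15 - i)) & 1 for i in range(16)]
    even = sum(data[:12]) % 2          # makes the first 13 bits even parity
    odd = 1 - sum(data[12:]) % 2       # makes the last 13 bits odd parity
    return [even] + data + [odd]


def decode_wiegand26(bits) -> tuple:
    """Recover (facility, card_number) from a frame. No secret is involved."""
    bits = list(bits)
    if len(bits) != 26 or any(b not in (0, 1) for b in bits):
        raise ValueError("expected 26 bits")
    if sum(bits[:13]) % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if sum(bits[13:]) % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    data = bits[1:25]
    facility = int("".join(map(str, data[:8])), 2)
    card_number = int("".join(map(str, data[8:])), 2)
    return facility, card_number


def decode_bitstring(capture: str) -> tuple:
    """Decode a frame written as a string of '0'/'1' characters."""
    return decode_wiegand26(int(c) for c in capture.strip())


def is_valid_frame(bits) -> bool:
    """True when the frame parses and both parity checks pass."""
    try:
        decode_wiegand26(bits)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(decode_bitstring(SAMPLE_CAPTURE))          # (123, 45678)
    frame = encode_wiegand26(123, 45678)
    print("".join(map(str, frame)) == SAMPLE_CAPTURE)  # True
```

Because the controller accepts whatever well-formed frame arrives on those two wires, encrypting the card itself does nothing for this link; the usual mitigation is a reader-to-controller protocol with its own authentication and encryption (OSDP with Secure Channel is the common replacement), plus tamper detection on the reader housing.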
| lol768 wrote:
| At some point, isn't there some responsibility that rests with
| manufacturers for choosing to continue to support known-
| insecure standards?
|
| How many browsers do you think support the
| TLS_NULL_WITH_NULL_NULL cipher?
| Nextgrid wrote:
| It's often a compatibility thing too. Insecure standards can
| often coexist because they're the lowest common denominator.
| It's just a "password" stored and transmitted as plaintext.
|
| A secure system would involve a PKI which increases
| complexity and management overhead significantly (you won't
| be able to just copy "passwords" from one system to another,
| etc).
| noselasd wrote:
| Browser manufacturers normally don't have contracts that
| bind them to supply product X for Y years.
| michaelt wrote:
| For a while I've had a question about hotel keycard technology,
| maybe you can answer.
|
| Essentially every time I've stayed in a hotel with contactless
| keycards (usually in a group needing 3-5 rooms for 2-3 nights)
| at least one person has needed to get a keycard reissued.
|
| What's up with that? My workplace's smartcards and my
| contactless bank cards keep working for years on end.
| lxgr wrote:
| Hotel keycards usually work by having dynamic data written to
| them at the front desk (as the locks are often not network
| connected, at least in older systems, so they write things to
| the card like "works for room 123 until March 30th noon and
| the gym" or "works for room 456; sequence number 2,
| invalidate all prior keys").
|
| There are two types of magnetic stripe cards available: High-
| coercivity (HiCo) and low-coercivity (LoCo). The field-
| rewritable kind used in hotels is usually LoCo, to make the
| writers smaller and cheaper. But that also makes the cards
| much more prone to accidental corruption by magnets you might
| have on you, like earbuds, magnetic wallets etc.
|
| Bank cards are usually only ever programmed once (these
| days), i.e. when they're issued, so they're usually HiCo,
| making them much more robust against that. In addition to
| that, magnetic stripe usage has been phased out for payment
| cards in most countries and is getting rare even in the US,
| so for all you know, and depending on where you live/shop,
| your magnetic stripes might have already been demagnetized
| without any adverse effects!
|
| Bonus trivia question: Guess which kind NYC MTA Metrocards
| are :)
|
| Edit: Oh, I just saw that you asked about contactless
| keycards! For these I actually have no idea, and I haven't
| had one fail on me yet.
|
| I just know that they often use a similar scheme ("works for
| rooms x, y, z, until timestamp n"), sometimes with a bit of
| cryptography on top (often with a single shared key across
| all instances of the same lock and even across hotels...) but
| using non-networked locks, so there can definitely be
| synchronization/propagation issues too.
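The card-carries-the-policy model lxgr describes ("works for room 123 until March 30th noon", "sequence number 2, invalidate all prior keys") with a non-networked lock, as an added simulation. This is not dormakaba's or any vendor's format: the byte layout, the single property-wide key and the rule that a newer sequence number retires older cards for the same door are assumptions chosen to mirror the description above, and the whole timeline is constructed.

```python
"""Offline hotel-lock credential with room, expiry and sequence number.

Added example, not any vendor's format. The layout, the property-wide key and
the "newer sequence number invalidates older cards" rule are assumptions that
mirror what a front desk writes to a card for a lock with no network link.
"""
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# Key shared by every lock in one property (assumed; provisioned at install time).
PROPERTY_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
BODY_FMT = ">HIH"          # room number, expiry as unix seconds, sequence number
BODY_LEN = struct.calcsize(BODY_FMT)
MAC_LEN = 8                # truncated HMAC-SHA256 tag appended to the body


def issue_credential(room: int, expires_at: datetime, seq: int,
                     key: bytes = PROPERTY_KEY) -> bytes:
    """What the front desk writes to the card: body || MAC(body)."""
    body = struct.pack(BODY_FMT, room, int(expires_at.timestamp()), seq)
    mac = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + mac


class OfflineLock:
    """A battery-powered door lock that validates cards with no back end."""

    def __init__(self, room: int, key: bytes = PROPERTY_KEY) -> None:
        self.room = room
        self._key = key
        self.current_seq = 0   # highest sequence number this door has accepted

    def try_open(self, credential: bytes, now: datetime):
        body, mac = credential[:BODY_LEN], credential[BODY_LEN:]
        if len(body) != BODY_LEN or len(mac) != MAC_LEN:
            return False, "malformed"
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(expected, mac):
            return False, "bad mac"          # edited or forged body
        room, expiry, seq = struct.unpack(BODY_FMT, body)
        if room != self.room:
            return False, "wrong room"
        if now.timestamp() >= expiry:
            return False, "expired"
        if seq < self.current_seq:
            return False, "superseded"       # a later check-in already rotated this door
        self.current_seq = seq               # remembered across power cycles in practice
        return True, "ok"


def scenario() -> list:
    """Constructed timeline for room 123, returned as (label, reason) pairs."""
    utc = timezone.utc
    lock = OfflineLock(123)
    checkout_a = datetime(2024, 3, 30, 12, 0, tzinfo=utc)
    guest_a = issue_credential(123, checkout_a, seq=1)
    guest_b = issue_credential(123, datetime(2024, 4, 2, 12, 0, tzinfo=utc), seq=2)
    other_room = issue_credential(124, checkout_a, seq=1)
    tampered = bytearray(guest_a)
    tampered[0] ^= 0x01      # flip one bit in the room field without re-MACing

    during_stay = datetime(2024, 3, 28, 9, 0, tzinfo=utc)
    steps = [
        ("A during stay", lock.try_open(guest_a, during_stay)),
        ("other room's card", lock.try_open(other_room, during_stay)),
        ("A after checkout", lock.try_open(guest_a, datetime(2024, 3, 30, 12, 1, tzinfo=utc))),
        ("tampered copy of A", lock.try_open(bytes(tampered), during_stay)),
        # Guest A leaves early; B is checked in at 10:00 with sequence 2.
        ("B early check-in", lock.try_open(guest_b, datetime(2024, 3, 30, 10, 0, tzinfo=utc))),
        # A's card is still inside its expiry window, but the door has moved on.
        ("A after B checked in", lock.try_open(guest_a, datetime(2024, 3, 30, 10, 30, tzinfo=utc))),
    ]
    return [(label, reason) for label, (_, reason) in steps]


if __name__ == "__main__":
    for label, reason in scenario():
        print(f"{label:>22}: {reason}")
```

Two things worth noticing from the defender's side: the lock never consults anything but the card and its own clock and counter, which is why a lost or discarded card stays valid until it expires or the door sees a higher sequence number, and everything rests on one key shared across the property, so the scheme is only as strong as the card technology that is supposed to keep that key and the written data out of reach.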
| neuralRiot wrote:
| I used to work as maintenance on a big chain hotel and we
| had magstripe card locks, I don't think strong security is
| their primary goal as in a hotel the staff can enter any
| room at any time, the cards me and my team had were "god
| mode" we could open any door at any time even when locked
| from inside. If the lock didn't work "firmware problems,
| dead batteries, stuck mechanism" we had another device that
| worked by removing a cover and connecting with a wire, this
| was also used for testing and FW updates.
| Detrytus wrote:
| Shouldn't that be other way around? Keycard only holding
| the simple numeric id, which is burned into a silicon chip
| on it and impossible to modify, and the reader at the door,
| connected to hotel central system checks what privileges
| that particular keycard grants?
| tesseract wrote:
| In the days before cheap, low-power radio networks a
| "central system" would have meant dedicated wiring to
| each door lock. So it would have been much more expensive
| to install than a standalone battery powered unit mounted
| directly on the door.
| vizzah wrote:
| I had the same experience with NFC hotel card failing after
| being in my pocket (next to other cards and a phone). It had
| to be re-programmed at the hotel's desk to work again.
| Puzzled me enough to search net for the answers, but to no
| avail.
| dpsych wrote:
| https://archive.is/gifH6
| asynchronous wrote:
| Going to go against the grain and say thank you to devices like
| the Flipper Zero for getting vulnerabilities like this out into
| the public eye for scrutiny.
| saagarjha wrote:
| Not really against the grain here :)
| CyberDildonics wrote:
| _By exploiting weaknesses in both Dormakaba's encryption and the
| underlying RFID system Dormakaba uses, known as MIFARE Classic,
| Carroll and Wouters have demonstrated just how easily they can
| open a Saflok keycard lock._
| oneplane wrote:
| RFID and NFC are the new Magstripe and Barcodes.
|
| People think that they are mysterious things that are secure
| because they aren't able to see what they mean. But in reality,
| they are all still just a machine-readable number.
|
| (even if a rolling key, challenge-response or pubkey
| authentication is supported, we're often still just using a
| single number, but my point is more about the perceived obscurity
| for the public)
| lxgr wrote:
| It really depends. There are some contactless tags that really
| do nothing other than transmit a static identification number
| which is trivially spoofable, but many systems today use
| cryptography (again, some long cracked and horribly outdated,
| but others quite strong).
|
| I have a contactless card that runs GPG as a Java Card applet
| and creates 4096-bit RSA signatures. That's pretty secure!
| neilv wrote:
| > _[...] shared the full technical details of their hacking
| technique with Dormakaba in November 2022. [...] told by
| Dormakaba that, as of this month, only 36 percent of installed
| Safloks have been updated._
|
| Did Dormakaba not make this a first-priority, all-out effort?
|
| Or have 2/3 of the installations been offered a timely free fix,
| but are dragging their feet for some reason?
|
| > _"Our customers and partners all take security very seriously,
| and we are confident all reasonable steps will be taken to
| address this matter in a responsible way."_
|
| That "reasonable" in a PR response is suspicious.
|
| Wikipedia:
|
| > _dormakaba Holding AG is a global security group based in
| Rumlang, Switzerland. It employs more than 15,000 people in over
| 50 countries._
|
| Sounds like they probably have the resources, if they have the
| will to solve this before potential very bad things happen to
| some hotel customers.
|
| > _publicly traded on the SIX Swiss Exchange._
|
| https://www.google.com/finance/quote/DOKA:SWX?comparison=IND...
|
| https://www.google.com/finance/quote/DOKA:SWX?comparison=IND...
| lazide wrote:
| Hotel and hotel safe locks have always been of dubious
| security.
| JudasGoat wrote:
| https://archive.ph/PypxP
| LeoPanthera wrote:
| Apparently I don't understand how hotel card keys work. I always
| assumed that keys were manufactured with a random UUID inside
| them, and then when you checked in, a random card was attached to
| your room and given to you.
|
| When you try to open a door, it compares your card's ID to the
| room database to see if the door should open.
|
| Is that... not how it works? Because that seems _simpler_ than
| anything that involves encryption, or actually writing shit to
| the card.
| seplox wrote:
| > Dormakaba started selling Saflok locks in 1988, which means
| that vulnerable locks have been in use for over 36 years.
|
| Ok, my eyebrows are up. Authentication has grown so much as a
| field since then that I'm having trouble with the idea that this
| flaw has always been present. In fact, Saflok predates MIFARE
| Classic by at least five years. Perhaps all will become clear if
| a full technical disclosure is ever made available, but it seems
| like the authors are making an overstatement here.
|
| https://unsaflok.com/
___________________________________________________________________
(page generated 2024-03-21 23:00 UTC)