NFID
Full Title or Meme
Or is this confused with RFID
Problems
from Toni Pati on Linked in:
Ars Technica: Hackers can unlock over 3 million hotel doors in seconds, by exploiting weaknesses in both Dormakaba's encryption and the underlying RFID system.[1]
When thousands of security researchers descend on Las Vegas every August for what's come to be known as “hacker summer camp,” the back-to-back Black Hat and Defcon hacker conferences, it's a given that some of them will experiment with hacking the infrastructure of Vegas itself, the city's elaborate array of casino and hospitality technology. But at one private event in 2022, a select group of researchers were actually invited to hack a Vegas hotel room
By exploiting weaknesses in both Dormakaba's encryption and the underlying RFID system Dormakaba uses, known as MIFARE Classic, Carroll and Wouters have demonstrated just how easily they can open a Saflok keycard lock. Their technique starts with obtaining any keycard from a target hotel—say, by booking a room there or grabbing a keycard out of a box of used ones—then reading a certain code from that card with a $300 RFID read-write device, and finally writing two keycards of their own. When they merely tap those two cards on a lock, the first rewrites a certain piece of the lock's data, and the second opens it.
The technique to hack Dormakaba's locks that Wouters and Carroll's research group discovered involves two distinct kinds of vulnerabilities: One that allows them to write to its keycards, and one that allows them to know what data to write to the cards to successfully trick a Saflok lock into opening. When they analyzed Saflok keycards, they saw that they use the MIFARE Classic RFID system, which has been known for more than a decade to have vulnerabilities that allow hackers to write to keycards, though the brute-force process can take as long as 20 seconds. They then cracked a part of Dormakaba's own encryption system, its so-called key derivation function, which allowed them to write to its cards far faster. With either of those tricks, the researchers could then copy a Saflok keycard at will, but still not generate one for a different room.
The researchers' more crucial step required them to obtain one of the lock programming devices that Dormakaba distributes to hotels, as well as a copy of its front desk software for managing keycards. By reverse-engineering that software, they were able to understand all the data stored on the cards, pulling out a hotel property code as well as a code for each individual room, then create their own values and encrypt them just as Dormakaba's system would, allowing them to spoof a working master-key that opens any room on the property. “You can make a card that really looks as if it was created by the software from Dormakaba, essentially,” says Wouters.- ↑ Andy Greenberg, Hackers can unlock over 3 million hotel doors in seconds 2024-03-22 https://arstechnica.com/security/2024/03/hackers-can-unlock-over-3-million-hotel-doors-in-seconds/