Talk
TODAY’S TOPIC
What is Saflok?
- Saflok = hotel lock system made by Dormakaba.
- SPOILER ALERT: not very safe, kinda poorly designed.
- It’s a PACS (Physical Access Control System), just like what we use at Tech, but implemented very differently.
PACS basics (high-level)
- PACS usually stores two values:
  - Facility code (e.g., “this is an MTU card”)
  - Card number (unique per person, defines access)
- Tap card → reader → door controller → network controller → server
- Server cross-references values → decides if door opens
- At Tech: centralized + online (industry standard).
- You can view your own logs at cardservices.mtu.edu (real-time audits & alerts).
Wiegand stuff (the value on your card)
- Wiegand comes from the Wiegand effect in physics.
- Old-school cards used dedicated 0/1 wires (now mostly emulated).
- Format is usually hexadecimal.
- Easy to decode by hand.
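Decoding one by hand, as an added example that is not from the talk: it assumes the common 26-bit H10301 layout, which these notes do not name, and the sample values are constructed.

```python
# Added example, not from the talk. Assumes the common 26-bit "H10301"
# Wiegand layout (MSB first):
#   1 even-parity bit | 8-bit facility code | 16-bit card number | 1 odd-parity bit
from dataclasses import dataclass


@dataclass(frozen=True)
class Wiegand26:
    facility_code: int
    card_number: int
    parity_ok: bool


def decode_wiegand26(hex_value: str) -> Wiegand26:
    """Decode a 26-bit Wiegand value written as hex, the way you would by hand."""
    raw = int(hex_value.strip(), 16)
    if raw >> 26:
        raise ValueError("more than 26 bits: not this format")

    # bits[0] is the first bit on the wire (the leading parity bit).
    bits = [(raw >> (25 - i)) & 1 for i in range(26)]

    facility_code = (raw >> 17) & 0xFF   # bits 2-9
    card_number = (raw >> 1) & 0xFFFF    # bits 10-25

    # The leading bit makes the number of 1s in the first 13 bits even;
    # the trailing bit makes the number of 1s in the last 13 bits odd.
    even_ok = sum(bits[:13]) % 2 == 0
    odd_ok = sum(bits[13:]) % 2 == 1
    return Wiegand26(facility_code, card_number, even_ok and odd_ok)


# Constructed sample values (not real credentials).
GOOD_READ = "2F764DD"   # facility code 123, card number 45678
NOISY_READ = "2F764DF"  # same value with one bit flipped in transit

if __name__ == "__main__":
    for sample in (GOOD_READ, NOISY_READ):
        print(sample, decode_wiegand26(sample))
```

The parity bits only catch read errors; nothing in the 26 bits authenticates the card, so the access decision and the audit trail live on the server side.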
Where Saflok fits in
- Dormakaba makes Saflok (just one PACS product among many).
- Common in hotels and apartments
- Rough estimate: ~30% of NFC hotel properties use Saflok.
- System has evolved over time but:
  - Same core design
  - Uses RFID / MIFARE Classic
  - Stores basically the same data as decades ago
Offline PACS is… not great
- Saflok is fully offline (sometimes semi-offline).
- All auth happens locally on the lock.
- Downsides:
  - No central monitoring
  - Brute forcing card values is possible without alerts
  - Privilege escalation is easier (flip a few bits → higher access)
- There exists an emergency key (super master key).
  - Overrides everything
  - Used in emergencies
  - Yes it’s terrifying
System 6000 & why this got bad
- Older Saflok installs use System 6000
- Previously you needed expensive hotel hardware to mess with it.
- Now:
  - You can interact with the backend database (System 6000 Firebird)
  - Mint cards for other properties
  - Edit card permissions across facilities
- Property ID validation is not great
Card internals (high-level)
- Data is “encrypted” (really obfuscated).
- Once the obfuscation is understood, the whole system falls apart.
- Card levels:
  - Guest key (level 0/1)
  - Higher privilege levels
  - Emergency key = bit 12 (stored as level 13)
- Flipping fields manually causes weird edge cases because the system was never meant to be used this way.
- Emergency key can bypass deadbolts if software-controlled (not good).
Sequencing (important concept)
- Keys have sequence numbers to invalidate old cards.
- Treat sequence + combination as a password.
- You can resequence keys:
  - Guest resequencing key
  - Emergency resequencing key
  - Etc.
- This mechanism is supposed to improve security but is easily abused.
Patching problems
- Fixing Saflok is expensive.
- Many hotels didn’t want to pay.
- Dormakaba offered two “enhanced security” options:
  - Disable MIFARE Classic (cheap, bad, doesn’t really fix it)
  - Actually fix the system (expensive)
- Marketing was confusing, so many properties chose the cheap option.
- Result: problem not actually solved.
“Ultralight C is safe”. Well, not really
- Initial impression was that:
  - Only System 6000 is affected
  - Ultralight C is safe
- But the reality is…:
  - Newer apartments use different software + locks
  - Same underlying system
  - Same weaknesses, just rebranded
Patents = accidental info leak
- Dormakaba patents describe:
  - Internal lock logic
  - Key structure
  - Algorithms
- Basically hands attackers a roadmap.
- Algorithms are shared across deployments (no per-site keys).
- Enhanced security does fix this by introducing per-property keys.
Tooling
- Custom tools exist for Flipper Zero and Proxmark.
- Noah’s version is more generic — doesn’t fully automate things.
- Many similar tools exist from other researchers.
Final plea
Please stop installing cheap, half-fixed security systems.
Please no more MIFARE Classic credentials. Please