Every Saflok hotel lock installed since 1988 could be opened with $50 of hardware and two blank cards. 3 million locks. 13,000 hotels. 131 countries.

Researchers created a master key that opens any room in any Saflok hotel. Marriott, Hyatt, IHG — all of them. The lock on your hotel room door has been bypassable for 36 years.

Dormakaba knew since September 2022 and patched slowly. Eighteen months later, only 36% of locks were fixed. Each lock must be individually reprogrammed by a technician visiting the door. A hotel with 500 rooms needs 500 individual visits. At this pace, guests will be sleeping behind bypassable locks for years. The vulnerability is 36 years old. The fix will take more years.
What they claim: Dormakaba Saflok is marketed as secure hotel access control trusted by major hotel chains worldwide.
What we found: In March 2024, researchers Lennert Wouters and Ian Carroll disclosed "Unsaflok" — a vulnerability affecting every Saflok lock deployed since 1988. Using $50 of off-the-shelf hardware (a MIFARE Classic card writer), they could create a master key for any Saflok lock in any hotel. 3 million locks across 13,000 properties in 131 countries were affected, including Marriott, Hyatt, IHG, and Wyndham hotels.
What they claim: Dormakaba describes its response to security disclosures as responsible and timely.
What we found: Researchers notified Dormakaba in September 2022. By the March 2024 public disclosure — 18 months later — only 36% of affected locks had been updated. The fix requires physically visiting each lock with a programmer device. Many hotels have thousands of locks. At the current pace, researchers estimated some hotels would remain vulnerable for years.