Hackers found a way to open any of 3M hotel keycard locks

Title and “3M” Confusion

  • Many readers initially misread “3M” as the company, not “3 million,” prompting calls to retitle the submission.
  • Long tangent on notation: M vs MM vs mm, SI units vs accounting shorthand; some argue for “3MM” or spelling out “3 million” to avoid ambiguity.

Nature and Impact of the Saflok Vulnerability

  • Vulnerability affects millions of Dormakaba Saflok locks; one valid card from a property can be used to open any room there.
  • Attack can be executed with inexpensive tools (Proxmark, Android, Flipper Zero, blank cards).
  • Deadbolt is controlled by the same keycard system, so it does not add real protection.

Hotel Deadbolts and “Security Theater”

  • Surprise that deadbolts don’t provide independent security; others say this is intentional so staff and emergency responders can always enter.
  • Discussion of “swing bar” latches and how bypass tools and DIY methods can defeat them.
  • Broader point: many locks mainly deter honest people; serious attackers have multiple fast bypass options.

Keycard Tech, RFID, and NFC Security

  • MIFARE Classic widely regarded as effectively broken; cloning and rapid attacks are possible.
  • Many access systems only check a static ID, send it in cleartext (e.g., Wiegand), and reuse insecure cards because they’re cheap and compatible.
  • Debate whether NFC is inherently more secure; one side claims it’s designed for secure, short-range encrypted use, the other stresses base NFC has no built‑in encryption and security depends entirely on higher‑level protocols.

Vendor Response and Responsibility

  • Dormakaba was informed in 2022; as of the article, only ~36% of locks reportedly updated.
  • Some view this as unacceptably slow for a critical security issue; others note customers also resist upgrades due to cost and complexity.

Operational and Social Risks

  • Even without hacking, many hotels reissue keycards with minimal or no ID checks, so social engineering remains a major threat.
  • Various explanations of how hotel cards actually work: offline locks, data and expiry written to card, “new key invalidates old” logic.

Guest and Tenant Mitigations

  • Suggestions: door jammers, straps, extra physical devices when in the room.
  • For apartments, multiple stories about changing cylinders or avoiding insecure RFID locks, with tension between tenant security and landlord/emergency access requirements.