This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. For an explanation of our Advertising Disclosure, visit this page.

I often write about ways to keep yourself, your loved ones and your valuables safe while traveling. For some background, I’ve traveled over three million miles, to 70+ countries, have stayed in thousands of hotels and haven’t had any major problems like getting my stuff stolen. It’s because I’ve been aware, vigilant and lucky. Heck, even Rick Steves has been pickpocketed three times.

Hotel room door and lock.
Wired published a disturbing story yesterday titled: Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds. Turns out, every August, there are hacker conferences that take place in Las Vegas. It’s smart of the city to invite them because they’re trying to figure out the vulnerabilities in their infrastructure, including casino and hospitality technology.

Results are just being released from a 2022 private event where a select group of hackers were invited to hack a Vegas hotel room. Unfortunately, they discovered a technique that “would allow an intruder to open any of millions of hotel rooms worldwide in seconds, with just two taps.”

According to Wired, “Ian Carroll, Lennert Wouters, and a team of other security researchers are revealing a hotel keycard hacking technique they call Unsaflok. The technique is a collection of security vulnerabilities that would allow a hacker to almost instantly open several models of Saflok-brand RFID-based keycard locks sold by the Swiss lock maker Dormakaba. The Saflok systems are installed on 3 million doors worldwide, inside 13,000 properties in 131 countries.”


The good news is that the company has a fix. The bad news is that it’s going to take a few months to get to all of their properties.

Carroll and Wouters say “hotel guests can recognize the vulnerable locks most often—but not always—by their distinct design: a round RFID reader with a wavy line cutting through it. They suggest that if hotel guests do have a Saflok on their door, they can determine if it’s been updated by checking their keycard with the NFC Taginfo app by NXP, available for iOS or Android. If the lock is manufactured by Dormakaba, and that app shows that the keycard is still a MIFARE Classic card, it’s likely still vulnerable.”

This is a lot for the average consumer to do so I think it’s best to follow their other piece of advice if your hotel hasn’t fixed the lock. “There’s not much to do other than avoid leaving valuables in the room and, when you’re inside, bolt the chain on the door.” They warn that the deadbolt on the room is also controlled by the keycard lock, so it doesn’t provide an extra safeguard.

As I’ve pointed out in other stories, you can’t trust the locks, including the safety latch as they can be opened in seconds. That’s why I pack a door stopper and recommend using other devices if you’re really concerned. Read this story about how criminals are using an insider device to break into hotel rooms and see the videos below:

YouTube video

Here’s a demonstration of how easy it is to open a folding latch from the outside:

YouTube video

And here’s an example of a swing bar latch:

YouTube video


Is Your Hotel Scamming You?
Don’t Fall For It: Scammers Are Pretending to be Customs and Border Protection Agents
Cybersecurity and Fraud Expert Shares Tips on How Not to Get Scammed When Traveling
How To Avoid Vacation Rental Scams
Don’t Fall For These QR Code Scams

Want more travel news, tips and deals? Sign up to Johnny Jet’s free newsletter and check out these popular posts: The Travel Gadget Flight Attendants Never Leave Home Without and 12 Ways to Save Money on Baggage Fees. Follow Johnny Jet on MSNFacebook, InstagramPinterest, and YouTube for all of my travel posts.

1 Comment On "Security Alert: Millions of Hotel Room Keycard Locks Vulnerable to Hacking, Warns Report"
  1. John|

    Bad people have to much free time on their hands.

Leave a Reply

Required fields are marked *