Dormakaba Discloses Critical Vulnerability, To Rip And Replace Access For 300,000 Doors
Cracked access control credentials are a rising concern: technologies developed decades ago are still widely sold and used, and they are increasingly at risk.
Now Dormakaba has disclosed a vulnerability in its Saflok locks that allows unauthorized access to 3 million doors that use Mifare Classic credentials.
Based on interviews with Dormakaba and with the security researchers who discovered the vulnerability, and on IPVM research, we detail the impact and severity of this vulnerability as well as mitigation strategies.
Executive *******
******* ***** ********* ****** ****** ******* credentials **** ** ** *********** ******** or *******, ** ** ******** *** gain ****** ** *** **** ****** the ******** ***** * ****** ******* credential ****** *** **** ********, ********** of *** ********* ***** (********, *****, valid, *******, ***.).
*** ********* ****** ************* ******* * million ***** ***** ****** ******* ***********, with **% ******* ** ** ***** ripped *** ********. *** ************* ********* impacts *********** ***** *** *** ***-*********** locks, *** ** ******** *** *************, Mifare ******* *********** **** ** ** disabled *** ********* ****** ***** *******.
**** ****** ******** **** ****** *** Mifare ******* ********** ** *** ****** and **** ** ** ****** *** new *********** **** ***** ****** ** any **** ****** *** ******. ** such, ********* ********** ***** ****** ********** C *** ******* *** *********** ****** these ******* *** ********* ** ******** that **** *** ******* ****** *******.
***** *** ************* *** ********* ** Dormakaba ** ******** ****, ********* **** IPVM **** **** ******* ** *** systems ***** ********* ** *** ***** due ** **** *************. ** ******** to *** *************, *** ******* *** stopped ******* *** ********** ****** *******, prioritizing "**** ******" ************.
3 ******* ***** **********
********* **** **** **** *** ************* within ****** ****** ******* *********** ******* 3 ******* *****. *** *********** ******** use ****** **********, ********* ** ***********, with ********** ******** ****** **** *** Ambiance.
*** ************* ** ******* **** * system ** **** **** ****** ******* credentials. *** ******** ******* ***** *** this ************* *** *** **** ***** utilize *** ****** **********, ***** *** information ******* ** *** *** **** is **** *** **** **** *** the ****** ********. **** ** ********* used ** *********** *********, ***** *** management ******** ** ****** **** ** Ambiance. **** ************ ** *** *********** Housing ***** ***** *** ****** **** or ********* *** **** ********
300,000 ***** ** ** ****** *** ********
********* **** **** **** ******* ***** than ***** ***** *** **** ** be ****** *** ********, ************* ** ~300,000 *****.
*** **** ******** ** ****** ***** systems *** ***** **** ********* *** use ** **** ****** *********** **** as ****** ********** * *** **** than ***** *****. **** ******* *** more **** ***** ***** ***, ***** represents ***** **% ** *** ********* base.
**** **** ** **** *** ***** electronics ** *** ******* ********** * and ******* ***********.
*** ******* ****** *** *** *********** of **** ***-********** ** ** **** cases **** **** *********** ** **** they **** ** ***** ******* ** electronics **** ** *** ******* ** reading *** **** ****** **** ********** types.
********* ***** **** **** ******* **** to ******* ******** **** ** ******* the *********** ** ******* ********** * and ******* ***********, *** **** ***** not **** ** ******* **** ********.
**** ********* **** **** ***** ****** of ******* ******* **** ** *** support *** **** ****** *********** *** those **** ** ********.
Customers **** *** *** ********
***** ********* *** ******* * **** to **** **** **** ************* ************, the ******** ********* **** **** ** pay *** ****** ******** ** ******** it.
*** ********* **** **** ********** *** transition **** ********** *******, **** ********* saying **** ***** "****** ** *********."
****** ** ********* ****** ******** ********* have **** ***** ** ***** ** execute *** ******* ** ******* ** possible.
Mifare ******* ********* ********** *************
**** ************* *** ********** ** ******** researchers,******* *******,*** *******,***,************,*** *****, ******, ******* *******. *********** ********* *** ************* ** Dormakaba ** ******** **** *** ************ with *** ******* ** ******* ********** approaches.
*** *********** **** **** **** ******* Saflok *** ****** ***** ********, *** they *** **** **** ****** *********** without ******* *** *** (*** ****’* *********** ** * ******** researcher’s ****** *** **************).
***, ** *** ******* ******** *** Saflok *** *********. **** *** **** part ** *** ******** ** ******** to *********. **** ******** ****** *** KDF *** ******** ********* ** *** user "*******" ** *****. ************, ****** have ***** **** **** ******* ********** the *** **** ***** ***, ****** our ******** *******.
******* ***** **** *** **** ********* detail, ***** ** *** *** *** in *** ***** ** ******* ******, knowledge ** *** *** ** *** strictly ********* *** *** ******.
*** ********* ************* ****** ** ******** to ******** ********** *** **** ************ access ** *** **** ** *** target ******** ** ********* ** ******* or ****** *****/***** *** **** ****** by *** **** ********. *** ******** uses **** **** ** * ****** to ********** *** **** **** *** generate *** *** *****.
*** ******* **** *** ***** ********* the *** ** ****** ******* ***********, the ************* ** ********* ******* *** modification ** *** **** ** *** MIFARE ******* ***********.
*** ********* *********** ***** ***** *** keys ********** **** * ********* *** used ** *********** **** **** ***** to ****** * ****.
** **** ******* * ******** ****** on *** ********* ******* ** **** vulnerability.
Ethical ********** **** ********** **** ********
***** *********** *** ********* *** *** address *** ******** *** ** ******* and ****** **********, **** ******** ***********' approach ** ********** *** ************* ****** puts ******** ** ********* ** ******* the ************* *** *** ****** ****** affected *******.
*********** **** **** **** *** *** seek ******** ************ **** ********* *** chose ** ******** *** ************* *********.
**, ** *****. * **** **** Dormakaba ********* **** ***** ***** **** kind ** *** ****** *******. **** we ****** ** **** *********, **** didn't **** * *** ****** ******* and * *** ******** **** ******** kind ** * ***** ****** ***** you *** ****** ***************, ** ****'* good.
*********** ***** **** **** *** *** want ** **** **** *** ****** to ******* **** ************* ** * future ****.
** **** ** ***** **** ** didn't **** ** **** *** **** and ** **** ** **** ****** about *** *************.
Dormakaba's ********** ********
*********'* ********** ******** ******** ****** ******* for ******** ******** *** ************* *** customers ** ******** ****** ***************.
********* ** ********* ****** ******* ***** software ******** *** ********. ** **** otherwise ******** * ***** ***** ** documentation *** ********* **** ** **** assist ********* ** *********** **** ********* their ****** ** ********* ** *** what ***** *** ** ***** ** mitigate **** *************.
********* ********** *** ***** ** **** secure *********** **** ********** * ** DESFire *** ** ******* *************** ****** Mifare ******* ***********.
*****, ********* **** ******* ** ***** secure *********** **** ** ****** ********** C ** ****** ******* ***. *** of ****** ******* *** ***** *** fobs ****** ** ************.
*** ******* ***** ******** ** ******** software **** *** ** ********** ** support ********** * *********** *** ******* Mifare ******* *********** **************.
********* *** ******** ******** ** ********, Community, *** ****** **** **** ******* secure *********** **** ** ****** ********** C *** ****** *** ****** ** be *** **** **** ***** **** systematically ****** ** **** ****** ******* credentials.
********* **** **** **** *** ******* closely ** ********* *** ********* ********* an ***-**-*** ******** ********* *** ******** doors *** ****-***** ******.
**** ********* **** * ******* ** third-party ****** ************ **** *** ********* interact ****. ******** *** ******* ********* and ****-***** ****** *******. ** **** developed ********* *** ***** **** **** with *** ****** ***********. ** *** working ******* **** **** ********* *** third-party ******** ** **** ******* **** systems.
Dormakaba ***** ******* ****** *******
********* **** **** **** **** ******* selling *** ********** ****** ******* ***********.
** **** *** ******** ****** *** that *** *** *** ******** ** upgrade, ** **** *** **** ****** classic *******.
*** ******* ***** ******* ** ****** Classic ***** *** *******, ***** **** first ****** ** ***** **** *** in ********* **** ** *********** *** Multifamily ******* *********, ****** * **** after *** ************* *** *********.
*** **** ****** ************** ********* *********’* changes ** *** ******* ******* **** technology **** ****** ** ***** **** and ********* **** ** *** *********** and *********** ******* *********.
Mifare ******* *** ******** *** ***********
***** ****** ******* *** **** ******* for * ******, ************* **** *********** strategies ** ******** ******* ** ***** credentials, **** ** ************ *********** *** derivation ********* **** ***** *** ****** surface. **** *** ********* ************* ** Dormakaba, ***** ********** *** ** ****** viable, ******* *** **** *** ** circumvented ** ******** ******** **** **** the *** *****. ***** ****** **** away **** ****** ******* *********** ** more ****** *******.
******:
************* ***-****-******* *** ********* ******** ************* *********, and*** ** ********* ******** *** ******** analysis.