A Security Flaw in Millions of Hotel Keycard Locks Has Been Found. What Does that Mean for Planners?

How planners can safeguard their attendees against hotel room breaches

In 2022, at a private event in Las Vegas during “hacker summer camp,” as the Black Hat and Defcon hacker conferences have come to be known, a group of researchers found a flaw that could put millions of hotel rooms around the world at risk of being breached.

In Smart Meeting’s ongoing journey to inspire meeting professionals with the latest tips for elevating the event design process, we worked with the AI app InVideo to bring our content to visual life and allow all viewers to accessibly enjoy content in video form. We hope you enjoy. Please consider following our YouTube channel for more weekly tips and trends for meeting planners.

Security researcher Lennert Wouters, Seats.aero flight awards search tool founder Ian Carroll and a team of researchers have just recently come out with the news of what they found. The hacking technique is called Unsaflok—and it allows hackers to open several models of Saflok RFID-based keycard locks with just two taps, according to Wired. These Saflok door security systems, sold by Swiss lock maker Dormakaba, have been installed on three million doors inside 13,000 properties in 131 countries.

In the Wired article, Wouters and Carroll demonstrate just how easy it was to open a Saflok keycard lock. After obtaining any old or new keycard from a hotel, hackers can read a specific code from the card with an RFID read-write device and write the code on two keycards of their own. After tapping those two cards on a lock—the first tap rewrites a piece of the lock’s data, the second tap opens the door—the hackers are in.

This puts meeting planners and their attendees, who are often gathered together in the hundreds, if not thousands, at risk. As meeting professionals, having up-to-date knowledge about a hotel’s security locks and software can be the difference between if an attendee’s valuables and important information are stolen or kept safe.

Pre-event Security Check-in

Alan Kleinfeld, senior director of meetings and safety at Arrive Management Group, shared a few tips about what meeting planners can do. It starts off with doing your due diligence with the venue.

“Planners can work with venues,” he says. “Let them know [you] are aware of this room hack issue and ask the hotel what they’re doing to remedy the situation. Planners can also learn what kind of door system the hotel uses and if it’s vulnerable to the hack. If the venue does indeed have a concern, the planner can ask the hotel to do more security sweeps in the hallways while the group is in house.”

Read More: Beware the Public Wi-Fi Network: 6 Ways to Practice Cybersecurity While Traveling

While this isn’t exactly a physical security issue, physical security does have a place. Kleinfeld says venues can place uniformed security near entrances and exits and monitor video cameras more often. “A stronger security presence can ward off would-be thieves (and maybe make attendees feel safer). Planners can remind the hotel to secure discarded and returned keycards to prevent them from falling into the wrong hands. Also, the planner can make sure the hotel has updated the software in the locks.”

According to Wired, Dormakaba has been working with hotels to make them aware of their security flaw and has been helping to fix or replace the locks. “For many of the Saflok systems sold in the last eight years, there’s no hardware replacement necessary for each individual lock. Instead, hotels will only need to update or replace the front desk management system and have a technician carry out a relatively quick reprogramming of each lock, door by door,” the article reads.

Preparing Attendees

After working with the hotel, Kleinfeld says, planners can prepare their attendees with “safety travel tips.”

Read More: Be Aware: Tips for Women Business Travelers On the Road

“They don’t necessarily need to announce the problem to attendees unless they feel it’s relevant, but they can remind them: ‘When you leave your hotel room, remember to lock valuables in your hotel safe. Keep backpacks, suitcases, etc. zipped. If they have a locking feature, use it.’ Include safety tips like, ‘When in your room, lock the deadbolt and secure the door chain. Don’t open the door for anyone you don’t know and if someone claims to be from the hotel, call the front desk to confirm it.’” By briefing attendees on the importance of locking valuables in their hotel room’s safe, planners can alleviate anxiety and be sure that attendees’ valuables are further protected with this additional layer of security.

Only a Fraction

Kleinfeld shared a reassuring thought: “It’s worth pointing out that of those 3 million locks, I bet there’s only a fraction in use in U.S. hotels. A quick Google search says there are roughly 5.3 million hotel rooms in the U.S., so in context, I would think only a million or so would be vulnerable.”

Even though Kleinfeld believes only a fifth of U.S. hotels could be at risk, he says, “Still, it’s worth a planner’s time to ask venues about their situation.”