image of breaking badness
Breaking Badness
Breaking Badness

Breaking Badness Cybersecurity Podcast - 184. Saflok It Down

Coming up this week on Breaking Badness: Too Legit To Quit, Under Saflok and Key and Gold, Guidance, and Grievances.


Here are a few highlights from each article we discussed:

Too Legit To Quit

  • Threat actors are leveraging digital document publishing sites to carry out phishing, credential harvesting, and session token theft, underscoring yet again how repurposing legitimate services can be used for malicious ends
  • What are digital document publishing (DDP) services?
    • DDP services allow users to upload and share PDF files in a browser-based interactive flipbook format, adding page flip animations and other visual effects to any catalog, brochure, or magazine
    • In simple terms DDP services allow organizations or individuals to give their instruction manuals or marketing materials a little pizazz
  • Who typically uses DDP services?
    • Tons of companies use DDP services to publish documents and manuals. Just from a little Internet research we were able to see the names of several major brands using these companies. One DDP company listed a major U.S. Airline along with an international cosmetic company and a popular jewelry company as clients on its home page
    • It might be easier to think about “who isn’t using these services.” These services are simple to setup and use and are being used by organizations of all sizes and in a variety of industries
  • How do threat actors exploit DDP services?
    • Threat actors are repurposing legitimate services for  their own malicious ends.They are using platforms like FlipSnack, Marq, and Simplebooklet to carrying out phishing, credential harvesting, and session token theft
    • DDP sites are integrated into the attack chain in the secondary or intermediate stage, typically by embedding a link to a document hosted on a legitimate DDP site in a phishing email
    • The DDP-hosted document serves as a gateway to an external, adversary-controlled site either directly by clicking on a link included in the decoy file, or through a series of redirects that also require solving CAPTCHAs to thwart automated analysis efforts
    • But what the threat actors are actually exploiting is the positive reputation of infrastructure associated with services to as a means to bypass enterprise content filters and controls
    • As Craig Jackson, a security researcher at Cisco Talos explained last week, “Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, since these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and may instill a false sense of security in users who recognize them as familiar or legitimate.”
  • This article mentioned that attackers take advantage of the fact that DDP sites facilitate transient file hosting – what does that mean?
    • As the word transient implies, people or companies are able to host files on DDP services for a limited amount of time before they are automatically taken down or removed by the DDP provider automatically
    • Many DDP sites offer either a free tier or a no-cost trial period where a defined number of files can be published for a limited time. No-cost trial periods usually require only limited personal identifiers and no payment methods. Threat actors can quickly and easily create multiple free accounts, with a varying number of malicious pages per account
    • The transient nature of these free-trial periods actually plays to the threat actor’s advantage. The files containing their IOC disappear at the end of the trial period and the threat actors don’t have to worry about removing malicious files themselves. This is reduce the chances that security researchers will be able to scrutinize the lure themes or TTPs being used by the threat actors
  • How can defenders better prepare for these kinds of attacks? What can users do to defend themselves?
    • Defenders should consider the following actions to help defend against phishing attacks that leverage DDP sites:
      • Block common DDP sites via border security devices, endpoint detection and response (EDR, web content filtering, and/or DNS security controls if access to these sites is not required for normal business operations
        • Determine whether or not access to these sites are actually necessary for business continuity 
      • If blocking these sites will disrupt normal operations, develop a procedure to ensure malicious domains identified in DDP-hosted phishing lures can be quickly blocked
      • Configure email security controls to detect and alert on links in emails containing common DDP site URLs
      • Leverage threat intelligence to quickly identify newly created sites related to known threats – in this case, new DDP sites that may be leveraged by threat actors
      • Monitor for behavioral trends within the organization’s internal environment that could indicate coordinated malicious activity, including activity to blocked sites
        • As a SOC analyst, if you are seeing unusual amounts of traffic between your network and a DDP site or sites, we would suggest investigating what prompted that increase
      • Update user security awareness training to include information about DDP sites and other cloud-hosted phishing attack methods

Under Saflok and Key

  • We haven’t discussed much in the way of physical hacking in a while, so today we are going to discuss how hackers have found a way to open any of 3 million hotel keycard locks in seconds
  • Researchers mentioned in this article were actually tasked with finding vulnerabilities in hotel room gadgets, and some spent time on the room’s door – they found the vulnerability in several models of the Saflok-brand RFID-based keycard locks – who is Saflok?
    • To begin, these researchers were invited to basically red-team the heck out of a room, and all its contents. Much like real red teams, the objective was to find security flaws so that the customer could a) be aware and b) start doing something about them
    • Sakflok is a sub-brand of a Swiss company called Dormabaka
    • According to the article we’re linking to in the notes, these things are installed on some 3 million doors worldwide, inside 13,000 properties in 131 countries. That’s a pretty big attack surface
  • How did the researchers identify the vulnerabilities?
    • First, they just need an existing key. They could get one by booking a room there or grabbing a keycard out of a dropoff box or grabbing one off the floor—whatever
    • Then comes the “$300 RFID read-write device,” which we think we all know is a Flipper Zero, and reading a certain code from that card. As an aside, although the FZ is the (relatively) new hotness, they point out that other devices like the Proxmark3 and an NFC capable Android phone can also do this
    • Then they write two keycards of their own
    • When they tap those two cards on a lock, the first rewrites a certain piece of the lock’s data, and the second opens it
    • We also want to mention that Len Wouters pointed out that this allows one to open any door in the hotel. We think of the guest rooms, of course, but there are plenty of other places in a hotel where unauthorized entry could be…problematic
    • Dormakaba uses a Key Derivation Function (KDF) to derive the keys for some of the Saflok MIFARE Classic keycards—which are just one of the product lines, and a very old one, made by a company called NXP. This KDF only uses the card’s Unique IDentifier (UID) as an input. So they were able to crack the KDF. Cool, then they have to be able to write a card
    • This is where two kinds of engineering – social and reverse – enter the picture. They got the hotel front-desk software by simply asking the manufacturer, and then they were able to reverse-engineer it
    • That allowed them to know all the data stored on the cards, pulling out a hotel property code as well as a code for each individual room, and at that point they could then create their own values and encrypt them just as Dormakaba’s system would
    • So it’s worth reiterating that it’s pretty trivial to make a copy of a single key card. What’s scary here is that with this technique they can write arbitrary master keys
  • How has Dormabaka responded to these findings?
    • This was an example of responsible disclosure, and the vendor has been responsive. The red-teaming itself occurred in 2022, and they have helped customers update millions of locks since then. The updates, fortunately, in many cases don’t require a hardware update
    • But the affected companies will need to update or replace the front desk management system, and have a technician reprogram each lock, door by door. That’s cumulatively a lot of person-hours, and at this point they report that around 36% of the affected locks have been upgraded
  • If only about a third of the locks have been updated, what can hotels do in the meantime for protection?
    • Use the physical chain for added protection 
    • When you leave your room, be mindful of what valuables you leave there

This Week’s Hoodie Scale

Too Legit To Quit

[Tim]: 5/10 Hoodies
[Austin]: 6/10 Hoodies

Under Saflok and Key

[Tim]: 3.5/10 Hoodies
[Austin]: 3/10 Hoodies


That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!