A security flaw in smart locks used in hotels around the world has allowed hackers to open the doors of more than a million hotel rooms using just an Android smartphone.

Security researchers have discovered a vulnerability in Saflok locks manufactured by Dormakaba. They were able to pair a key card with an RFID read/write device and write the code to separate key cards.

Then they touched the two key cards to the lock. One of the cards rewrote the lock code and the other opened the door. This method can be replicated on an NFC-enabled Android phone using a signal-emitting app.

The flaw affects more than 13,000 establishments in 131 countries, totaling around three million vulnerable hotel rooms. However, the good news is that there is a fix.

Researchers notified Dormakaba about the vulnerability in 2022 and a fix is in the works. However, because each lock needs to be reprogrammed individually, it may take some time for all locks to be fixed.

Until the fix is implemented, hotel guests should be aware of the potential risk and take additional precautions, such as using the door security lock or storing valuables in a safe.