unitMeasure/thrive-vulnerability

SAFLOK SECURITY VULNERABILITY DISCLOSURE

Disclaimer

This application is provided solely for educational and demonstrational purposes. The use of this software to access property without authorization may violate local, state, and federal laws. The author explicitly does not condone unauthorized use of this software and bears no liability or responsibility for such actions.

Overview

This Flipper Zero application demonstrates a significant security vulnerability in the access control systems used by Thrive Communities properties and potentially other properties using Saflok with MIFARE Classic NFC technology. This disclosure follows multiple unsuccessful attempts to privately report and resolve this security issue through proper channels.

Technical Details

This application demonstrates how the Saflok system can be exploited to create unauthorized access credentials. Key features include:

  • Field-by-field modification of MIFARE Classic NFC keys
  • Creation of various credential types with different access levels
  • Ability to modify key properties including expiration dates, access levels, and property numbers

While the application is not fully polished (it has some memory management issues, the preset-key functionality is incomplete and still requires manual modification of blocks 8 and 9, and the in-app emulation is imperfect), its core functionality works effectively. Users can manually modify fields to match a preset key configuration, save the key, and emulate it using the Flipper Zero's NFC application.

Important: This vulnerability is not limited to Thrive properties. Any facility using Saflok systems with MIFARE Classic technology may be susceptible to similar exploitation.

Responsible Disclosure Timeline

Initial Discovery and Notification

After discovering this vulnerability, I immediately followed responsible disclosure protocols:

  1. Initial Demonstration: I contacted the local Thrive management team and, at their request, demonstrated the vulnerability by unlocking multiple randomly selected resident doors to prove the severity of the issue.

  2. Follow-up Attempts: Over the following six weeks, I made repeated attempts to follow up with the management team but received no response.

  3. Executive Escalation: I then escalated the issue to Thrive's executive team through email, receiving a response from Vice President Rochelle Erwin.

  4. Limited Communication: VP Erwin sent two emails:

    • The first requested a phone call instead of written communication
    • The second informed me she was on vacation and would investigate upon return

  5. Physical Evidence Provided: To facilitate verification, I sent them a sample NFC key demonstrating the vulnerability along with details of the previous on-site demonstration.

Legal Interference

After another week without response, the situation escalated:

  1. Legal Representation: I received an email from Thrive's attorney, Christopher Reed of Montgomery Purdue PLLC, stating that Thrive "adamantly denies the existence of any security vulnerability" and considered the matter closed.

  2. Attempted Clarification: I reminded Mr. Reed that I had already demonstrated the vulnerability to Thrive staff and provided physical evidence. I asked what would be required for them to take the issue seriously.

  3. No Response: Mr. Reed did not reply to my inquiry.

  4. New Attorney Contact: Days later, I received communication from Ben VandenBerghe of Montgomery Purdue PLLC, who took a more confrontational approach:

    • Made accusations of extortion
    • Cited various criminal codes
    • Threatened legal action if the vulnerability was disclosed
    • Later offered $2,500 for non-disclosure after initially accusing me of extortion

  5. Final Attempt: I offered to send a preview of this application to allow verification before public disclosure, which received no response.

Conclusion

This public disclosure is being made following multiple good-faith attempts to resolve this matter privately and in accordance with standard security research practices. The attorneys at Montgomery Purdue PLLC approached this security disclosure as an adversarial legal matter rather than a legitimate technical concern, transforming what should have been a standard vulnerability disclosure process into an unnecessary legal confrontation.

Their contradictory positions (first denying the vulnerability's existence, then threatening legal action if it was disclosed, and finally offering payment for silence) demonstrate inappropriate handling of a serious security issue affecting residents' safety and privacy.

The vulnerability documented here affects thousands of residents, and this disclosure aims to prompt proper remediation of the security issue that Thrive has repeatedly refused to address.

Languages

  • C 99.9%
  • C++ 0.1%