Security Flaws at Zedwell's Capsule Hotel

Tuesday, April 28, 2026

Table of Contents

I recently spent a few nights in London, staying at the Zedwell Capsule Hotel in Piccadilly Circus. It was cheap, central, and let’s be honest. It’s an unique experience sleeping in a 2 m² box.

That said, it didn’t take long before I started noticing security flaws. This turned my stay into feeling like a playground for experimentation.

Sneaking Into the Hotel

The main entrance is staffed 24/7 by a security guard who asks to see your keycard before letting you in. This sounds solid on paper. In practice? Not really. The easiest bypass is simply saying you haven’t checked in yet—no keycard required. Alternatively, there’s a fire escape door to the left of the entrance that’s completely unguarded.

Unlocking the Capsules

Each capsule can be locked from both the inside and the outside. The internal lock is fine, however the external one? Not great. In fact, it’s very weak.

In the video below, I showcase the locking mechanism. And how it can be opened even when “locked”:

And here it is in action:

It’s important to note that the inside locking mechanism doesn’t seem vulnerable to the same issue. Staff also mentioned that newer locks had been installed on the 5th floor, but without testing them, it’s impossible to say whether they fix the problem.

Emulating the Key Cards

Here’s what the keycards look like: Front:

Back:

These cards are used to access different floors. From the labeling, they use MiFare technology and are manufactured by Assa Abloy.

A bit of digging reveals that back in 2018, researchers discovered a master key vulnerability. That specific issue is likely patched by now. But it raises an interesting question: how robust is the current implementation?

Without my Proxmark3 Easy, I was limited to using my phone. Still, with NFC Tools, I was able to extract some data:

The card appears to be a MiFare Ultralight chip, which stores 64 bytes of data. Based on the labeling, this includes access logs. But it’s unclear whether additional data is stored or how the system validates cards.

If the system only checks the card’s UUID (serial number), that opens the door to a potential attack. The hotel reuses keycards, and the UUID doesn’t change. Meanwhile, unused cards are openly available in the lobby for self check-in.

In theory, an attacker could:

1. Scan multiple card UUIDs from the lobby
2. Wait for guests to check in
3. Emulate a valid UUID to gain access

To be clear, this is purely speculative. I didn’t verify whether the system is actually vulnerable in this way. But if UUID-only validation is used, it would be a significant weakness.

Closing Thoughts

The overall vibe is closer to a hostel than a traditional hotel. People are friendly, and the atmosphere is relaxed.

But from a security perspective, it’s not the best. If you’re staying here, don’t rely on the capsule lock to protect valuables while you’re away. Treat it as a convenience, not a safeguard.

That said, considering the price and location, it’s still a decent option for a short stay.