Millions of Office and Hotel RFID Smart Cards Vulnerable to Instant Cloning Through Hidden Backdoor

Researchers from Quarkslab have uncovered critical vulnerabilities in the latest variant of MIFARE Classic compatible cards. Despite being touted as a secure alternative, the FM11RF08S card, developed by Shanghai Fudan Microelectronics, has been found to contain a hardware backdoor, among other weaknesses.

The implications of these discoveries are far-reaching. The FM11RF08S card is not limited to the Chinese market; it has been found in numerous hotels and businesses across the US, Europe, and India. Many consumers may be unaware that the MIFARE Classic cards they are using are, in fact, Fudan FM11RF08 or FM11RF08S variants.

This discovery raises serious concerns for industries relying on these cards for secure transactions.

New Variant, Familiar Problems

MIFARE Classic cards, developed by NXP Semiconductors, have been widely used for years but have also been subject to numerous attacks. In response, new versions, including the FM11RF08S, were introduced to address these vulnerabilities. However, the latest research indicates that even the most secure variant of these cards remains susceptible to attack.

In 2020, the FM11RF08S variant was released, promising enhanced security against card-only attacks, where the card is targeted independently of its corresponding reader. Despite these claims, researchers have successfully developed new methods to crack the card’s security features.

Key Findings

The research team discovered several alarming issues with the FM11RF08S card:

1. Sector Key Cracking: The team identified the first-ever attack capable of cracking FM11RF08S sector keys within minutes. This attack is effective when keys are reused across multiple sectors or cards.
2. Hardware Backdoor: Through fuzzing techniques, a hardware backdoor was discovered, enabling authentication with an unknown key. This backdoor compromises all user-defined keys on the card, even when diversified.
3. Universal Secret Key: The secret key, common to all FM11RF08S cards, was cracked, enabling further attacks.
4. Supply Chain Vulnerability: The attacks could be executed instantly by entities in a position to carry out supply chain attacks, further highlighting the severity of the vulnerability.
5. Previous Generation Affected: Similar backdoors were found in the previous generation of Fudan chips, including the FM11RF08, FM11RF32, and FM1208-10, as well as older cards from NXP and Infineon.

Global Implications

Given the widespread use of these cards and the ease with which attackers can compromise them, users are urged to assess their infrastructure and take immediate action. While more robust alternatives are available on the market, the presence of hardware backdoors remains a concern.

The tools and techniques developed in this research have been integrated into the Proxmark3 source code, a widely-used tool for NFC and RFID security testing. The researchers hope that their findings will inspire further research within the security community to address the unanswered questions and potentially develop even faster attacks.

For those interested in a deeper dive into the findings, the full paper and annexes are available online, providing detailed insights into the vulnerabilities and potential defenses against these attacks.