Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Major Backdoor in Millions of RFID Cards Allows Instant Cloning

A significant backdoor in contactless cards made by China-based Shanghai Fudan Microelectronics allows instantaneous cloning of RFID cards used to open office doors and hotel rooms around the world.

RFID Card backdoor

French security services firm Quarkslab has made an eye-popping discovery: a significant backdoor in millions of contactless cards made by Shanghai Fudan Microelectronics Group, a leading chip manufacturer in China.

The backdoor, documented in a research paper by Quarkslab researcher Philippe Teuwen, allows the instantaneous cloning of RFID smart cards used to open office doors and hotel rooms around the world.

Although the backdoor requires just a few minutes of physical proximity to an affected card to conduct an attack, an attacker in a position to carry out a supply chain attack could execute such attacks instantaneously at scale, Teuwen explained in the paper (PDF).

Teuwen said he discovered the backdoor while conducting security experiments on the MIFARE Classic card family that is widely deployed in public transportation and the hospitality industry.

The MIFARE Classic card family, originally launched in 1994 by Philips (now NXP Semiconductors), are widely used and have been subjected to numerous attacks over the years. 

Security vulnerabilities that allow “card-only” attacks (attacks that require access to a card but not the corresponding card reader) are of particular concern as they may enable attackers to clone cards, or to read and write their content, just by having physical proximity for a few minutes. Over the years, new versions of the MIFARE Classic family fixed the different types of attacks documented by security researchers.

In 2020, the FM11RF08S variant of the MIFARE Classic was released by Shanghai Fudan Microelectronics, the leading chinese manufacturer of unlicensed “MIFARE compatible” chips. Teuwen noted that this variant features specific countermeasures designed to thwart all known card-only attacks and has gradually gained market share worldwide.

While looking at Shanghai Fudan’s FM11RF08S cards, which use a countermeasure dubbed by the community as “static encrypted nonce,” Teuwen devised an attack for that variant capable of cracking FM11RF08S keys in a few minutes if they are being reused across at least three sectors or three cards. 

Advertisement. Scroll to continue reading.

Additional research revealed a hardware backdoor that allows authentication with an unknown key. Teuwen then used the new attack to obtain (“crack”) that secret key and found it to be common to all existing FM11RF08S cards. 

Teuwen then discovered a similar backdoor, protected with another key, in the previous card generation (FM11RF08). After this second secret key was also cracked it was discovered that the key is common to all FM11RF08 cards, as well as other models from the same vendor (FM11RF32, FM1208-10), and even some old cards from NXP Semiconductors and Infineon Technologies.

“The FM11RF08S backdoor enables any entity with knowledge of it to compromise all user-defined keys on these cards, even when fully diversified, simply by accessing the card for a few minutes,” Quarkslab said in a note, urging consumers to swiftly check their infrastructure and assess the risks. 

“Many are probably unaware that the MIFARE Classic cards they obtained from their supplier are actually Fudan FM11RF08 or FM11RF08S, as these two chip references are not limited to the Chinese market. For example, we found these cards in numerous hotels across the US, Europe, and India,” the company said.

Related: Exploitable ‘PixieFail’ Flaws Found in Tianocore EDK II

Related: Security Defects in TPM 2.0 Spec Raise Alarm

Related: Critical Flaw in Google’s Titan M Chip Earns Researchers $75,000

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Tim McKnight has joined UnitedHealth Group as CISO following the Change Healthcare ransomware attack.

Zach Furness has joined MITRE as CISO.

Gregg R. Kendrick has been named CISO at Vanderbilt University.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.