Security researchers have discovered a widespread hardware backdoor in the FM11RF08S variant of the MIFARE Classic RFID smart cards manufactured by the Chinese chip company Shanghai Fudan Microelectronics.
The backdoor allows instantaneous cloning of the cards, posing a major security risk for businesses and consumers using the affected cards. The variant had been released around 2020 and touted as resistant to all known ‘card-only’ attacks – attacks that can be carried out on the card itself without access to its reader.
Backdoor in Chinese FM11RF08S Smart Cards
Through empirical research, the researchers from Quarkslab found a hardware backdoor that enables any entity with knowledge of it to compromise all user-defined keys on these cards without prior knowledge simply by accessing the card for a few minutes.
The backdoor was discovered during an investigation into the card’s security features. The researchers successfully cracked the backdoor’s secret key, revealing that it is the same across all FM11RF08S cards. In the study, detailed in a research paper, they described steps to successfully crack the sector keys of these cards within minutes if the same keys were reused across at least three sectors or cards.
The FM11RF08S had earlier been introduced as a more secure alternative, featuring a countermeasure called ‘static encrypted nonce’ designed to thwart card-only attacks. The finding has significant implications for users, as it allows attackers to dump and clone these cards, even if all their keys are properly diversified.
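The reuse condition above (one sector key shared by three or more sectors) is something an operator can audit in their own key material before an attacker does. The following is an added example, not code from the article or from Quarkslab; it assumes the sector keys have already been exported by the operator's own tooling as (sector, key A, key B) tuples, and the key set below is constructed for illustration.

```python
# Audit a MIFARE Classic sector-key set for two defender-relevant weaknesses:
# 1. the same key reused across several sectors (the paper's threshold is three),
# 2. well-known factory/default keys still in place.
from collections import defaultdict

# Widely published MIFARE Classic default keys (not card-specific secrets).
DEFAULT_KEYS = {"FFFFFFFFFFFF", "000000000000", "A0A1A2A3A4A5", "D3F7D3F7D3F7"}

# Constructed example: (sector, key_a, key_b) for the first five sectors
# of a hypothetical 1K card. Sectors 0-2 share key A; sector 4 is at defaults.
SAMPLE_KEYS = [
    (0, "1122334455AA", "AABBCCDDEEFF"),
    (1, "1122334455AA", "AABBCCDDEE01"),
    (2, "1122334455AA", "AABBCCDDEE02"),
    (3, "0F1E2D3C4B5A", "AABBCCDDEE03"),
    (4, "FFFFFFFFFFFF", "FFFFFFFFFFFF"),
]


def audit_keys(keys, reuse_threshold=3):
    """Return reused keys (key -> sorted sector list) and default-key findings."""
    sectors_by_key = defaultdict(set)
    default_findings = []
    for sector, key_a, key_b in keys:
        for slot, key in (("A", key_a), ("B", key_b)):
            k = key.upper()
            sectors_by_key[k].add(sector)
            if k in DEFAULT_KEYS:
                default_findings.append((sector, slot, k))
    reused = {
        k: sorted(s) for k, s in sectors_by_key.items() if len(s) >= reuse_threshold
    }
    return {"reused": reused, "defaults": default_findings}


def card_is_diversified(keys, reuse_threshold=3):
    """True only if no key is reused across the threshold and no default key remains."""
    report = audit_keys(keys, reuse_threshold)
    return not report["reused"] and not report["defaults"]


if __name__ == "__main__":
    report = audit_keys(SAMPLE_KEYS)
    for key, sectors in report["reused"].items():
        print(f"key {key} reused in sectors {sectors}")
    for sector, slot, key in report["defaults"]:
        print(f"sector {sector} key {slot} is a default key ({key})")
    print("diversified:", card_is_diversified(SAMPLE_KEYS))
```

Run it against your own exported key sets; any card that fails `card_is_diversified` meets the reuse condition the researchers describe and should be prioritised for re-keying or migration.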
The presence of the backdoor raises several questions, particularly given that it is not limited to the Chinese market. In fact, the researchers found these cards in numerous hotels across the U.S., Europe, and India.
MIFARE Classic’s Legacy
In addition, the researchers uncovered another hardware backdoor key that was common across several older MIFARE Classic card models from various manufacturers, including NXP and Infineon.
The MIFARE Classic card standard, developed and licensed by NXP, has long been known to be insecure, with numerous attacks demonstrated over the years. However, the cards remain widely used due to business inertia and the high cost of migrating to newer, more secure systems.
The researchers emphasize that migrating to more robust alternatives is crucial to ensure the security of RFID-based systems.
Consumers should check their RFID infrastructure and assess such potential risks, the researchers advised, as many could be unaware that the MIFARE Classic cards they had deployed within sensitive environments could be the Fudan FM11RF08 or FM11RF08S.
However, the researchers warned that most RFID cards could be susceptible to recovery-based attacks if an attacker has access to matching readers, stating that while there were many more robust alternatives on the market, they could not guarantee the absence of hardware backdoors.