
RFID cards could become a global security problem after a hardware backdoor is discovered

What the hell?! Chinese-made chips used in popular contactless cards contain an easily exploitable hardware backdoor. The chips are compatible with the proprietary MIFARE protocol developed by NXP Semiconductors, a Philips spin-off, and the underlying MIFARE Classic protocol is considered "fundamentally flawed" regardless of the brand of card.

Security researchers at Quarkslab have discovered a backdoor in millions of RFID cards made by Shanghai Fudan Microelectronics (FMSH). If exploited correctly, this backdoor could be used to quickly clone contactless smart cards that control access to office buildings and hotel rooms around the world.

According to the French researchers, MIFARE Classic cards are widely used but have significant security flaws. These chip-based contactless cards have been the target of various attacks over the years and remain vulnerable despite the introduction of updated versions.

In 2020, Shanghai Fudan launched the FM11RF08S, a new MIFARE Classic-compatible (and presumably cheaper) chip. It has several countermeasures designed to fend off the known card-only attacks, notably a "static encrypted nonce" scheme, but brings its own security issues.

Quarkslab analyst Philippe Teuwen discovered an attack that can crack the FM11RF08S sector keys within minutes, but only if the same key is reused across at least three sectors of one card or across at least three cards.
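The precondition above is worth checking against your own deployment before worrying about the attack itself: in many access-control installations every card of a site shares one set of sector keys, so the "three cards" condition is met by default. The following audit script is an added example written for this article, not Quarkslab's tooling or anything from the FM11RF08S research; it reads a constructed inventory format ("card_id,sector,keyA,keyB", one record per line, which is an assumption for the example and not a real dump format) and reports every key that is reused on at least three sectors of a card or on at least three cards, plus any key that is a widely published factory default.

```python
"""Audit a MIFARE Classic key inventory for the reuse pattern that makes
FM11RF08S sector keys recoverable (same key on >= 3 sectors of one card,
or on >= 3 different cards).

Input format (constructed for this example, not a real dump format):
one record per line, "card_id,sector,keyA,keyB", keys as 12 hex digits.
"""
from collections import defaultdict

REUSE_THRESHOLD = 3

# Widely published factory-default keys (FFFFFFFFFFFF is the transport
# key, A0A1A2A3A4A5 the MIFARE Application Directory key); a card still
# using one is trivially readable regardless of the FM11RF08S weaknesses.
WELL_KNOWN_KEYS = {"FFFFFFFFFFFF", "A0A1A2A3A4A5"}

# Constructed sample inventory: three cards of one site. A real card has
# 16 sectors; only a few are listed to keep the example short.
SAMPLE_INVENTORY = """\
card01,0,A0A1A2A3A4A5,B0B1B2B3B4B5
card01,1,1122334455AA,1122334455BB
card01,2,1122334455AA,C0C1C2C3C4C5
card01,3,1122334455AA,D0D1D2D3D4D5
card02,0,A0A1A2A3A4A5,B0B1B2B3B4B5
card02,1,9988776655AA,E0E1E2E3E4E5
card03,0,A0A1A2A3A4A5,B0B1B2B3B4B5
card03,1,FFFFFFFFFFFF,FFFFFFFFFFFF
"""


def parse_inventory(text):
    """Yield (card, sector, slot, key) tuples; reject malformed keys."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        card, sector, key_a, key_b = (f.strip() for f in line.split(","))
        for slot, key in (("A", key_a), ("B", key_b)):
            key = key.upper()
            if len(key) != 12 or any(c not in "0123456789ABCDEF" for c in key):
                raise ValueError(f"line {lineno}: bad key {key!r}")
            yield card, int(sector), slot, key


def find_reused_keys(text, threshold=REUSE_THRESHOLD):
    """Return, for every key meeting the reuse condition, the cards it is
    on and the sectors it protects on each card. The A and B slots of one
    sector count as a single sector."""
    cards = defaultdict(set)                          # key -> {card}
    sectors = defaultdict(lambda: defaultdict(set))   # key -> card -> {sector}
    for card, sector, _slot, key in parse_inventory(text):
        cards[key].add(card)
        sectors[key][card].add(sector)
    findings = {}
    for key in cards:
        reused_across_cards = len(cards[key]) >= threshold
        reused_within_card = any(len(s) >= threshold for s in sectors[key].values())
        if reused_across_cards or reused_within_card:
            findings[key] = {
                "cards": sorted(cards[key]),
                "sectors_per_card": {c: sorted(s) for c, s in sectors[key].items()},
                "well_known": key in WELL_KNOWN_KEYS,
            }
    return findings


def audit(text, threshold=REUSE_THRESHOLD):
    """Run both checks: (reused keys, sorted list of factory-default keys seen)."""
    reused = find_reused_keys(text, threshold)
    defaults = sorted({k for _, _, _, k in parse_inventory(text) if k in WELL_KNOWN_KEYS})
    return reused, defaults


if __name__ == "__main__":
    reused, defaults = audit(SAMPLE_INVENTORY)
    for key, info in sorted(reused.items()):
        print(f"REUSED  {key}  cards={info['cards']}  sectors={info['sectors_per_card']}")
    for key in defaults:
        print(f"DEFAULT {key}")
```

On the sample data the site-wide keys A0A1A2A3A4A5 and B0B1B2B3B4B5 are flagged because they sit on three cards, and 1122334455AA because it protects three sectors of card01; 9988776655AA is not flagged, and FFFFFFFFFFFF is reported only as a factory default, since its A and B slots on one sector do not count as reuse. The script only establishes whether the precondition for the key-recovery attack holds; it does not talk to a card, and the separate backdoor described below needs no key reuse at all.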

Armed with this new knowledge, the researcher made another puzzling discovery: the FM11RF08S cards contain a hardware backdoor that allows authentication with a secret key not documented by the vendor. He eventually cracked this key and found that it is shared by all existing FM11RF08S cards.

In addition, the previous generation of MIFARE-compatible chips (FM11RF08) has a similar backdoor protected by another secret key. After cracking this second key, Teuwen found that it is present on all FM11RF08 cards and even on "official" MIFARE cards from NXP and Infineon.

The newly discovered FM11RF08S backdoor could allow an attacker to compromise all user-defined keys on a card, without any prior knowledge of them, simply by having access to the card for a few minutes, Teuwen said. Customers should be aware that cards based on the FM11RF08 and FM11RF08S chips are also used outside the Chinese market: numerous hotels in the US, Europe and India use this significantly insecure technology.

“It is important to remember that the MIFARE Classic protocol is fundamentally flawed, regardless of the card,” said Teuwen.

Keys can always be recovered if an attacker has access to a matching reader, since the reader must hold them to authenticate to the card. More robust (and hopefully backdoor-free) alternatives for RFID-based access control are already available on the market.
