Experts warn that contactless cards used to open doors in hotels and offices around the world are so flawed that anyone can use them to open almost any door.
Cybersecurity researchers from Quarkslab examined the FM11RF08S, a variant of the MIFARE Classic card released in 2020 by Shanghai Fudan Microelectronics, apparently the “leading Chinese manufacturer of unlicensed ‘MIFARE-compatible’ chips.”
The report claims that the FM11RF08S has countermeasures “designed to thwart all known card-only attacks,” but, worryingly, the card is becoming more popular by the day.
Cracked within minutes
It reportedly took researchers “a few minutes” to find an attack that cracked the FM11RF08S sector keys when the keys are reused across at least three sectors or three cards.
Further investigation revealed a hardware backdoor that allows authentication with an unknown key. When they cracked the card’s secret key, it turned out to be “common to all existing FM11RF08S cards!”
The backdoor allowed the experts to design “multiple other” attacks, each capable of cracking all the keys of an arbitrary card within minutes, without needing to know the initial keys (except those of the backdoor).
To make matters worse, Quarkslab then turned its attention to older models and found a “similar backdoor” in the previous generation, the FM11RF08, which was protected with a different key. After cracking the second key, they found that it was common to all FM11RF08 cards, as well as other Fudan references (FM11RF32, FM1208-10, and likely more), and even old cards from NXP (MF1ICS5003 & MF1ICS5004) and Infineon (SLE66R35), some of which dated back to late 2007.
Finally, the researchers warned users to check their infrastructure and assess the risks. “Many are probably not aware that the MIFARE Classic cards they received from their supplier are actually Fudan FM11RF08 or FM11RF08S, as these two chip references are not limited to the Chinese market. For example, we have detected these cards in numerous hotels in the US, Europe, and India,” they said.
Via The Hacker News