Contactless cards used to open doors in hotels and offices around the world have flaws that could allow anyone to open virtually any door, experts have warned.
Quirkslab cybersecurity researchers focused on FM11RF08S, a variant of the MIFARE Classic card that was released in 2020 by Shanghai Fudan Microelectronics, apparently the “leading Chinese manufacturer of unlicensed ‘MIFARE-compatible’ chips.”
The report claims that the FM11RF08S features countermeasures “designed to thwart all known card-only attacks,” but worryingly, card usage is becoming more popular by the day.
Cracked in minutes
It reportedly took researchers “a couple of minutes” to find an attack that cracked FM11RF08S sector keys, when the keys were reused across at least three sectors or three cards.
Further analysis allowed them to find a hardware backdoor that allows authentication with an unknown key, and when they cracked the card's secret key, they discovered that it was “common to all existing FM11RF08S cards.”
With the backdoor, the experts were able to design “several other” attacks, each of which was capable of cracking all the keys on any card in just a few minutes, without needing to know any initial keys (other than the backdoor key).
To make matters worse, Quirkslab turned their attention to older models and found a “similar backdoor” in the previous generation (FM11RF08) that was protected with another key. After cracking the second key, they discovered that it was common to all FM11RF08 cards, as well as other Fudan references (FM11RF32, FM1208-10, and probably more), and even older cards from NXP1 (MF1ICS5003 and MF1ICS5004) and Infineon (SLE66R35), some of which date back to late 2007.
In conclusion, the researchers warn users to check their infrastructure and assess the risks. “Many are probably unaware that the MIFARE Classic cards they have obtained from their supplier are actually Fudan FM11RF08 or FM11RF08S, as these two chip references are not limited to the Chinese market. For example, we have found these cards in numerous hotels in the United States, Europe and India,” they say.
Through Hacker News
