Contactless cards used to open doors in hotels and offices around the world are so flawed that it could allow any person to open virtually any door, experts warn.
Cybersecurity researcher from Quirkslab focused on FM11RF08S, a variant of the MIFARE Classic card released in 2020 by Shanghai Fudan Microelectronics, apparently the “leading Chinese manufacturer of unlicensed ‘MIFARE-compatible’ chips.”
The report claims that the FM11RF08S has countermeasures “designed to thwart all known card-only attacks.” What’s worrying, however, is that the use of this card is becoming more popular by the day.
Cracked in just a few minutes
It reportedly took researchers “a few minutes” to find an attack that cracks the FM11RF08S sector keys – if the keys were reused for at least three sectors or three cards.
Upon further analysis, they discovered a hardware backdoor that allows authentication with an unknown key, and when they cracked the card’s secret key, they found that it is “common to all existing FM11RF08S cards!”
Using the backdoor, the experts were able to design “several additional” attacks that could crack all the keys of any card within a few minutes, without needing to know any exit keys (except the one in the backdoor).
To make matters worse, Quirkslab then turned their attention to older models and found a “similar backdoor” in the previous generation – FM11RF08 – protected with a different key. After cracking the second key, they found that it was present on all FM11RF08 cards, as well as other Fudan references (FM11RF32, FM1208-10 and probably more) and even old cards from NXP1 (MF1ICS5003 & MF1ICS5004) and Infineon (SLE66R35), some of which dated back to late 2007.
Finally, the researchers warned users to check their infrastructure and assess the risks. “Many are probably unaware that the MIFARE Classic cards they received from their supplier are actually Fudan FM11RF08 or FM11RF08S, as these two chip references are not limited to the Chinese market. For example, we found these cards in numerous hotels in the US, Europe and India,” they said.
Over The hacker news