The Hidden Security Threat in Contactless Key Cards

A security flaw has been discovered in millions of contactless key cards used worldwide for office and hotel access. French cybersecurity firm Quarkslab has identified a hardware backdoor in chips manufactured by Shanghai Fudan Microelectronics Group, a leading supplier of RFID chips. This vulnerability affects chips like FM11RF08S and FM11RF08, allowing attackers to clone these cards within minutes, posing a risk to security systems.

The Discovery of the Backdoor

In 2020, Fudan Microelectronics released the FM11RF08S chip as a variant of the commonly used MIFARE Classic, developed by NXP Semiconductors. This new chip was designed to resist known “card-only” attacks, which target the card itself without needing the corresponding card reader. Following these advancements, Quarkslab researcher Philippe Teuwen identified a hardware backdoor within these chips, capable of bypassing the existing security features. The backdoor discovered in FM11RF08S chips allows unauthorized access to all user-defined keys on the card. This vulnerability is highly concerning, as the secret key associated with the backdoor is common across all existing FM11RF08S cards. An attacker with knowledge of this key could breach the card’s security within minutes, rendering the card’s encryption useless.

Implications of the Backdoor

The backdoor endangers the security of systems using these cards. While exploiting this flaw requires physical proximity to a compromised card, a malicious actor with control over the supply chain could clone cards on a large scale during manufacturing. This scenario could lead to widespread unauthorized access to secure areas in industries relying on contactless access control, such as hospitality and corporate environments. Teuwen’s research also uncovered a similar backdoor in the previous generation of Fudan chips, the FM11RF08. Protected by a different key, this backdoor dates back to at least 2007, indicating that these vulnerabilities have been present in the market for over a decade. This issue extends further than Fudan’s products; it was also found in older models from NXP Semiconductors and Infineon Technologies.

Exploiting the Vulnerability

The FM11RF08S chip was first praised for its resistance to card-only attacks through a mechanism known as the “static encrypted nonce.” Teuwen went on to devise an attack that could crack these cards within minutes if keys were reused across different sectors or cards. This attack was later improved to take advantage of the hardware backdoor, allowing instantaneous cloning of the cards once the backdoor key was obtained. The research shows that the backdoor key is shared not only among FM11RF08S cards but also among other models from Fudan, and even some from other manufacturers. This universality of the backdoor key aggravates the threat, making it easier for attackers to exploit the vulnerability on a large scale.

Industry Impact

The discovery of this backdoor has repercussions for industries relying on MIFARE Classic-compatible cards for security. Companies using these cards are prompted to assess their security measures and consider replacing cards with more secure alternatives, to reduce their cyber incident liability. The hospitality industry is at very high risk, as these cards are used in hotel access systems worldwide. Patrick Tiquet, Vice President of Security & Architecture at Keeper Security, made clear the seriousness of the situation. He commented that the ability to clone cards with just a few minutes of physical access could lead to unauthorized entry into highly secure areas. Tiquet also mentioned the importance of good security practices and vetting of components throughout the supply chain to prevent such weaknesses from being exploited.

The revelation of a hardware backdoor in Fudan Microelectronics’ contactless key cards accentuates a security issue that has gone unnoticed for years. The ability to clone these cards quickly, combined with the widespread use of these chips, necessitates immediate action from affected industries.

Photo credits: Kadmy, AdobeStock.com


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth has a focus on data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone