Contactless cards used to open doors in hotels and offices around the world are flawed in a way that could allow any person to open practically any door, experts have warned.
Cybersecurity researchers from Quirkslab focused on FM11RF08S, a variant of the MIFARE Classic card that was released in 2020 by Shanghai Fudan Microelectronics, apparently the “leading Chinese manufacturer of unlicensed ‘MIFARE compatible’ chips.
The report claims the FM11RF08S features countermeasures “designed to thwart all known card-only attacks”, but worryingly, usage of the card is growing increasingly popular by the day.
Cracked in minutes
It reportedly took the researchers a “couple of minutes” to find an attack that cracks FM11RF08S sector keys – when the keys were reused across at least three sectors, or three cards.
Further analysis landed them a hardware backdoor that allows authentication with an unknown key, and when they cracked the card’s secret key, they found it to be “common to all existing FM11RF08S cards!”.
With the backdoor, the experts were able to design “several other” attacks, each of which was able to crack all the keys of any card in just a few minutes, without needing to know any initial keys (besides the backdoor one).
To add insult to injury, Quirkslab then shifted their attention to older models, and found a “similar backdoor” in the previous generation – FM11RF08 – which was protected with another key. After cracking the second key, they found it to be common to all FM11RF08 cards, as well as other Fudan references (FM11RF32, FM1208-10, and probably more), and even old cards from NXP1 (MF1ICS5003 & MF1ICS5004) and Infineon (SLE66R35), some of which date back to late 2007.
To conclude, the researchers warned users to check their infrastructure and assess the risks. “Many are probably unaware that the MIFARE Classic cards they obtained from their supplier are actually Fudan FM11RF08 or FM11RF08S, as these two chip references are not limited to the Chinese market. For example, we found these cards in numerous hotels across the US, Europe, and India,” they said.
Via The Hacker News