RFID cards could turn into a global security mess after discovery of hardware backdoor

Alfonso Maruccia

WTF?! Chinese-made chips used in popular contactless cards contain hardware backdoors that are easy to exploit. These chips are compatible with the proprietary Mifare protocol developed by Philips spin-off NXP Semiconductors, a protocol the researchers describe as "intrinsically broken," regardless of the card's brand.

Security researchers at Quarkslab have discovered a backdoor in millions of RFID cards developed by Shanghai Fudan Microelectronics (FMSH). When properly exploited, this backdoor could be used to quickly clone contactless smart cards that regulate access to office buildings and hotel rooms worldwide.

According to French researchers, "Mifare Classic" cards are widely used but have significant security vulnerabilities. These chip-based contactless cards have been targeted by various attacks over the years and remain vulnerable despite the introduction of updated versions.

In 2020, Shanghai Fudan released the FM11RF08S, a Mifare-compatible (and likely cheaper) chip. It featured several countermeasures designed to thwart known card-only attacks, but introduced its own security issues.

Quarkslab analyst Philippe Teuwen discovered an attack capable of cracking FM11RF08S "sector keys" within a few minutes, but only if a specific key is reused across at least three sectors or three cards.

Armed with this new knowledge, the researcher made a subsequent, puzzling discovery: the FM11RF08S cards contain a hardware backdoor that allows authentication with an undocumented secret key. He ultimately cracked this secret key and discovered that it was shared by all existing FM11RF08S cards.

Furthermore, the previous generation of Mifare-compatible cards (FM11RF08) had a similar backdoor protected by another secret key. After cracking this second key, Teuwen found that it was common to all FM11RF08 cards and even to "official" Mifare cards manufactured by NXP and Infineon.

The newly discovered FM11RF08S backdoor could enable an attacker to compromise all user-defined keys by simply accessing the card for a few minutes, Teuwen said. Customers should be aware that RFID cards based on FM11RF08 and FM11RF08S chips are also used outside the Chinese market, with numerous hotels in the US, Europe, and India employing this significantly insecure technology.

"It is important to remember that the MIFARE Classic protocol is intrinsically broken, regardless of the card," Teuwen said.

Because the protocol itself is broken, recovering the keys will always be possible if an attacker has access to the corresponding reader. More robust (and hopefully backdoor-free) alternatives for RFID-based security are already available on the market.
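The attack described above needs a key to be shared by at least three sectors or three cards, so the check an issuer or building operator can run on its own key material is whether that condition holds. The following is an added example, not Quarkslab's or the article's code: it parses a per-sector key table for a MIFARE Classic 1K card (the public layout of 16 sectors, each with a 48-bit Key A and Key B), flags keys reused across sectors or across cards, flags the factory default transport key and Key A == Key B, and shows a per-card, per-sector key diversification pattern as the mitigation. The HMAC-SHA256 derivation is an illustrative construction, not the vendor's own scheme, and every key value and UID is constructed for the demo.

```python
"""Audit MIFARE Classic 1K key tables for the key reuse the attack above relies on.

Added example (not Quarkslab's or the article's code). Assumptions: the public
MIFARE Classic 1K layout of 16 sectors, each with a trailer holding a 48-bit
Key A and Key B; all key values and UIDs below are constructed for the demo.
"""
import hashlib
import hmac
from collections import defaultdict

SECTORS_1K = 16
REUSE_THRESHOLD = 3           # article: attack works if a key is shared by >= 3 sectors or cards
DEFAULT_KEY = "FFFFFFFFFFFF"  # factory transport key, public in the MIFARE documentation
HEX = set("0123456789ABCDEF")


def parse_key_table(text):
    """Parse 'sector keyA keyB' lines into {sector: (keyA, keyB)}; '#' starts a comment."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        sector_s, key_a, key_b = line.split()
        sector = int(sector_s)
        if not 0 <= sector < SECTORS_1K:
            raise ValueError(f"sector {sector} out of range for a 1K card")
        key_a, key_b = key_a.upper(), key_b.upper()
        for k in (key_a, key_b):
            if len(k) != 12 or not set(k) <= HEX:
                raise ValueError(f"sector {sector}: key {k!r} is not 48 bits of hex")
        table[sector] = (key_a, key_b)
    return table


def audit_card(table, threshold=REUSE_THRESHOLD):
    """Findings for one card: keys shared by >= threshold sectors, default keys, Key A == Key B."""
    sectors_using = defaultdict(set)
    for sector, (ka, kb) in table.items():
        sectors_using[ka].add(sector)
        sectors_using[kb].add(sector)
    findings = []
    for key, sectors in sorted(sectors_using.items()):
        if key == DEFAULT_KEY:
            findings.append(("default_key", key, sorted(sectors)))
        if len(sectors) >= threshold:
            findings.append(("key_reused_across_sectors", key, sorted(sectors)))
    for sector, (ka, kb) in sorted(table.items()):
        if ka == kb:
            findings.append(("keyA_equals_keyB", ka, [sector]))
    return findings


def audit_fleet(cards, threshold=REUSE_THRESHOLD):
    """The article's other condition: a key present on >= threshold cards is flagged."""
    cards_using = defaultdict(set)
    for uid, table in cards.items():
        for ka, kb in table.values():
            cards_using[ka].add(uid)
            cards_using[kb].add(uid)
    return [("key_reused_across_cards", key, sorted(uids))
            for key, uids in sorted(cards_using.items()) if len(uids) >= threshold]


def diversified_table(master_key, uid):
    """Mitigation pattern: derive a distinct Key A / Key B per card and per sector from one
    master secret, so no key repeats across sectors or cards. Illustrative HMAC-SHA256
    construction (an assumption of this example, not the vendor's diversification scheme)."""
    table = {}
    for sector in range(SECTORS_1K):
        keys = []
        for which in (b"A", b"B"):
            msg = uid.encode() + b"|" + bytes([sector]) + b"|" + which
            keys.append(hmac.new(master_key, msg, hashlib.sha256).hexdigest()[:12].upper())
        table[sector] = tuple(keys)
    return table


def _rep(byte):
    """Six repeats of one byte, e.g. 0x03 -> '030303030303' (constructed filler keys)."""
    return f"{byte:02X}" * 6


# Constructed sample: a weak card that reuses Key A in three sectors and leaves sector 15 at default.
WEAK_CARD = "\n".join(
    ["# sector keyA keyB (constructed, not a real card dump)",
     "0 A0A1A2A3A4A5 B0B1B2B3B4B5",
     "1 A0A1A2A3A4A5 C1C2C3C4C5C6",
     "2 A0A1A2A3A4A5 D1D2D3D4D5D6"]
    + [f"{s} {_rep(s)} {_rep(s + 16)}" for s in range(3, 15)]
    + ["15 FFFFFFFFFFFF FFFFFFFFFFFF"])

if __name__ == "__main__":
    for finding in audit_card(parse_key_table(WEAK_CARD)):
        print("WEAK:", finding)
    good = {uid: diversified_table(b"demo-master-secret", uid)
            for uid in ("04A1B2C3", "04D4E5F6", "04070809")}
    print("diversified fleet findings:", audit_fleet(good), [audit_card(t) for t in good.values()])
```

Run as a script it prints the three findings for the weak card (a Key A shared by sectors 0, 1 and 2, the default key on sector 15, and Key A equal to Key B on that sector) and empty findings for the diversified fleet. Note that diversification removes the reuse precondition of the key-recovery attack described above; it does nothing against the backdoor key itself, which is the article's point that the protocol is broken regardless of how well keys are managed.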


 
the researcher made a subsequent, puzzling discovery: the FM11RF08S cards contain a hardware backdoor that allows certain authentication through an unknown key. He ultimately cracked this secret key and discovered that it was used by all existing FM11RF08S cards.
This is surprising? Most hardware and software out of China contains security vulnerabilities added at the behest of the CCP. It's the price of doing business there. Just in the news this week: IBM is shutting down all its R&D labs in China, over similar concerns.
 
I don't have a card with NFC. My bank refuses to put it on the card.
I use the phone, but, NFC is turned off unless I'm using it.
 
This is surprising? Most hardware and software out of China contains security vulnerabilities added at the behest of the CCP. It's the price of doing business there. Just in the news this week: IBM is shutting down all its R&D labs in China, over similar concerns.
I am not sure if this is factual. China may be the manufacturer, but ultimately, the design has to come from companies that made the order.

Objectively, anything that brings about convenience always will have its downsides. It's a trade off. For example, people want the convenience of software to remember our passwords, but such services also increase cybersecurity risk.
 
That central bank digital currency is shaping up real good eh? One hardware backdoor and POOF! There goes the US treasury! I wonder if people will ever get fed up and demand technology is REMOVED where it is not absolutely needed. The chip and pin system is far more secure and it doesn't take that long to do....
Ok, did anyone really need to read any further?
Yes, because the Chinese do not have a monopoly on poor design or backdoors.
 
Makes you wonder about all those random stories of people being found in their hotel rooms that died due to supposedly hanging themselves.
Look into the assassination of Mahmoud Al-Mabhouh. Mossad agents broke into his hotel room in UAE by reprogramming the electronic locks, then injected him with a paralyzing agent, suffocated him to death, undressed the body, placed it in the bed, folded his clothes, and exited the room, using a special tool to lock the door from the inside.

His death was initially ruled by natural causes ... until an overzealous hotel security guard compiled enough video footage to make police dig deeper.
 
I am not sure if this is factual. China may be the manufacturer, but ultimately, the design has to come from companies that made the order.

Objectively, anything that brings about convenience always will have its downsides. It's a trade off. For example, people want the convenience of software to remember our passwords, but such services also increase cybersecurity risk.
Most Chinese companies have some sort of funding/ownership/monitoring relationship with the CCP, if they are in defense or tech, or do any business with overseas entities. Mom & Pop shops do not, but chip manufacturers are partially owned by the CCP.
https://eastasiaforum.org/2023/08/11/ccp-branches-out-into-private-businesses/

Since there are alternative platforms around, that are likely more expensive, the solution is to stop buying cheap crap from China.
 
Oh really? Those tap cards everyone's paying for things with aren't secure? What a surprise!

I've refused tap on my cards from day one. It's convenient, but it always looked less secure to have.
 
Oh really? Those tap cards everyone's paying for things with aren't secure? What a surprise!

I've refused tap on my cards from day one. It's convenient, but it always looked less secure to have.

Tap credit/debit cards are still safer than chip and stripe. As the article mentions, these affect hotels mainly as they reuse cards.

Tap cards generate one-time use codes, so stealing it is pointless. Chip cards still get their numbers stolen and reused. Stripe ofc has neither protection.
 
Read carefully: "After cracking this second key, Teuwen found that it was common to all FM11RF08 cards and even to "official" Mifare cards manufactured by NXP and Infineon." So, it was not the FMSH who implemented the backdoor. Also, sometimes it is useful to have a secret security key in cases of emergency.
 
Read carefully: "After cracking this second key, Teuwen found that it was common to all FM11RF08 cards and even to "official" Mifare cards manufactured by NXP and Infineon." So, it was not the FMSH who implemented the backdoor. Also, sometimes it is useful to have a secret security key in cases of emergency.
To be honest, I'd speculate that it's used for programming the cards. Instead of the card programmer having to have the current keys on the card (and the card is not reprogrammable and becomes a paperweight if you don't have those keys), I'd guess the card programmer may just use the master keys.

Some cards of course are not reprogrammed often at all and this wouldn't be an issue -- the case of a hotel room key, it might be reprogrammed almost daily, and I imagine it'd reduce the amount of cards that "go bad in the field" (from either the card or the programmer losing the current key for whatever reason) pretty significantly to just be able to reprogram them with a master key.

Could be wrong on that though! To be honest, I don't sweat it too much -- Mifare themselves has basically said these are not for high security use and they make cards with stronger security for uses that do need that. I mean, when it comes to it, if a hotel went back to physical locks one can pick the lock too. These are still popular since they are inexpensive and do at least provide similar level of security (pretty good but not THAT good) that a regular ol' lock and key do.
 
To be honest, I'd speculate that it's used for programming the cards. Instead of the card programmer having to have the current keys on the card (and the card is not reprogrammable and becomes a paperweight if you don't have those keys), I'd guess the card programmer may just use the master keys.

Some cards of course are not reprogrammed often at all and this wouldn't be an issue -- the case of a hotel room key, it might be reprogrammed almost daily, and I imagine it'd reduce the amount of cards that "go bad in the field" (from either the card or the programmer losing the current key for whatever reason) pretty significantly to just be able to reprogram them with a master key.

Could be wrong on that though! To be honest, I don't sweat it too much -- Mifare themselves has basically said these are not for high security use and they make cards with stronger security for uses that do need that. I mean, when it comes to it, if a hotel went back to physical locks one can pick the lock too. These are still popular since they are inexpensive and do at least provide similar level of security (pretty good but not THAT good) that a regular ol' lock and key do.

That's why I still deadbolt the door when I'm settled into the hotel room for the night. If the hotel doesn't have deadbolts on the door, don't sleep there.

Edit: hotel room keys are reprogrammed pretty much daily. I know, because I had the misfortune of one turning into a dud after making contact with my phone, which was connected to my headset and playing music, as I was riding in the elevator to go down to the smoke shack. Stopped by the counter, and the lady took the card from me, tried to reprogram it, and failed. I told her what happened, said "sorry," she just chuckled and tossed it in the trash, programmed me another. Told me if Rule #1 was to empty your lap before getting up, Rule #2 should be watching which pockets I put what in.
 
Read carefully: ".... it was not the FMSH who implemented the backdoor."
You misread. The vulnerability that led to the recovery of the first backdoor key, and that key itself, was found only on the FMSH devices. Using that vulnerability and key, they were able to discover a second key, that apparently was common to earlier devices as well, both from FMSH and NXP/Infineon.
 
This is surprising? Most hardware and software out of China contains security vulnerabilities added at the behest of the CCP. It's the price of doing business there. Just in the news this week: IBM is shutting down all its R&D labs in China, over similar concerns.

It is a Dutch protocol that's at fault. The article even calls out a Dutch and German company for having the flaw. This isn't just China bad. This is a bad protocol that didn't get looked at properly before it became a global standard. Or maybe it did. Lest we forget things like Crypto AG?
 
This is surprising? Most hardware and software out of China contains security vulnerabilities added at the behest of the CCP. It's the price of doing business there. Just in the news this week: IBM is shutting down all its R&D labs in China, over similar concerns.

Huh lol it's called xenophobia and it's passed down through the elders. I'm Lebanese for reference. Take a look at the mess that is the west. Bots run rampant on here spreading propaganda.

Chinese are people like us, they need to survive in this ugly world, too. America is responsible for so much evil on this globe.
 
That central bank digital currency is shaping up real good eh? One hardware backdoor and POOF! There goes the US treasury! I wonder if people will ever get fed up and demand technology is REMOVED where it is not absolutely needed. The chip and pin system is far more secure and it doesn't take that long to do....

Yes, because the Chinese do not have a monopoly on poor design or backdoors.
But they're doing capitalism much better than America these days. Big lol

Look at da data

Numba 1 bs lol all propaganda
 
It is a Dutch protocol that's at fault. The article even calls out a Dutch and German company for having the flaw. This isn't just China bad. This is a bad protocol that didn't get looked at properly before it became a global standard. Or maybe it did. Lest we forget things like Crypto AG?
Oh yeah, the funny thing is this came out in 1994, these only use a 48-bit key and proprietary encryption. The security on these got seriously picked apart around 2008 (in 2008, one could crack the keys on one in about 3 minutes using 2008-era hardware; further flaws were found in 2009 reducing that to well under 1 second.)

Oddly, even knowing the card security had been broken, several transportation systems at the time planning to install these cards just continued as if nothing had happened. (There were newer, more secure Mifare cards out by then, and they didn't even switch to rolling out using the newer cards instead.)

NXP has been urging places to use the more secure cards and readers instead for over 15 years. But, places that have the infrastructure already (or are doing a newer rollout and are just cheapskates and don't care if the cards are very secure) continue to buy Classic cards, so NXP continues to make the chips for them.
 
It is a Dutch protocol that's at fault. The article even calls out a Dutch and German company for having the flaw. This isn't just China bad. This is a bad protocol that didn't get looked at properly
No. The largest vulnerability is the attack that allows sector keys to be cracked within a few minutes. This vulnerability is specific to the Shanghai Fudan cards, and it is what allowed the discovery of the first backdoor key, which is also specific to these cards.

Using this backdoor key, Quarkslab was able to reverse-engineer the card and discover a second such key, this one (apparently) generic to all such cards.

NXP/Philips, the Dutch firm that originally developed Mifare Classic, has been telling the world for decades now that it isn't a secure standard. Shanghai Fudan released this "upgraded" version that was supposedly secure against all known attacks. Instead, it turns out to be substantially worse.

Oh, and let's not forget another point here. If you copy a public protocol, you don't get the baggage of private, non-published keys. The fact that the Shanghai Fudan cards include both this key as well as the new one they themselves added means they stole outright the firmware of an NXP/Philips card at some point, then simply began tacking on their own features.
 
But they're doing capitalism much better than America these days. Big lol

Look at da data

Numba 1 bs lol all propaganda
 