Millions of Office and Hotel RFID Smart Access Cards Allow Instant Cloning Due to Backdoor

• Security researchers have discovered a major backdoor in the RFID smart cards made by a Chinese producer.
• The vulnerability affects two generations of the MIFARE Classic cards used by several hotel chains worldwide.
• The backdoor in these generations enables key code-cracking in only a few minutes.

A backdoor in millions of RFID smart cards used to open office doors and hotel rooms allows instant cloning, as per the latest Quarkslab security report. The vulnerability was found in the public transportation and the hospitality industry MIFARE Classic smart cards made by China-based leading chip manufacturer “Shanghai Fudan Microelectronics Group.”

The MIFARE Classic cards affected by this backdoor belong to the FM11RF08 or FM11RF08S generations and are not limited to the Chinese market, as they were found in hotels in the U.S., Europe, and India.

The security vulnerability allows “card-only” attacks, which require access only to a card and not the corresponding card reader, and lets an attacker read and write data in just a few minutes of physical proximity to an affected card. Still, attacks could also be executed instantaneously at scale.

In 2020, the FM11RF08S variant of the MIFARE Classic released by the leading Chinese manufacturer of unlicensed compatible chips had specific countermeasures designed to thwart all known card-only attacks, dubbed by the community as “static encrypted nonce.”

However, security experts say Shanghai Fudan’s FM11RF08S cards’ keys can be cracked in a few minutes if they are being reused across at least three sectors or three cards via a hardware backdoor that allows authentication with an unknown key. The FM11RF08S backdoor allows anyone with knowledge to compromise all user-defined keys, even when fully diversified.

A similar backdoor with a different key was found in the previous card generation, FM11RF08, as well as other models from the same vendor, like FM11RF32, FM1208-10, and even some old cards from NXP Semiconductors and Infineon Technologies.

The widely used MIFARE Classic card series was launched in 1994 by Philips and has been subjected to numerous attacks over the years. 

A recent security report discovered 24 vulnerabilities in a popular biometric terminal, a hybrid biometric terminal made by ZkTeco. Among them are QR code SQL injection, buffer stack overflow, and more.