Have you ever considered how secure your office or hotel key
cards really are?
Recent research by French security firm Quarkslab has
uncovered a serious vulnerability that could impact millions of contactless
cards worldwide. These cards, produced by Shanghai Fudan Microelectronics
Group, contain a backdoor that allows hackers to clone them in mere minutes.
This backdoor, discovered by Quarkslab researcher Philippe
Teuwen, is found in RFID smart cards used in many places, from office buildings
to hotel rooms. The worrying part? Hackers only need a few minutes of physical
access to one of these cards to clone it. And if they can infiltrate the supply
chain, they could clone cards on a massive scale almost instantly.
Teuwen stumbled upon this issue while testing the security
of the MIFARE Classic card family, a type of card used widely in public
transport and the hospitality industry. These cards have been around since 1994
and have seen numerous security upgrades over the years. However,
vulnerabilities that allow attacks without needing access to the card
reader—just the card itself—remain a significant concern.
In 2020, a new variant of these cards, known as FM11RF08S,
was released by Shanghai Fudan Microelectronics. This version was supposed to
be more secure, featuring protections against known attacks. But Teuwen
discovered that this version still has weaknesses. Specifically, if certain
keys are reused across different sectors or cards, those keys can be cracked in
just a few minutes.
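Because key reuse across sectors or cards is what makes this attack fast, a key inventory can be audited for it. The following is an added example, not code from Quarkslab or the original article: it parses the standard 16-byte MIFARE Classic sector trailer (key A, access bytes, key B) and flags reused and factory-default keys. The card IDs, key values and function names are constructed for illustration, and it assumes every key B slot holds a key rather than data.

```python
from collections import defaultdict

# Factory-default transport key for MIFARE Classic; should not remain in production.
DEFAULT_KEY = "FFFFFFFFFFFF"

def parse_trailer(trailer_hex):
    """Split a 16-byte sector trailer into (key A, key B) as hex strings."""
    raw = bytes.fromhex(trailer_hex)
    if len(raw) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    # Layout: key A (6 bytes) | access bits + user byte (4 bytes) | key B (6 bytes)
    return raw[0:6].hex().upper(), raw[10:16].hex().upper()

def audit_key_reuse(cards):
    """cards: {card_id: [trailer_hex for sector 0, 1, ...]} -> findings dict."""
    seen = defaultdict(set)  # key -> {(card_id, sector, slot)}
    for card_id, trailers in cards.items():
        for sector, trailer_hex in enumerate(trailers):
            key_a, key_b = parse_trailer(trailer_hex)
            seen[key_a].add((card_id, sector, "A"))
            seen[key_b].add((card_id, sector, "B"))
    findings = {"default": [], "cross_sector": [], "cross_card": []}
    for key, uses in sorted(seen.items()):
        if key == DEFAULT_KEY:
            findings["default"].extend(sorted(uses))
        by_card = defaultdict(set)
        for card_id, sector, _slot in uses:
            by_card[card_id].add(sector)
        if len(by_card) > 1:  # same key found on more than one card
            findings["cross_card"].append((key, sorted(by_card)))
        for card_id, sectors in sorted(by_card.items()):
            if len(sectors) > 1:  # same key protects several sectors of one card
                findings["cross_sector"].append((key, card_id, sorted(sectors)))
    return findings

ACCESS = "FF078069"  # constructed access-bytes field
SAMPLE_CARDS = {  # constructed inventory, not real card data
    "card-001": ["1A2B3C4D5E6F" + ACCESS + "B0B1B2B3B4B5",
                 "1A2B3C4D5E6F" + ACCESS + "111111111111",
                 "FFFFFFFFFFFF" + ACCESS + "222222222222"],
    "card-002": ["C0C1C2C3C4C5" + ACCESS + "B0B1B2B3B4B5",
                 "333333333333" + ACCESS + "444444444444"],
}

if __name__ == "__main__":
    for category, items in audit_key_reuse(SAMPLE_CARDS).items():
        print(category, items)
```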
Further investigation revealed a hardware backdoor that
allows anyone who knows about it to bypass the card’s security, even if it has
been customized with unique keys. Shockingly, the secret key that enables this
backdoor is the same across all FM11RF08S cards. Teuwen also found a similar
backdoor in the previous generation of these cards, and it turns out that other
models from the same vendor, as well as some older cards from NXP
Semiconductors and Infineon Technologies, share the same flaw.
Quarkslab has issued a warning, urging businesses to check
their systems and assess the risks. Many organizations may not even realize
that the MIFARE Classic cards they’re using are actually the vulnerable Fudan
FM11RF08 or FM11RF08S models. These cards have been found in hotels across the
U.S., Europe, and India.
This discovery highlights the importance of regularly
reviewing and updating your security systems. If you’re using contactless
cards, it might be time to take a closer look at whether they’re as secure as
you think.