Researchers from Quarkslab have unveiled significant vulnerabilities in the FM11RF08S, a modern variant of the widely used MIFARE Classic smart cards.
Despite industry efforts to improve security, these cards, manufactured by Shanghai Fudan Microelectronics, contain a critical backdoor that could allow attackers to compromise all user-defined keys.
MIFARE Classic chips are a widely used technology in access control systems, public transportation, and contactless payment cards. NXP Semiconductors, the major semiconductor vendor that manufactures the MIFARE Classic chips, has long since moved on to newer, more secure generations of MIFARE chips, which offer stronger encryption and better security features.
However, the transition away from MIFARE Classic in many organizations has been slow due to cost and logistical challenges. This has created an industry of MIFARE Classic compatible cards, of which Shanghai Fudan Microelectronics is one of the largest players.
Finding a backdoor in the chip
The vulnerabilities on FM11RF08S were identified through a meticulous investigation conducted by Philippe Teuwen, a researcher at Quarkslab. The study focused on card-only attacks, which can be executed solely on the card without needing interaction with the card reader. Although FM11RF08S cards were initially perceived as resistant to known card-only attacks, including the infamous static nested attack, the Quarkslab team found otherwise.
Through extensive empirical testing using tools like Proxmark3, as well as fuzzing, the researchers reverse-engineered the card’s proprietary encryption algorithm, CRYPTO-1, which revealed the existence of a hardware backdoor. By exploiting this backdoor, the team successfully cracked the encryption keys, exposing all user-defined keys on the card. These keys can be extracted and copied to “clone cards.”
Impact
The FM11RF08S is a newer version of the MIFARE Classic, introduced by Fudan to improve security against previous vulnerabilities. However, the Quarkslab team's findings reveal that the backdoor could allow any entity with knowledge of it to access and clone the cards without prior knowledge of the encryption keys. This discovery undermines the security claims of the FM11RF08S, particularly as the backdoor key is universally the same across all tested cards.
The affected cards also include the previous generation FM11RF08, older NXP cards such as the MF1ICS5003 and MF1ICS5004, and the Infineon SLE66R35. This highlights a systemic issue in the security design of these cards, which are still used in various mission-critical applications worldwide, including access control systems and public transportation.
Conclusion
Shanghai Fudan Microelectronics markets the FM11RF08S as a secure alternative to the older MIFARE Classic 1K chip, offering anti-cracking capabilities, but Quarkslab's research proved otherwise.
Given the severity of the issue, it is recommended that organizations using FM11RF08S or similar cards from previous generations immediately review their security measures. Affected entities should consider migrating to more secure alternatives or implementing additional layers of security to mitigate the risk of unauthorized access.