Backdoor in Mifare chip cards could open doors worldwide

Security researchers have discovered a backdoor in a common brand of contactless key cards that could be exploited on a large scale to open hotel room and office doors around the world.

Quarkslab said it found the hardware backdoor in the FM11RF08S, a new variant of Mifare Classic cards manufactured by Shanghai Fudan Microelectronics.

“Through quick fuzzing, we discovered a hardware backdoor that allows authentication with an unknown key. Using our new attack, we cracked the secret key and found that it is common to all existing FM11RF08S cards,” researcher Philippe Teuwen explained in a blog post.

“We have developed several other attacks that use the backdoor to crack all keys of any card in a matter of minutes, without needing to know any original key (other than the backdoor key). We have shown how these attacks can be carried out instantly by an entity capable of conducting a supply chain attack.”

In such a scenario, a malicious actor with knowledge of the backdoor and access to the manufacturing process could clone the cards on a large scale.

Even more worrying, Teuwen found a similar backdoor in the previous generation of cards, the FM11RF08, which was protected with a different key.

He urged customers to look for “more robust alternatives” to these Mifare Classic cards on the market.

“The FM11RF08S backdoor allows any entity with knowledge of it to compromise all custom keys on these cards, even if they are fully diversified, by simply accessing the card for a few minutes,” concluded Teuwen.

“Consumers should immediately review their infrastructure and assess the risks. Many are probably unaware that the Mifare Classic cards they received from their supplier are actually Fudan FM11RF08 or FM11RF08S, as these two chip references are not limited to the Chinese market. For example, we have found these cards in numerous hotels in the US, Europe and India.”

Millions of cards at risk

Other experts claimed that the backdoor could affect millions of smart cards in use around the world and could potentially allow malicious actors to physically penetrate restricted areas.

“Backdoors like this are rarely unintentional. They are usually intentional, either for debugging or for undisclosed access. The fact that it was discovered during a security investigation suggests it was not well hidden, suggesting possible negligence, but it is impossible to come to a conclusion without knowing more,” argued Jason Soroko, SVP of Product at Sectigo.

“Supply chain attacks could involve inserting compromised chips into card readers or cloning cards during production or distribution. Attackers could mass-produce cloned cards or modify the chips’ firmware, which could lead to large-scale, undetectable attacks. This could lead to massive, coordinated attacks on multiple facilities, with serious security and business consequences.”

By Olivia
