Backdoor discovered in MIFARE Classic-compatible cards
In a significant revelation, cybersecurity researchers have uncovered critical vulnerabilities in a new variant of the widely used MIFARE Classic smart cards. The latest model, identified as FM11RF08S and released by a leading Chinese manufacturer of unlicensed “MIFARE compatible” chips, has been found, despite years of updates and security patches, to harbor serious flaws that could compromise secure access control systems globally.
The MIFARE Classic has long been a staple in the security systems of numerous industries, particularly in access control and public transportation. However, this widespread adoption has not been without consequence. The card has been the target of many attacks over the years, leading to the development of new variants designed to resist known exploits.
Among these is the FM11RF08S, which introduced a countermeasure known as the static encrypted nonce. This mechanism was intended to thwart all known card-only attacks, which are attacks that can be executed directly on the card without needing to interact with the backend system. However, researchers at Quarkslab have revealed that this countermeasure is not as secure as previously thought.
Through extensive testing and analysis, the research team discovered that the FM11RF08S chip harbors a hardware backdoor, a critical vulnerability that allows attackers to bypass security and gain access to user-defined keys. This backdoor, once accessed, enables a complete compromise of the card’s security, allowing the attacker to clone the card or emulate it without needing prior knowledge of the keys.
The study reveals that the static encrypted nonce, which was initially believed to provide robust protection against unauthorized access, can be easily manipulated under certain conditions. The researchers demonstrated that by exploiting the backdoor, they could not only extract sensitive information but also control the card’s behavior in ways that should be impossible under normal circumstances.
What makes this vulnerability particularly concerning is the revelation that this backdoor key is universal across all FM11RF08S chips. This means that anyone with knowledge of the backdoor key can potentially compromise any card based on this chip, regardless of how securely it was configured.
The discovery of this backdoor raises significant concerns about the overall security of systems relying on MIFARE Classic technology. Despite the chip’s reputation as a secure option, these findings demonstrate that inherent vulnerabilities remain that could be exploited by determined attackers.
Moreover, the research uncovered similar backdoors in older versions of MIFARE Classic-compatible chips, suggesting that this issue may be more widespread than previously understood. This discovery underscores the need for organizations using these cards to reassess their security strategies and consider migrating to more secure alternatives.
For organizations still relying on MIFARE Classic and its variants, this research serves as a stark warning. It is imperative that systems be updated and that alternative security measures be implemented to protect against potential exploits. As attackers become increasingly sophisticated, relying on outdated or flawed security mechanisms is no longer viable.
Quarkslab’s research has not only exposed a critical flaw in the FM11RF08S but has also contributed tools and methodologies to the Proxmark3 repository, enabling security professionals to test and secure their systems against these newly uncovered vulnerabilities.