Shemhamforash

I'm a self-taught coder and a digital artist passionate about creating unique digital experiences. I love composing music, creating pixel art and exploring the intersection of code and creativity. Currently building interesting things with TypeScript/JavaScript, and getting into filmography.


RFID Cards Could Pose Global Security Risks After Discovery of Hardware Backdoor

A recent discovery has revealed that some widely used RFID cards may contain a significant hardware vulnerability. Security researchers at Quarkslab have found a hardware backdoor in RFID chips developed by Shanghai Fudan Microelectronics (FMSH). These chips are often used in contactless smart cards for managing access to office buildings, hotel rooms, and other secure areas worldwide, and they adhere to the Mifare protocol originally developed by Philips spin-off NXP Semiconductors. The security of these cards is at risk due to an inherent flaw, regardless of the card’s specific brand.

Quarkslab’s research into RFID encryption practices led to the discovery of backdoors in millions of contactless cards, specifically in a widely used model known as “Mifare Classic.” This backdoor could enable attackers to easily clone or duplicate cards, compromising security for countless users. Despite previous security improvements, many cards using this protocol remain vulnerable to attacks, even as updated versions are released.

Shanghai Fudan’s FM11RF08S chip, a Mifare-compatible technology released in 2020, aimed to offer an affordable RFID solution with new security countermeasures to prevent known card-only attacks. However, it introduced unique vulnerabilities of its own. Philippe Teuwen, a Quarkslab analyst, discovered a way to compromise the chip’s “sector keys” in minutes if a particular key is reused across multiple sectors or cards. This new knowledge led him to an even more concerning finding: a hardware backdoor that enables access to cards using a hidden key. Teuwen was able to crack this key, which appears to be shared across all FM11RF08S cards.

Further investigation revealed that this hardware backdoor exists in earlier models, such as the FM11RF08, as well. The secret key used in these previous versions is common not only to Fudan’s cards but also to “official” Mifare cards produced by NXP and Infineon.

The FM11RF08S backdoor could allow an attacker to retrieve user-defined keys after accessing the card briefly, presenting a severe security risk for any institution relying on these cards for restricted access. This vulnerability affects numerous cards used across the United States, Europe, and India, with many hotels deploying this flawed technology.

Teuwen emphasized the risks posed by the Mifare Classic protocol itself, which is fundamentally insecure. If an attacker gains access to a corresponding reader, recovering the keys remains feasible, regardless of attempted improvements. However, there are alternative RFID solutions available on the market, which provide more robust and presumably backdoor-free security.

For users relying on Mifare Classic cards, it may be time to consider updating to a more secure technology to ensure their systems are not vulnerable to exploitation.
