A shocking discovery by French cybersecurity firm Quarkslab has revealed a critical backdoor in millions of smart cards produced by Shanghai Fudan Microelectronics Group, China’s leading chip manufacturer. This vulnerability allows for instant cloning of RFID cards based on NXP’s MIFARE Classic chips, which are extensively used in public transportation, office buildings, hotels, financial institutions, and various organizations worldwide.
The Scope and Implications of the Vulnerability
The researchers at Quarkslab warn that exploiting this backdoor requires minimal effort. An attacker needs only a few minutes in proximity to a vulnerable card to compromise it. In cases of large-scale supply chain attacks, the compromise could be nearly instantaneous and affect a vast number of cards.
This vulnerability is particularly concerning because it affects cards that were previously thought to be secure against known “card-only” attacks. The FM11RF08S version of MIFARE Classic, introduced in 2020 by Shanghai Fudan Microelectronics, was designed with enhanced security measures to prevent such attacks. However, this new backdoor bypasses these protections entirely.
Technical Details of the Backdoor
The backdoor was discovered accidentally during a security analysis of the MIFARE Classic smart card family. Researchers found that they could perform authentication using an unknown key. Further investigation revealed that this backdoor key is identical for all existing FM11RF08S cards: A396EFA4E24F.
Additionally, a similar backdoor with a different key (A31667A8CEC1) was found in the previous generation of cards (FM11RF08) and other models from the same manufacturer. Alarmingly, this key also works on some older cards from NXP Semiconductors and Infineon Technologies.
Historical Context and Widespread Impact
The researchers believe that this backdoor may have been present since 2007, meaning that millions of cards issued over the past 17 years can be easily cloned within minutes or even seconds. This vulnerability is not limited to the Chinese market; it has global implications, with vulnerable cards being used in hotels across the United States, India, and European countries.
Implications for Cybersecurity and User Privacy
This discovery raises serious concerns about the security and privacy of smart card systems worldwide. Organizations using MIFARE Classic cards, especially those supplied by Shanghai Fudan Microelectronics, need to reassess their security measures immediately. The ease with which these cards can be compromised poses significant risks to access control systems, payment systems, and user privacy.
Recommendations for Affected Organizations
Organizations using potentially affected cards should consider the following steps:
- Conduct an immediate audit of their smart card systems to identify vulnerable cards
- Implement additional security layers, such as multi-factor authentication, where possible
- Begin planning for a transition to more secure smart card technologies
- Inform users about the potential risks and advise them on protective measures
This vulnerability serves as a stark reminder of the importance of ongoing security audits and the risks associated with relying on single-factor authentication systems. As cyber threats continue to evolve, organizations must remain vigilant and proactive in their approach to security, regularly updating and verifying the integrity of their systems and components.