Research from Quarkslab has revealed a critical backdoor in smart cards produced by Shanghai Fudan Microelectronics Group. According to the researchers’ technical paper, the issue enables rapid compromise of affected RFID cards built around MIFARE Classic-compatible designs used in transport, access control, hospitality, and other large deployments.
The Scope and Implications of the Vulnerability
The researchers at Quarkslab warn that exploiting this backdoor requires minimal effort. An attacker needs only a few minutes in proximity to a vulnerable card to compromise it. In cases of large-scale supply chain attacks, the compromise could be nearly instantaneous and affect a vast number of cards.
This vulnerability is particularly concerning because it affects cards that were previously thought to be secure against known “card-only” attacks. The FM11RF08S MIFARE Classic version, introduced in 2020 by Shanghai Fudan Microelectronics, was designed with enhanced security measures to prevent such attacks. However, this new backdoor bypasses these protections entirely.
Technical Details of the Backdoor
The backdoor was discovered accidentally during a security analysis of the MIFARE Classic smart card family. Researchers found that they could perform authentication using an unknown key. Further investigation revealed that this backdoor key is identical for all existing FM11RF08S cards: A396EFA4E24F.
Additionally, a similar backdoor with a different key (A31667A8CEC1) was found in the previous generation of cards (FM11RF08) and other models from the same manufacturer. Alarmingly, this key also works on some older cards from NXP Semiconductors and Infineon Technologies.
Historical Context and Widespread Impact
The researchers believe that this backdoor may have been present since 2007, meaning that millions of cards issued over the past 17 years can be easily cloned within minutes or even seconds. This vulnerability affects not only the Chinese market but has global implications, with vulnerable cards being used in hotels across the United States, India, and European countries.
Organizations using MIFARE Classic cards from Shanghai Fudan face immediate cloning risk
This discovery raises serious concerns about the security and privacy of smart card systems worldwide. Organizations using MIFARE Classic cards, especially those supplied by Shanghai Fudan Microelectronics, need to reassess their security measures immediately. The ease with which these cards can be compromised poses significant risks to access control systems, payment systems, and user privacy.
Recommendations for Affected Organizations
Organizations using potentially affected cards should consider the following steps:
- Conduct an immediate audit of their smart card systems to identify vulnerable cards
- Implement additional security layers, such as multi-factor authentication, where possible
- Begin planning for a transition to more secure smart card technologies
- Inform users about the potential risks and advise them on protective measures
Organizations should verify with their card supplier whether deployed cards are FM11RF08S or FM11RF08 models from Shanghai Fudan Microelectronics. If confirmed, begin immediate transition planning to cryptographically stronger alternatives such as MIFARE DESFire EV3 or CIPURSE-compliant cards. Quarkslab’s research summary and the full paper with annexes include the affected references and attack details.
