Experts have raised alarms about a significant security flaw in contactless cards used to unlock doors in hotels and offices worldwide, making it possible for almost anyone to gain unauthorized access.
Cybersecurity researchers from Quarkslab have focused on a specific variant of the MIFARE Classic card called FM11RF08S, which was introduced in 2020 by Shanghai Fudan Microelectronics, a leading Chinese manufacturer of “MIFARE compatible” chips. The FM11RF08S is claimed to include safeguards against all known card-only attacks, and its growing popularity makes any weakness in it a concern.
Shockingly, it only took the researchers a few minutes to find a vulnerability in the FM11RF08S cards. When the same sector keys were reused across at least three sectors or three different cards, they were able to crack the keys.
Further investigation revealed an even more troubling issue: a hardware backdoor in the card that allows authentication without knowing the sector keys. The backdoor is itself protected by a secret key, and when the researchers cracked it, they discovered it was the same across all FM11RF08S cards, making every single one vulnerable.
With this backdoor, the researchers designed several additional attacks, all capable of cracking any card’s keys in just a few minutes, without needing any initial keys besides the backdoor one.
To make matters worse, when Quarkslab examined older models, they found a similar backdoor in the previous generation FM11RF08 card, which was also protected by a key. Once they cracked this second key, they realized it was the same for all FM11RF08 cards, as well as other Fudan models (FM11RF32, FM1208-10), and even older cards from NXP (MF1ICS5003 & MF1ICS5004) and Infineon (SLE66R35), some dating back to 2007.
The researchers have advised users to review their infrastructure and assess the risks, as many may not be aware that the MIFARE Classic cards they’ve purchased are actually Fudan FM11RF08 or FM11RF08S variants. These compromised cards have been found in numerous hotels across the US, Europe, and India, not just in China.