Security researchers have discovered a backdoor in a popular make of contactless key card that could be exploited at scale to open hotel room and office doors across the globe.
Quarkslab said it found the hardware backdoor in the FM11RF08S, a new variant of Mifare Classic cards manufactured by Shanghai Fudan Microelectronics.
“Through quick fuzzing, we discovered a hardware backdoor that allows authentication with an unknown key. We cracked the secret key with our new attack and found it to be common to all existing FM11RF08S cards,” researcher Philippe Teuwen explained in a blog post.
“We designed several other attacks leveraging the backdoor to crack all the keys of any card in a few minutes, without the need to know any initial key (besides the backdoor one). We demonstrated how these attacks could be executed instantaneously by an entity in a position to carry out a supply chain attack.”
In such a scenario, a malicious actor with knowledge of the backdoor and access to the manufacturing process could clone the cards at scale.
More concerning still, Teuwen found a similar backdoor in the previous generation of cards, the FM11RF08, protected with another key.
He urged customers to find more “robust alternatives” to these Mifare Classic cards on the market.
“The FM11RF08S backdoor enables any entity with knowledge of it to compromise all user-defined keys on these cards, even when fully diversified, simply by accessing the card for a few minutes,” Teuwen concluded.
“Consumers should swiftly check their infrastructure and assess the risks. Many are probably unaware that the Mifare Classic cards they obtained from their supplier are actually Fudan FM11RF08 or FM11RF08S, as these two chip references are not limited to the Chinese market. For example, we found these cards in numerous hotels across the US, Europe, and India.”
Millions of Cards at Risk
Other experts claimed the backdoor could impact millions of smart cards used around the world, potentially allowing malicious actors to physically enter areas of restricted access.
“Backdoors like this are rarely accidental. They are typically intentional, either for debugging or undisclosed access. The fact that it was discovered during security research suggests it was not well-hidden, indicating possible negligence, but it is impossible to come to a conclusion without knowing more,” argued Jason Soroko, SVP of product at Sectigo.
“Supply chain attacks here could involve inserting compromised chips into card readers or cloning cards during production or distribution. Attackers could mass-produce cloned cards or alter the chips’ firmware, allowing widespread, undetectable breaches at scale. This could lead to massive, coordinated attacks on multiple facilities, with severe consequences for both security and business operations.”