Security Risk: Hardware Backdoor in Chinese FM11RF08S Smart Cards

Security researchers have made a concerning discovery regarding the security of FM11RF08S variant of the MIFARE Classic RFID smart cards manufactured by Shanghai Fudan Microelectronics. A widespread hardware backdoor has been found in these cards, allowing for instant cloning and compromising of user-defined keys.

The backdoor, which was previously thought to be resistant to card-only attacks, was uncovered by researchers from Quarkslab during an investigation into the card’s security features. They were able to crack the secret key, revealing that it is the same across all FM11RF08S cards. This poses a significant security risk for businesses and consumers using these cards, as attackers can easily dump and clone them.

The implications of this discovery are far-reaching, as the affected cards have been found in hotels across the U.S., Europe, and India. Additionally, the researchers also found a common hardware backdoor key in older MIFARE Classic card models from various manufacturers.

While the MIFARE Classic card standard has long been known to be insecure, it remains widely used due to business inertia and the high cost of migrating to more secure systems. The researchers stress the importance of migrating to more robust alternatives to ensure the security of RFID-based systems.

Consumers are advised to assess the potential risks of their RFID infrastructure and consider the possibility that their MIFARE Classic cards may be affected by the hardware backdoor. While there are more secure alternatives on the market, the researchers caution that no system can guarantee the absence of hardware backdoors.