MIFARE Classic (RFID cards)

2024: Identifying a critical hole

In mid-August 2024, French firm Quarkslab discovered a critically significant hole in millions of contactless cards issued by Shanghai Fudan Microelectronics Group, a leading chipmaker in China. This backdoor, described by Quarterslab researcher Philip Teuven, allows you to instantly clone RFID cards, so any hacker can open the doors of offices and hotel rooms around the world.

Teuven said that he discovered a vulnerability during experiments with the MIFARE Classic family of cards, which is widely used in public transport and the hotel business. The MIFARE Classic family of cards is widely used around the world and has often been the victim of cyber attacks. Particular concerns are raised by vulnerabilities in which a hacker only needs access to the card, without interacting with the reader, since this allows attackers to clone cards or read and write their contents simply by sitting nearby for several minutes.

RFID Card

In 2020, Shanghai Fudan Microelectronics released its MIFARE Classic card with protection against then known non-reader attack options, which allowed the company to gradually gain significant market share worldwide. However, Teuven showed that FM11RF08S keys can be hacked in just a few minutes if they are reused in at least three sectors or on three maps. During the experiment, Teuven "cracked" the secret key and discovered that it was common to all existing FM11RF08S cards. Quarkslab urged consumers to check their infrastructure as soon as possible and assess the risks of hacking, given that such cards are not limited to the Chinese market and are found in many hotels in the United States, Europe and India.^[1]

Notes