Last month a hardware backdoor was published, which virtually comprises most RFID access-based systems out there. I haven’t been able to read it in detail till now. It’s a great read I have linked it below. RFID systems are used for access systems in hotel rooms and as employee badges use a cheap IC called FM11RF08. This is a contactless smart card chip developed by Shanghai Fudan Microelectronics, designed to be compatible with NXP’s MIFARE Classic cards but very cheap. Most devices in the last decade of installation would probably use this chip.
The paper reveals a critical flaw in FM11RF08S (newer secure version of the classic) cards. The vulnerability stems from a hardware backdoor, allowing attackers to access and compromise user-defined keys. This backdoor is triggered by using specific authentication commands that are normally used to initiate communication between the card and a reader. Through fuzzing (random testing of commands), they discovered that certain authentication commands respond in weird ways, allowing access to a backdoor authentication mechanism.
Normally, commands starting with 60 or 61 would authenticate using the card’s user-defined keys (keyA or keyB), but by changing specific bits, the card accepts a backdoor key, which allows the attacker to authenticate without knowledge of the actual keys. After breaking the backdoor key, the attacker gains access to all user-defined keys on the card, even if those keys are diversified or unique for each card sector. The allows an attacker to read all data stored on the card, including sensitive user information. Then the attacker can use a device like the Proxmark3 to clone the card. Once cloned, the attacker can emulate the card to any system that relies on the FM11RF08S. A pretty brilliant work with the hack.
So if you are a business owner using one of these systems and have something even remotely valuable guarding access with these chips, time to switch to something better!
