
RFID Cards Used in Hotels and Offices Worldwide Found to Have Hardware Backdoor

Cybersecurity researchers have found a hardware backdoor in a specific model of MIFARE Classic contactless cards that could allow unauthorized access to hotel rooms and office doors.

The vulnerability is present in FM11RF08S, a new version of MIFARE Classic released in 2020 by Shanghai Fudan Microelectronics.

According to Quarkslab researcher Philippe Teuwen, the backdoor in FM11RF08S allows attackers to compromise user-defined keys on the cards, even when fully diversified, by accessing the card for a few minutes.



Not only is the secret key common to existing FM11RF08S cards, but the attack could also be carried out instantly as part of a supply chain attack.

A similar backdoor has been discovered in the older generation FM11RF08 cards, which are protected with another key. This vulnerability has been observed in cards dating back to November 2007.

An optimized version of the attack can speed up the key cracking process by partially reverse engineering the nonce generation mechanism.

The company stated that the backdoor allows for the instant cloning of RFID smart cards used in office doors and hotel rooms worldwide.

Consumers are advised to check for susceptibility, especially since these cards are widely used in hotels in the U.S., Europe, and India.




Teuwen noted that the backdoor and its key enable new attacks to dump and clone these cards, even if all their keys are properly diversified.

This is not the first time security issues have been found in hotel locking systems. In March, vulnerabilities were discovered in Dormakaba’s Saflok electronic RFID locks, which could be exploited by threat actors to forge keycards and unlock doors.
