MIFARE Classic smart cards, developed and licensed by NXP, are widely used but have been subjected to numerous attacks over the years. Despite the introduction of new versions, these cards have remained vulnerable, even in card-only scenarios.
In 2020, the FM11RF08S, a new variant of MIFARE Classic, was released by the leading Chinese manufacturer of unlicensed "MIFARE compatible" chips. This variant features specific countermeasures designed to thwart all known card-only attacks and is gradually gaining market share worldwide. For example, these cards are used in the hotels of past editions of Hardwear.io NL, Hardwear.io USA and Nullcon Goa.
We present the specific countermeasures, a chain of several attacks and unexpected findings regarding the FM11RF08S. Through empirical research, we discovered a hardware backdoor and successfully cracked its key. This backdoor enables any entity with knowledge of it to compromise all user-defined keys of these cards without any prior knowledge of those keys, simply by accessing the card for a few minutes.
Additionally, our investigation into older cards uncovered another hardware backdoor key that was common to several manufacturers.
Philippe Teuwen (@doegox) is a Security Tech Leader at Quarkslab, happily sailing across the frontier between hardware and software. He has enabled new attack vectors and open source tools, such as the adaptation of side-channel techniques to white-box cryptography and EEPROM tear-off attacks defeating various RFID security features. He is on the editorial team of the International Journal of PoC||GTFO and loves organizing hardware CTFs.