Sunday, September 15, 2024
HomeBackdoorBackdoor MIFARE Smart Cards Exposes User-Defined Keys On Cards

Backdoor MIFARE Smart Cards Exposes User-Defined Keys On Cards

Published on

Researchers analyze the security of MIFARE Classic cards, focusing exclusively on card-only attacks. They uncover multiple new attack vectors by examining the CRYPTO-1 algorithm, existing vulnerabilities, and a novel countermeasure. 

Through a combination of reverse engineering, cryptanalysis, and experimental analysis, they demonstrate the ability to extract card data and keys, clone cards, and ultimately compromise the security of both current and older MIFARE Classic card generations. 

The research culminates in the development of optimized attack tools and a deep understanding of the underlying vulnerabilities, emphasizing the critical need for replacing MIFARE Classic in modern applications.

- Advertisement - EHA

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

It investigates the vulnerabilities of MIFARE Classic memory cards using the CRYPTO-1 protocol by analyzing existing card-only attacks that exploit weaknesses in the protocol’s implementation, such as predictable nonce generation and parity bit leaks. 

Initial Observed across 500 authentication attempts with a FM11RF08S

Then, introduce the FM11RF08S card, which implements countermeasures against these attacks and uses a static encrypted nonce for nested authentication and a repeatable initial nonce generated by a Linear Feedback Shift Register (LFSR). 

Researchers discovered and exploited a backdoor in FM11RF08S RFID tags. By analyzing the tag’s response to unexpected commands, they uncovered a hidden authentication method that bypasses standard security measures. 

This backdoor grants full read access to all tag data, including previously inaccessible blocks, while the team developed a technique to recover the main encryption key, rendering the tag’s security mechanisms ineffective. 

It undermines the security of numerous RFID systems employing this tag model, emphasizing the critical need for robust security measures in embedded systems. 

FM11RF08S block 0 example

They discovered and exploited a backdoor in FM11RF08 and FM11RF08S MIFARE Classic clones, drastically accelerating key recovery attacks.

By targeting both keyA and keyB simultaneously and optimizing the key search process, they reduced attack time by a factor of six. 

Additionally, they identified a universal backdoor key applicable to older FM11RF08 models and even FM1208-10 devices, which enables rapid key extraction without prior knowledge, posing significant security risks for supply chain actors and end-users alike. 

Extensive testing of backdoor authentication commands on various card models revealed that certain non-Fudan cards unexpectedly accept these commands using a specific backdoor key, identical to that employed by Fudan FM11RF08 cards. 

 newer FM11RF08S block 128 access rights = 00F0FF

A separate group of cards, including NXP MF1ICS5005, MF1ICS5006, and MF1ICS5007, respond to backdoor commands using standard keyA/keyB authentication, while USCUID/GDM magic cards also fall into this category. 

The darknested attack is particularly effective against SLE66R35, MF1ICS5003, and MF1ICS5004 due to the slower key recovery process compared to the darkside attack. 

Researchers have discovered a critical hardware backdoor in the widely used FM11RF08S MIFARE Classic chip, enabling previously impossible attacks on card data, including cloning. 

The backdoor, present in all FM11RF08 chips since 2007, undermines the chip’s touted security and compromises systems worldwide, while the same backdoor key has been found on older NXP and Infineon cards, raising serious security concerns. 

MIFARE Classic’s inherent vulnerabilities remain, and this discovery highlights the urgent need for infrastructure audits and migration to more secure alternatives.

Tools and attack methods have been integrated into the Proxmark3 platform for public analysis and defense.

Latest articles

Kali Linux 2024.3 Released With New Hacking Tools

Kali Linux 2024.3, the most recent iteration of Offensive Security's highly regarded Debian-based distribution...

Hacker Tricks ChatGPT to Get Details for Making Homemade Bombs

A hacker known as Amadon has reportedly managed to bypass the safety protocols of...

Citrix Workspace App Vulnerable to Privilege Escalation Attacks

Citrix released a security bulletin (CTX691485) detailing two critical vulnerabilities in the Citrix Workspace...

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Hackers Exploiting Apache OFBiz RCE Vulnerability in the Wild

A critical vulnerability in the Apache OFBiz framework has been actively exploited by hackers....

Docker Desktop Vulnerabilities Let Attackers Execute Remote Code

Docker has addressed critical vulnerabilities in Docker Desktop that could allow attackers to execute...

Critical Vulnerabilities in JPEG 2000 Library Let Attackers Execute Remote Code

Exploiting memory corruption vulnerabilities in server-side software often requires knowledge of the binary and...