August 21st, 2024

Major Backdoor in RFID Cards Allows Instant Cloning

A security vulnerability in RFID cards from Shanghai Fudan Microelectronics allows instant cloning, affecting MIFARE Classic cards used globally. Organizations are urged to assess their security against potential supply chain attacks.

A significant security vulnerability has been identified in millions of RFID cards produced by Shanghai Fudan Microelectronics, allowing for the instantaneous cloning of these cards, which are commonly used for access to office buildings and hotel rooms. The discovery was made by Quarkslab, a French security firm, and detailed in a research paper by Philippe Teuwen. The vulnerability, which can be exploited with just a few minutes of physical proximity to the card, poses a serious risk, especially in scenarios involving supply chain attacks. The affected cards belong to the MIFARE Classic family, widely used in public transportation and hospitality. Teuwen's research revealed that the FM11RF08S variant, released in 2020, was thought to have countermeasures against known attacks. However, he found a backdoor that allows unauthorized access using a common secret key across all FM11RF08S cards. Similar vulnerabilities were also discovered in earlier card generations. Quarkslab has urged organizations to assess their security infrastructure, as many may be unaware that their MIFARE Classic cards are actually Fudan's variants, which are prevalent in various locations worldwide, including hotels in the US, Europe, and India.

- A backdoor in RFID cards from Shanghai Fudan Microelectronics allows for instant cloning.

- The vulnerability affects MIFARE Classic cards used globally for access control.

- Exploitation requires only a few minutes of physical proximity to the card.

- Organizations are advised to check their infrastructure for these vulnerable cards.

- The issue highlights risks associated with supply chain attacks in cybersecurity.

6 comments
By @cameron_b - 5 months
It is really important when evaluating RFID access control systems to understand that most of the card types are designed to be replicated. Most of the cards printed commercially are "fused" for write-once enumeration, but that pertains to the physical card only. Another card can very easily be written with the same number with the proper hardware, or a different sort of hardware may be made to broadcast the same identifier as the card.

A backdoor is one thing, but the technology is paper-thin when used alone.

RFID is an inexpensive thing-monitoring platform, great for tracking goods in a process (manufacturing or in some cases, warehousing) but it should not be relied upon as the only layer in a security solution.

By @lxgr - 5 months
Pet peeve: RFID is a bit of a misnomer for electronic lock cards, at least for those complex enough to actually be capable of having a backdoor.

RFID identifies; MIFARE and similar cards also mutually authenticate and/or store data securely (or not so securely when using MIFARE Classic or clones, such as this one).

By @rollulus - 5 months
By @beeboobaa3 - 5 months
Is this an actual backdoor, as in, put in there on purpose by the manufacturer? Sure sounds like it.