Security researchers have found a hardware backdoor in a particular model of MIFARE Classic contactless card that could allow unauthorized access to hotel rooms, office doors, and other secured areas.
Shanghai Fudan Microelectronics released the model in question, the FM11RF08S, in 2020. The chip was marketed as the most hardened member of the MIFARE Classic family yet, built around a countermeasure the research community calls the "static encrypted nonce", which was intended to shut down every known card-only attack. According to Philippe Teuwen of Quarkslab, "The backdoor in the FM11RF08S allows anyone with knowledge of it to compromise all user-defined keys on these cards, even when fully diversified, simply by accessing the card for a few minutes."
Teuwen, R&D lead at Quarkslab, uncovered the flaw together with the Proxmark3 community, the loose collective of researchers and hobbyists who probe RFID hardware with the open-source Proxmark3 tool. Through repeated empirical testing and command fuzzing, the team found that flipping a single bit in the authentication command byte switched the card away from the standard Key A/Key B scheme to a hidden backdoor key. That key was recovered by brute force in roughly two minutes, after which every data sector on the card could be read without any of the legitimate keys.
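To make the command-level detail concrete, here is an added Python example written for this page; it is not code from Quarkslab or the Proxmark3 project. It builds and parses the 4-byte MIFARE Classic authentication frame (command, block number, CRC_A) and shows that the backdoor variant differs from the standard command in exactly one bit. The standard command values 0x60/0x61 and the CRC_A algorithm follow the public MIFARE Classic and ISO 14443-3A conventions; the backdoor command values 0x64/0x65 come from the published Quarkslab research rather than from this article. The backdoor key itself is deliberately not reproduced, and the sample trace scanned at the end is constructed for illustration, not a real capture.

```python
# Added example: MIFARE Classic authentication frames and the one-bit backdoor variant.
# Not code from Quarkslab or the Proxmark3 project. Command values 0x60/0x61 are the
# standard MIFARE Classic Key A / Key B authentication commands; 0x64/0x65 are the
# backdoor variants described in the published research. The hidden key is not included.

AUTH_KEY_A = 0x60         # standard authentication with Key A
AUTH_KEY_B = 0x61         # standard authentication with Key B
BACKDOOR_AUTH_A = 0x64    # backdoor variant: bit 2 of the command byte set
BACKDOOR_AUTH_B = 0x65

# command byte -> (key slot mirrored, uses the hidden backdoor key)
AUTH_COMMANDS = {
    AUTH_KEY_A: ("A", False),
    AUTH_KEY_B: ("B", False),
    BACKDOOR_AUTH_A: ("A", True),
    BACKDOOR_AUTH_B: ("B", True),
}


def crc_a(data: bytes) -> bytes:
    """ISO 14443-3A CRC_A (16-bit, preset 0x6363), returned LSB first as sent on the wire."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte ^= (byte << 4) & 0xFF
        crc = ((crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def build_auth_frame(command: int, block: int) -> bytes:
    """First reader-to-card frame of MIFARE Classic authentication: CMD BLOCK CRC_A.
    The key itself is never sent; it is used in the Crypto-1 handshake that follows."""
    if command not in AUTH_COMMANDS:
        raise ValueError(f"unknown authentication command 0x{command:02X}")
    if not 0 <= block <= 0xFF:
        raise ValueError("block number must fit in one byte")
    payload = bytes([command, block])
    return payload + crc_a(payload)


def parse_auth_frame(frame: bytes) -> dict:
    """Decode a captured 4-byte authentication frame, verify its CRC and flag the backdoor."""
    if len(frame) != 4:
        raise ValueError("authentication frame must be 4 bytes")
    if crc_a(frame[:2]) != frame[2:]:
        raise ValueError("CRC_A mismatch: frame is corrupted")
    if frame[0] not in AUTH_COMMANDS:
        raise ValueError(f"not an authentication command: 0x{frame[0]:02X}")
    key_slot, backdoor = AUTH_COMMANDS[frame[0]]
    # sector = block // 4 holds for 1K cards (4 blocks per sector); assumed here
    return {"key": key_slot, "block": frame[1], "sector": frame[1] // 4, "backdoor": backdoor}


def bit_difference(a: int, b: int) -> list:
    """Bit positions (0 = LSB) at which two command bytes differ."""
    return [i for i in range(8) if (a ^ b) >> i & 1]


def find_backdoor_attempts(trace: list) -> list:
    """Scan reader-to-card frames and return (index, parsed) for every backdoor auth attempt.
    Non-authentication frames (READ 0x30, nonces, ACKs) are skipped."""
    hits = []
    for index, frame in enumerate(trace):
        if len(frame) != 4 or frame[0] not in AUTH_COMMANDS:
            continue
        try:
            parsed = parse_auth_frame(frame)
        except ValueError:
            continue
        if parsed["backdoor"]:
            hits.append((index, parsed))
    return hits


# Constructed sample trace (reader-to-card frames only); not a real capture.
SAMPLE_TRACE = [
    build_auth_frame(AUTH_KEY_A, 4),                      # legitimate Key A auth, sector 1
    bytes([0x30, 0x04]) + crc_a(bytes([0x30, 0x04])),     # READ block 4
    build_auth_frame(BACKDOOR_AUTH_A, 8),                 # backdoor auth aimed at sector 2
]

if __name__ == "__main__":
    print("standard  :", build_auth_frame(AUTH_KEY_A, 0).hex())
    print("backdoor  :", build_auth_frame(BACKDOOR_AUTH_A, 0).hex())
    print("bits diff :", bit_difference(AUTH_KEY_A, BACKDOOR_AUTH_A))
    for index, parsed in find_backdoor_attempts(SAMPLE_TRACE):
        print(f"frame {index}: backdoor auth to sector {parsed['sector']}")
```

The frame for a standard Key A authentication of block 0 is `60 00 F5 7B`; the backdoor variant is `64 00 95 1C`, and the two command bytes differ only in bit 2. The scanner is the kind of check a practitioner would run over a Proxmark3 sniff of a reader: a legitimate reader never emits 0x64 or 0x65, so any such frame is an attack indicator.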
The researchers also found that the backdoor key is shared by every FM11RF08S card in circulation, so a single leaked value affects all deployments and opens the door to supply chain attacks. The earlier-generation FM11RF08 carries a similar backdoor with its own key. Cards with that backdoor have been in circulation since at least November 2007, and the underlying weaknesses of this card family trace back even further, to the late 1990s.
What started as a single suspicious chip turned into a far wider problem. Teuwen's investigation eventually traced the backdoor across an entire roster of cards rather than a lone model. Beyond the FM11RF08S, the same or closely related hidden keys turned up in Fudan's FM11RF08, FM11RF32 and FM1208-10 chips and, more troublingly, in "official" cards from established Western vendors, namely NXP's MF1ICS5003 and MF1ICS5004 and Infineon's SLE66R35. A distinct backdoor key was also pinned down for the FM11RF32. Hidden keys shared across several manufacturers and chip generations point to a systemic design problem rather than a single vendor's mistake.
The researchers also devised an optimized attack that speeds up key recovery five- to six-fold by partially reverse-engineering the card's nonce generation mechanism.
"The backdoor enables the immediate cloning of RFID smart cards used to open office doors and hotel rooms worldwide," Quarkslab stated. Although the attack normally requires physical proximity to the card, a supply chain attack could enable exploitation at scale.
Because the backdoor lives in the silicon itself, no software update or firmware patch can close it. Any access-control system still relying on these chips is fundamentally exposed, and the only real remedy is to physically replace the affected cards (and, where a new card technology requires it, the readers), an expensive and slow undertaking for the many organizations that adopted MIFARE-compatible cards precisely because they were cheap.
Because MIFARE Classic cards are widely used in hotels in the US, Europe, and India, consumers and operators are encouraged to check whether their cards are vulnerable; the most direct test is whether a card accepts the backdoor authentication command. Many buyers never realize that the cards their supplier handed them are actually Fudan FM11RF08 or FM11RF08S parts, since these chip references are sold well beyond the Chinese market.
The threat is not limited to door access. Contactless-card abuse has already migrated into financial fraud, as seen with the NGate Android malware that relays NFC data from a victim's payment card to an attacker's device, underscoring how quickly weaknesses in contactless technology get weaponized once they are public.
In the research paper, Teuwen stressed that the backdoor "allows us to launch new attacks to dump and clone these cards, even if all their keys are properly diversified." Independent reviewers, including the engineering team at Keysight, confirmed the findings and warned that organizations should begin migrating to genuinely secure card technology. The disclosure follows the discovery, earlier in the same period, of security holes in Dormakaba's Saflok electronic RFID locks.