The Key to All Doors: How a Backdoor Was Found in the Most Reliable Access Cards

[Man]

You put your key card to the reader and the office door opens. But what if that pass could be hacked and copied by anyone?

In 2020, Shanghai Fudan Microelectronics released new FM11RF08S smart cards. The manufacturer claimed that they are fully protected from all known hacking methods. A group of researchers checked these claims and found a built-in backdoor that allows full access to the card data.

In this article, I will tell the fascinating story of how this backdoor was discovered and the disastrous consequences of its deployment. This case clearly demonstrates the risks of blindly trusting marketing claims about security and the importance of independent auditing of critical systems.

The Standard That Survived: The Phenomenon of MIFARE Classic Durability​

MIFARE Classic is a dinosaur of the contactless card world that somehow hasn't gone extinct yet. Every day, millions of people around the world use these cards to readers: open office doors, pay for subway rides, and get discounts on their favorite coffee.

Unfortunately, this standard has proven to be very unreliable. MIFARE Classic has been hacked so often that it has become a national sport among hackers. Remember our article about hacking Boston subway tickets? That's just the tip of the iceberg.

And the manufacturers? They took the path of least resistance. Instead of completely reworking the vulnerable architecture, they release “patches”, as if trying to patch holes in a sinking ship. All for the sake of backward compatibility with old equipment installed around the world.

(image source).

And in 2020, a large Chinese company, Shanghai Fudan Microelectronics, introduced another smart card based on MIFARE. The manufacturer called it invulnerable to existing hacking methods. Marketing materials were full of loud phrases: “improved protection”, “elimination of weaknesses in the algorithm”, “next-generation security features”. At the same time, the technical documentation for FM11RF08S only mentioned “improvements to the cryptographic protocol” - without a single specific detail.

The hacker community initially responded with the traditional "challenge accepted" and prepared for a quick victory. But something went wrong. Several years passed, and the new cards remained impregnable.

It looks like the developers really did a good job of fixing the bugs.

And then a team of researchers led by Philippe Thevin entered the scene. They decided to take on this challenge, not suspecting what amazing discoveries lay ahead.

Algorithm of the card operation​

To fully appreciate the discoveries of Thevin and his team, it is first necessary to discuss the early stages of the CRYPTO-1 protocol, which is responsible for authenticating MIFARE Classic cards.

1. The user places the card near the reader.
2. The reader sends an authorization command to the card, specifying two parameters: the target memory block and the key it will work with. Let's say it's KeyA.

The card memory is divided into blocks (sectors) - 16 or 40 depending on the model. Each block is protected by a pair of keys with different access rights. KeyA usually allows you to read information, such as the owner's ID, and KeyB allows you to change the data in the block.

1. The card responds to the reader's request by generating a four-byte pseudo-random number - Nonce (number used once).
2. The reader combines the Nonce with a pre-known key. In our case, it is KeyA. This combination is passed through the CRYPTO-1 cipher. The resulting encrypted value is sent back to the card.
3. The card simultaneously performs the same calculations using its copy of the key and the generated Nonce. If the card's calculations match the reader's response, authentication is successful. The system then generates a key stream for subsequent data encryption.

All further communication is encrypted. To access the new block of the card, the process of embedded authentication is launched: the reader encrypts the corresponding command, and the card encrypts the new Nonce with the key from the new block. Remember this moment - it will be the key in our story.

First Findings: Features of CRYPTO-1 Implementation in FM11RF08S​

A research team led by Thevin began studying the differences between the implementations of the CRYPTO-1 algorithm in the new version of the card and the original MIFARE Classic.

The new card used static Nonce values for nested authentication, meaning that the numbers that should be random were unchangeable. In comparison, the original MIFARE Classic cards had dynamically generated Nonce values using a Linear Feedback Shift Register (LFSR).

Experienced hackers knew that if you hold the card to the reader long enough and try to log in over and over again, the generated values become predictable.

More than 500 Nonces are concentrated in a very small number of consecutive LFSR outputs out of a potential 216 − 1 (image source)

This feature of Nonce values in MIFARE Classic makes it possible to carry out so-called Nested attacks.

The FM11RF08S developers took a different approach. When the card first encountered the reader, everything followed the classic scenario. But then the most interesting thing began: with embedded authentication, the card issued the same Nonce for each memory block. Additional research showed that this value depends on three parameters: the sector number, the card UID, and the value of the access key. Thus, each FM11RF08S card contained an individual set of constant Nonces tied to a specific combination of keys and sectors.

Partial output of the Proxmark3 hf mf info command for such a card. The protection is called static encrypted Nonces (image source).

At first glance, the idea seemed good. The classic Nested attack really didn't work - after all, the attacker couldn't predict the next Nonce value, no matter how much time he spent watching the card. But, as often happens in the world of security, by closing one door, the developers accidentally left a window open...

When using one access key to authenticate in two different blocks in nested authentication, the card issues different Nonces but encrypts them with the same key. An attacker can collect several pairs of such encrypted values and restore the original key without a full search. The researchers called this hacking method a Reused Keys Nested Attack.

Imagine that there is an unknown key KeyX, which is used in several blocks of the card. To pick it, it is enough to have access to just one "legal" key in any other sector of the card:

1. You perform the first authentication using a known key, thus establishing an encrypted connection with the card.
2. You perform nested authentication in those blocks where KeyX is supposedly used, and save each encrypted Nonce that the card issues.
3. You go through all possible key values. For each Nonce you collect, you get hundreds of keys that could theoretically encrypt it.
4. Compare the resulting sets of potential keys for Nonce of different sectors. You need to find the key that is present in each set: voila, this is the desired KeyX.

The advantage of this attack is its speed: the computer tries the keys "offline" without accessing the card. However, two important conditions must be met for the attack to be successful. First, you must have at least one working access key - a kind of pass to the system. Second, somewhere on the card the same keys must be used for different sectors.

Even if these conditions are met, it does not guarantee a successful hack: it will only be possible to find out the repeating keys - the rest will remain safe. It would seem that this is not the most practical hacking method, but this is not all that Philippe Thevin's team found.

Suspicious key​

The researchers used fuzzing, sending non-standard commands and distorted byte sequences to the card and observing the card's reaction.

The main tool of the researchers was Proxmark3, a specialized gadget for analyzing RFID and contactless smart cards. This is an open project based on the Xilinx Spartan-II FPGA and the AT91SAM7S256 ARM controller.

In theory, the card should be quite selective in its communications. At the authentication stage, it should respond only to three commands: authentication with keyA (code 60**), authentication with keyB (code 61**), and the HLTA stop command (code 5000). But Philippe Thevin's team discovered a deviation from the protocol: the card sent a Nonce in response to any command in the 6*00 series, from code 6000 to 6f00, regardless of the block.

Intrigued by this behavior, the researchers decided to dig deeper. They took a card with known keys, set up different keys keyA and keyB, and began methodically checking all the variations of the 6*00 commands. It turned out that the commands could be divided into 4 groups based on the card's behavior:

• Group 1: 6000, 6200, 6800, 6a00 → gives Nonce 4e506c9c (authentication successful);
• Group 2: 6100, 6300, 6900, 6b00 → yields Nonce 7bfc7a5b (authentication successful);
• Group 3: 6400, 6600, 6c00, 6e00 → gives Nonce 65aaa443 (authentication failed);
• Group 4: 6500, 6700, 6d00, 6f00 → gives Nonce 55062952 (authentication failed).

When they changed keyA, the Nonces for groups 1 and 3 changed. They made keyA and keyB the same, and got two different Nonces instead of four: one Nonce for groups 1 and 2 with successful authentication, and another for groups 3 and 4. It seems that for the last two groups of commands, the card expected to get some other key, keyC…

Key selection​

And then it clicked in the researchers' heads: "What if this mysterious keyC is used in all the blocks of the card?" And if so, then... Bingo! The already familiar key reuse attack can be applied to it. The algorithm is simple:

1. Perform initial authentication using keyA.
2. Make multiple nested authentications using anomalous commands in other memory sections and save the resulting Nonces.
3. Compute all possible key values for each collected Nonce.
4. Compare the resulting sets of values and select the key that occurs in each of them.

The Python script completed the task in less than two minutes and successfully calculated the required key:

KeyC turned out to be more than just a key - it was a universal master key and allowed authentication regardless of the values of keyA and keyB. With its help, an attacker could read any user data blocks, even if the access rights forbid reading them with ordinary keys.

But the researchers only broke out in a cold sweat when they tested this key on other FM11RF08S cards. The key worked on all cards regardless of the batch and release date.

It wasn't a bug. It wasn't an error. It wasn't an accident. It was a real backdoor - an undocumented mechanism that provided privileged access to the card, bypassing standard security measures. The very existence of such a key was a serious blow to the protection of the FM11RF08S and to all the security systems that rely on these cards, but that was only the beginning.

How to crack a backdoor​

The discovered backdoor gave access to service memory sections where the keys keyA and keyB are stored, but the key values were masked. For most hackers, this would have been a signal to stop - the goal was achieved, the backdoor was found, a report could be written. But Thevin's team went further.

They set a new goal: to find a way to pick these keys. Success would mean the ability to clone and emulate any FM11RF08S card without any obstacles.

They developed the following algorithm:

1. Authenticated in the block using the master key keyC.
2. The card sent the Nonce in clear text, which the researchers saved.
3. The reader encrypted the Nonce with the backdoor key and gave it to the card. The card validated the value and established an encrypted communication channel.
4. Now the researchers initiated nested authentication in the same sector with keyA.
5. The card sent the same static Nonce, but encrypted with keyA.

The final act of this drama turned out to be purely mathematical. The researchers used the XOR operation between the public and encrypted Nonce to calculate the key stream. Then, using a modified version of the static nested attack, they learned to recover the value of keyA. The process required trying tens of thousands of options, but on a modern computer it took only 3-4 minutes.

And then the real optimization began. Using various statistical tricks, the team brought the process to perfection:

• 32 random keys? 17 minutes please.
• 16 keys, where keyA = keyB? Half an hour maximum.
• And if you're lucky enough to find a card with 24 keys, 8 of which are repeated? 40 seconds, and you're done!

The final verdict was like a death sentence: the backdoor built into the device by the manufacturer not only breached the security, it turned it into a house of cards. Imagine a bank vault, where each cell has its own unique code, and somewhere in the wall there is a secret button that opens all the cells at once. This is exactly what the manufacturer did with the FM11RF08S. Knowing the master key, an intruder could completely copy any card.

Disappointing conclusions​

The story of FM11RF08S will probably go down in textbooks as a classic example of how not to make security systems. The discovered backdoor turned the "most secure implementation of MIFARE Classic" into a sieve, putting millions of devices around the world at risk. Including those at important facilities: airports, power plants and industrial enterprises.

How to eliminate the risk? Alas, there is only one solution, and it is like extracting a bad tooth - a complete refusal to use compromised cards. And their number... well, let's just say that the count is in the millions.

Shortly after the first FM11RF08S hack, an identical backdoor with the same master key was found in older Shanghai Fudan Microelectronics cards (FM11RF08 and FM11RF32), as well as in products from other manufacturers - NXP Semiconductors before 2009 and Infineon before 2013.

This suggests that the backdoor was deliberately introduced into production many years ago. Maybe to simplify debugging? Or were there some agreements with government agencies? Or... we can only guess. But the fact remains: security systems around the world have been using cards with a built-in vulnerability for years.

There are three important lessons to learn from this story. First, reputation is no guarantee of security. Second, the principle of “security through obscurity” in cryptography is untenable. Keeping algorithms secret only creates the illusion of protection — the only reliable solution is to use open algorithms verified by the expert community. Third, trust, but verify. Independent auditing and penetration testing are not an unnecessary expense, but a vital necessity.

P.S. The article is based on the original research of Philippe Thevin MIFARE Classic: exposing the static encrypted Nonce variant and a number of open publications.

Source