The MIFARE Classic is one of the most widely used RFID smart cards in the world, primarily known for its role in access control systems and public transportation fare collection. At its core, the MIFARE Classic is a memory card where each block of memory can be configured with two keys: KeyA and KeyB. These keys are used to control read/write access to the memory blocks, providing a rudimentary level of security. However, the security of MIFARE Classic cards relies on the proprietary Crypto1 encryption algorithm, which has been found to be flawed. Researchers have demonstrated that Crypto1 can be cracked with relatively modest computational resources, depending on implementation variations between vendors and products.
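To make the KeyA/KeyB access model concrete, here is an added Python example (it is not code from the original post, from the paper, or from the Proxmark3 project) that decodes, audits and encodes the access bits of a MIFARE Classic sector trailer. It follows the public layout of the trailer block: bytes 0-5 hold KeyA, bytes 6-8 hold the access conditions for the sector's four blocks (each condition nibble stored once plain and once inverted), byte 9 is a general-purpose byte, and bytes 10-15 hold KeyB. The rule tables are transcribed from the MIFARE Classic 1K datasheet; the sample trailers, the key values 112233445566 and AABBCCDDEEFF, and the audit findings are constructed for this example. The keys FFFFFFFFFFFF and A0A1A2A3A4A5 are the well-known factory default and MIFARE Application Directory keys.

```python
"""Decode, audit and encode MIFARE Classic sector-trailer access conditions.

Added example, not code from the original post or the Proxmark3 project.
Byte layout and rule tables follow the public MIFARE Classic 1K datasheet;
the sample trailers and the 1122.../AABB... keys are constructed.
"""

# Data-block rules keyed by (C1, C2, C3):
#   (read, write, increment, decrement/transfer/restore)
DATA_BLOCK_RULES = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),      # transport configuration
    (0, 1, 0): ("A|B", "never", "never", "never"),
    (1, 0, 0): ("A|B", "B", "never", "never"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),          # value block
    (0, 0, 1): ("A|B", "never", "never", "A|B"),  # value block
    (0, 1, 1): ("B", "B", "never", "never"),
    (1, 0, 1): ("B", "never", "never", "never"),
    (1, 1, 1): ("never", "never", "never", "never"),
}

# Sector-trailer rules keyed by (C1, C2, C3):
#   (KeyA read, KeyA write, bits read, bits write, KeyB read, KeyB write)
TRAILER_RULES = {
    (0, 0, 0): ("never", "A", "A", "never", "A", "A"),
    (0, 1, 0): ("never", "never", "A", "never", "A", "never"),
    (1, 0, 0): ("never", "B", "A|B", "never", "never", "B"),
    (1, 1, 0): ("never", "never", "A|B", "never", "never", "never"),
    (0, 0, 1): ("never", "A", "A", "A", "A", "A"),   # transport configuration
    (0, 1, 1): ("never", "B", "A|B", "B", "never", "B"),
    (1, 0, 1): ("never", "never", "A|B", "B", "never", "never"),
    (1, 1, 1): ("never", "never", "A|B", "never", "never", "never"),
}

# Factory default key and the MIFARE Application Directory key.
WELL_KNOWN_KEYS = {bytes.fromhex("FFFFFFFFFFFF"), bytes.fromhex("A0A1A2A3A4A5")}


def decode_access_bits(b6: int, b7: int, b8: int) -> list:
    """Return [(C1, C2, C3)] for blocks 0..3 of the sector.

    Each Cx nibble is stored once plain and once inverted. The card blocks
    the sector irreversibly if a trailer with inconsistent copies is written,
    so this refuses inconsistent bytes instead of guessing.
    """
    c1, nc1 = (b7 >> 4) & 0xF, b6 & 0xF
    c2, nc2 = b8 & 0xF, (b6 >> 4) & 0xF
    c3, nc3 = (b8 >> 4) & 0xF, b7 & 0xF
    if (c1 ^ nc1, c2 ^ nc2, c3 ^ nc3) != (0xF, 0xF, 0xF):
        raise ValueError("access bits fail the inverted-copy consistency check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def encode_access_bits(conds: list) -> bytes:
    """Inverse of decode_access_bits: build bytes 6..8 from four (C1, C2, C3) tuples."""
    c1 = c2 = c3 = 0
    for i, (x, y, z) in enumerate(conds):
        c1 |= x << i
        c2 |= y << i
        c3 |= z << i
    return bytes([
        ((~c2 & 0xF) << 4) | (~c1 & 0xF),
        (c1 << 4) | (~c3 & 0xF),
        (c3 << 4) | c2,
    ])


def audit_trailer(trailer: bytes) -> tuple:
    """Decode a 16-byte trailer and return (conditions, list of findings)."""
    if len(trailer) != 16:
        raise ValueError("a sector trailer is exactly 16 bytes")
    key_a, bits, key_b = trailer[:6], trailer[6:9], trailer[10:16]
    conds = decode_access_bits(*bits)
    findings = []
    if bits == bytes.fromhex("FF0780"):
        findings.append("transport (factory) access conditions still in place")
    if TRAILER_RULES[conds[3]][4] != "never":
        findings.append("KeyB is readable with KeyA, so it adds no protection")
    for name, key in (("KeyA", key_a), ("KeyB", key_b)):
        if key in WELL_KNOWN_KEYS:
            findings.append(f"{name} is a well-known default key")
    for blk in range(3):
        if DATA_BLOCK_RULES[conds[blk]][1] == "A|B":
            findings.append(f"block {blk} is writable with KeyA (read and write share one key)")
    return conds, findings


# Constructed sample trailers (hex: KeyA | access bits | GPB | KeyB).
SAMPLE_TRANSPORT = bytes.fromhex("FFFFFFFFFFFF FF0780 69 FFFFFFFFFFFF")
SAMPLE_HARDENED = bytes.fromhex("112233445566 787788 69 AABBCCDDEEFF")

if __name__ == "__main__":
    for label, trailer in (("transport", SAMPLE_TRANSPORT), ("hardened", SAMPLE_HARDENED)):
        conds, findings = audit_trailer(trailer)
        print(label, conds, findings or "no findings")
```

The audit is meant for dumps or provisioning files in which the keys are known: KeyA is never readable from the card itself, so a raw dump shows zeros there unless the tool inserted the keys it used. The encoder is the safer way to produce a policy for deployment, because the card permanently blocks a sector whose trailer is written with inconsistent inverted bits; generate the three bytes programmatically and run them back through the decoder before writing.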
The Proxmark3 Community
The Proxmark3 is a versatile tool used by security researchers and hobbyists to analyze and manipulate RFID cards, including the MIFARE Classic. The community around the Proxmark3 has been instrumental in uncovering subtle implementation differences across different card types and vendors. Through meticulous testing and fuzzing, they have identified new weaknesses and vulnerabilities that build upon the original Crypto1 flaws. The Proxmark3 community has also been at the forefront of documenting these findings, sharing knowledge, and pushing the boundaries of what is possible in RFID security research.
A New Backdoor Discovered
A recent paper titled “MIFARE Classic: exposing the static encrypted nonce variant” (https://eprint.iacr.org/2024/1275) by Philippe Teuwen from Quarkslab has revealed a new backdoor in various MIFARE Classic cards: Shanghai Fudan Microelectronics FM11RF08S, FM11RF08, FM11RF32, FM1208-10, as well as NXP MF1ICS5003/MF1ICS5004 and Infineon SLE66R35 cards. Some of these vulnerabilities date back to at least 1998.
The paper details the journey of the researcher and the Proxmark3 community from first identifying the Shanghai Fudan Microelectronics FM11RF08S card to finding the backdoor. The FM11RF08S appeared to be immune to the known weaknesses of the MIFARE Classic. While investigating new weaknesses, the card was fuzzed for available commands, and a single bit in the command field was found that switches from KeyA/KeyB authentication to a backdoor key.
This backdoor allows for the reading of any memory contents without the need for the standard authentication keys. The backdoor key itself could be brute-forced in just two minutes, making the entire card’s data contents accessible. Combining this with other weaknesses, researchers were able to recover all contents, including any KeyA and KeyB keys, within an hour. Additionally, they described a potential supply chain attack where 36 bytes of information captured during manufacturing could later be used to instantly access the card in the field without knowing the key.
Takeaways and Reflections
First and foremost, Crypto1 has been known to be vulnerable for over 15 years, so all products using it are built on an insecure foundation. For some applications, card security may not be critical, and a migration may not be needed. However, if the confidentiality and integrity of the card contents are critical to the overall security, this backdoor finding should (re)emphasize the need to migrate to more secure products.
The discovery of backdoor keys is a reminder that debug or backdoor functionality, often intended for development purposes, can sometimes be left in production systems. While Hanlon’s razor—“Never attribute to malice that which is adequately explained by stupidity”—suggests these are typically mistakes, the widespread presence of the same backdoor key across multiple vendors points to this being intentionally placed (though not necessarily with the knowledge of those vendors).
The fact that this backdoor has remained undiscovered for so long raises questions about the thoroughness of any security evaluations performed. While black-box testing can miss such vulnerabilities — the Proxmark3 and MIFARE Classic community did not find these issues for over 15 years — a more rigorous white-box review should have detected them. When deploying a security product, always ensure that the manufacturer’s claims have been independently verified.
In conclusion, the ongoing discoveries surrounding MIFARE Classic and its derivatives underscore the importance of rigorous security testing, both in development and production. As the RFID community continues to explore and uncover these vulnerabilities, it is clear that more attention must be paid to the potential long-term implications of seemingly minor oversights.