Major Backdoor In Millions of RFID Cards Allows Instant Cloning (securityweek.com)
SecurityWeek reports:
A significant backdoor in millions of contactless cards made by China-based Shanghai Fudan Microelectronics Group allows instantaneous cloning of RFID smart cards used to open office doors and hotel rooms around the world.
French security services firm Quarkslab has made an eye-popping discovery... Although the backdoor requires just a few minutes of physical proximity to an affected card to conduct an attack, an attacker in a position to carry out a supply chain attack could execute such attacks instantaneously at scale, researcher Philippe Teuwen explained in a paper.
Thanks to Slashdot reader wiredmikey for sharing the article.
Is this somehow different from this? (Score:2)
https://www.pcmag.com/news/sec... [pcmag.com]
Because this sort of feels like a dupe from this event that was disclosed back in March and has been known about by the company since Defcon 23' people told the company at hand.
Re: (Score:3)
It probably is. MiFare is an older technology, mostly in use because the cards are so cheap to make they're pretty much disposable. That's why they're used for hotel locks and the like. Even if it's not, MiFare is past its prime but isn't going away soon. There are a lot of hacks on MiFare cards, which pretty much guarantees that there are more to be found. It's going to be very expensive to replace millions of door locks worldwide, I can see customers resisting updating to newer technologies tooth and
The next million dollar idea (Score:2)
Wallets lined with copper mesh.
Re: (Score:2)
Re: (Score:3)
You can get a 5pk of conductive-coated mylar sleeves for like $4, just slip your credit card or RFID card in there when not in use. The sleeves don't increase the size of the card so they still fit fine in your wallet.
I've been using one of my card's near-field for checkout for years, and one of my other cards recently went to a chip, so I was having problems with the two battling to see who got the purchase when I waved my wallet. I put the other card in a sleeve and no more problems with it trying to st
Re: (Score:2)
Wallets lined with copper mesh.
Any decent wallet already has RF blocking as a feature. Only very cheap, or "designer" wallets don't. Example 1, [fossil.com] Example 2, [carhartt.com] Example 3 [walmart.com]
Little dirty secret (Score:2)
Re: (Score:2)
For hotels, a serial number that's only valid on a particular door for a few days is fine if it's 2 or more digits.
Is a thief really going to sit outside a hotel room and maybe have to try 100 different combos hoping to get the door open before someone notices?
If the contents of your room are important enough to get at, they're going to steal a card from a staff member who has access to all the rooms anyway.
What you're really looking for is to stop someone from accidentally entering your room, or to kee
Re: (Score:2)
For hotels, a serial number that's only valid on a particular door for a few days is fine if it's 2 or more digits.
Hell no! And for exactly this cloning reason! If it's just using the serial number, then that can easily be cloned. The card will broadcast that whenever it gets power. Sitting in the hotel bar, someone need only sit next to you or walk behind you to read it - it's probably still in the little cardboard holder in your pocket. Skim a bunch of people in the bar, then walk the hallway, or follow someone back to/from their room.
There's no good reason not to do it the right way, and that would prevent such triv
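To make the difference concrete, here is an added simulation (not from the thread, nor any vendor's code) contrasting a door that accepts a static serial number with one that runs an HMAC challenge-response against a per-card diversified key; the master key, UID, class names and door functions are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; nothing here is a real hotel key or card.
MASTER_KEY = b"constructed-master-key-not-for-real-use"

def diversify(master, uid):
    """Per-card key derived from the site master key; only this lands on the card."""
    return hmac.new(master, uid, hashlib.sha256).digest()

class StaticUidCard:
    """Card whose only 'credential' is its serial number, sent on every read."""
    def __init__(self, uid):
        self.uid = uid
    def respond(self, challenge=None):
        return self.uid

class ChallengeResponseCard:
    """Card holding a secret key; it answers a fresh reader nonce with an HMAC."""
    def __init__(self, uid, key):
        self.uid, self.key = uid, key
    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class ReplayDevice:
    """Models a clone built from one skimmed exchange: it can only repeat bytes."""
    def __init__(self, observed):
        self.observed = observed
    def respond(self, challenge=None):
        return self.observed

def door_static(card, valid_uid):
    """Serial-number door: opens if the presented bytes equal the valid UID."""
    return hmac.compare_digest(card.respond(), valid_uid)

def door_challenge(card, valid_uid, master):
    """Challenge-response door: sends a fresh nonce, checks the keyed answer."""
    nonce = secrets.token_bytes(16)
    expected = hmac.new(diversify(master, valid_uid), nonce, hashlib.sha256).digest()
    return hmac.compare_digest(card.respond(nonce), expected)

def demo(uid=b"\x04\x11\x22\x33"):
    """Returns (static door opens for replay, CR door opens for genuine card,
    CR door opens for replay)."""
    replay = ReplayDevice(StaticUidCard(uid).respond())        # one read in the bar
    static_replay_opens = door_static(replay, uid)             # True: the UID is the key
    cr_card = ChallengeResponseCard(uid, diversify(MASTER_KEY, uid))
    replay2 = ReplayDevice(cr_card.respond(secrets.token_bytes(16)))  # skimmed once
    genuine_opens = door_challenge(cr_card, uid, MASTER_KEY)    # True
    cr_replay_opens = door_challenge(replay2, uid, MASTER_KEY)  # False: nonce differs
    return static_replay_opens, genuine_opens, cr_replay_opens
```

The door-side policy of "valid on this door for a few days" is unchanged in either design; what changes is whether a single passive read is enough to reproduce the credential.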
Re: (Score:2)
That would be why I put it in my wallet before I even walk away from the front desk.
Re: (Score:2)
Does it broadcast which room the key is for?
No surprise (Score:2)
Re: No surprise (Score:2)
Lawl inorite? Good thing the freest most democraciest country in the entire universe never ever did such a thing.
https://en.m.wikipedia.org/wik... [wikipedia.org]
Just that one time. NEVER EVER again. Promise!
IP Theft Smoking Gun? (Score:5, Interesting)
It's a great paper but what I found most interesting beyond the CS is that they found a backdoor of the 'NXP Compatible' Fudan card by fuzzing but then when they went back and tested some very old NXP cards they found the very same backdoor at the very same fake opcode address that functions exactly the same way.
I'm calling BS on the idea that this is possibly a coincidence.
The researchers point out which fabs made the NXP cards. I suspect they suspect somebody at a fab leaked the design.
There's more to come on this story.
Re:IP Theft Smoking Gun? (Score:5, Interesting)
...they found a backdoor of the 'NXP Compatible' Fudan card by fuzzing but then when they went back and tested some very old NXP cards they found the very same backdoor at the very same fake opcode address that functions exactly the same way.
This bit is almost more interesting than the disclosure of the backdoor in general. Never mind how the Chinese got the backdoored design, that's what they do... but why is NXP putting backdoors in their products? And what's up with the Infineon cards having the same backdoor, but in earlier dated production runs? Where did it in fact originate? NXP is likely going to be pretty mum about the situation, and probably try to sue anyone who asks questions.
For the TL;DR crowd: The Chinese cards discussed here were essentially impossible to crack without having access to a reader, until this research was released. Given these findings, it's possible to crack most of them with a few minutes of access to the card. The "genuine" NXP cards were (and still are) crackable in seconds, because of bad design that was improved in the knockoffs. And Chinese improvements or no, Mifare Classic in general is trivially cracked, nearly instantly, if you have the ability to present a card to a legit reader and sniff the authentication. So while this is impressive research, it's not really a seismic shift in the threat landscape.
Re: (Score:2)
The backdoor could be for factory use, for testing the cards during manufacturing. It could be for debug. It could also be at the request of security services who want to enter people's hotel rooms.
Instantaneous, or a few minutes? (Score:2)
The difference is significant, if you're trying to compromise cards "at scale."
Re: (Score:2)
Re: (Score:2)
Right. The difference matters, because if it's instantaneous, then someone could potentially clone your card just by walking past you. But if it takes a few minutes, then they'd have to take your card physically and remove it from your possession for a while. I have visions in my head from crime shows, picturing an investigator sneaking into the boss's office while he stepped out, trying to clone the card, hearing footsteps coming down the hall, only to disappear in the nick of time when the boss walks back
Another silly scare (Score:2)