{"id":273,"date":"2025-09-18T15:43:11","date_gmt":"2025-09-18T05:43:11","guid":{"rendered":"https:\/\/qld.cybersafebusiness.au\/index.php\/2025\/09\/18\/major-backdoor-in-millions-of-rfid-cards-allows-instant-cloning\/"},"modified":"2025-09-18T15:43:11","modified_gmt":"2025-09-18T05:43:11","slug":"major-backdoor-in-millions-of-rfid-cards-allows-instant-cloning","status":"publish","type":"post","link":"https:\/\/qld.cybersafebusiness.au\/index.php\/2025\/09\/18\/major-backdoor-in-millions-of-rfid-cards-allows-instant-cloning\/","title":{"rendered":"Major Backdoor in Millions of RFID Cards Allows Instant Cloning"},"content":{"rendered":"<p><b>Have you ever considered how secure your office or hotel key cards really are?<\/b><\/p>\n<p>Recent research by French security firm Quarkslab has uncovered a serious vulnerability that could impact millions of contactless cards worldwide. These cards, produced by Shanghai Fudan Microelectronics Group, contain a backdoor that allows hackers to clone them in mere minutes.<\/p>\n<p>This backdoor, discovered by Quarkslab researcher Philippe Teuwen, is found in RFID smart cards used in many places, from office buildings to hotel rooms. The worrying part? Hackers only need a few minutes of physical access to one of these cards to clone it. And if they can infiltrate the supply chain, they could clone cards on a massive scale almost instantly.<\/p>\n<p>Teuwen stumbled upon this issue while testing the security of the MIFARE Classic card family, a type of card used widely in public transport and the hospitality industry. These cards have been around since 1994 and have seen numerous security upgrades over the years. 
However, vulnerabilities that allow attacks without needing access to the card reader\u2014just the card itself\u2014remain a significant concern.<\/p>\n<p>In 2020, a new variant of these cards, known as FM11RF08S, was released by Shanghai Fudan Microelectronics. This version was supposed to be more secure, featuring protections against known attacks. But Teuwen discovered that this version still has weaknesses. Specifically, if certain keys are reused across different sectors or cards, they can be cracked in just a few minutes.<\/p>\n<p>Further investigation revealed a hardware backdoor that allows anyone who knows about it to bypass the card&#8217;s security, even if it has been customized with unique keys. Shockingly, the secret key that enables this backdoor is the same across all FM11RF08S cards. Teuwen also found a similar backdoor in the previous generation of these cards, and it turns out that other models from the same vendor, as well as some older cards from NXP Semiconductors and Infineon Technologies, share the same flaw.<\/p>\n<p>Quarkslab has issued a warning, urging businesses to check their systems and assess the risks. Many organizations may not even realize that the MIFARE Classic cards they\u2019re using are actually the vulnerable Fudan FM11RF08 or FM11RF08S models. These cards have been found in hotels across the U.S., Europe, and India.<\/p>\n<p>This discovery highlights the importance of regularly reviewing and updating your security systems. If you&#8217;re using contactless cards, it might be time to take a closer look at whether they&#8217;re as secure as you think.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Have you ever considered how secure your office or hotel key cards really are? 
Recent research by French security firm Quarkslab has uncovered a serious vulnerability that could impact millions [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":272,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[],"tags":[],"class_list":["post-273","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry"],"_links":{"self":[{"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/posts\/273","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/comments?post=273"}],"version-history":[{"count":0,"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/posts\/273\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/media\/272"}],"wp:attachment":[{"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/media?parent=273"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/categories?post=273"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qld.cybersafebusiness.au\/index.php\/wp-json\/wp\/v2\/tags?post=273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}