Hotel room key cards everywhere could be at risk from RFID security flaw

Security researchers find flawed contactless cards dating back to late 2007

Contactless cards used to open doors in hotels and offices around the world are flawed in a way that could allow any person to open practically any door, experts have warned.

Cybersecurity researchers from Quarkslab focused on FM11RF08S, a variant of the MIFARE Classic card that was released in 2020 by Shanghai Fudan Microelectronics, apparently the “leading Chinese manufacturer of unlicensed ‘MIFARE compatible’ chips.”

The report claims the FM11RF08S features countermeasures “designed to thwart all known card-only attacks”, but worryingly, use of the card is growing by the day.

Cracked in minutes

It reportedly took the researchers a “couple of minutes” to find an attack that cracks FM11RF08S sector keys - when the keys were reused across at least three sectors, or three cards.

Further analysis landed them a hardware backdoor that allows authentication with an unknown key, and when they cracked the card’s secret key, they found it to be “common to all existing FM11RF08S cards!”.

With the backdoor, the experts were able to design “several other” attacks, each of which was able to crack all the keys of any card in just a few minutes, without needing to know any initial keys (besides the backdoor one).

To add insult to injury, Quarkslab then shifted their attention to older models, and found a “similar backdoor” in the previous generation - FM11RF08 - which was protected with another key. After cracking the second key, they found it to be common to all FM11RF08 cards, as well as other Fudan references (FM11RF32, FM1208-10, and probably more), and even old cards from NXP (MF1ICS5003 & MF1ICS5004) and Infineon (SLE66R35), some of which date back to late 2007.

To conclude, the researchers warned users to check their infrastructure and assess the risks. “Many are probably unaware that the MIFARE Classic cards they obtained from their supplier are actually Fudan FM11RF08 or FM11RF08S, as these two chip references are not limited to the Chinese market. For example, we found these cards in numerous hotels across the US, Europe, and India,” they said.

Via The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.