Paper 2024/1275
MIFARE Classic: exposing the static encrypted nonce variant
Abstract
MIFARE Classic smart cards, developed and licensed by NXP, are widely used but have been subjected to numerous attacks over the years. Despite the introduction of new versions, these cards have remained vulnerable, even in card-only scenarios. In 2020, the FM11RF08S, a new variant of MIFARE Classic, was released by the leading Chinese manufacturer of unlicensed "MIFARE compatible" chips. This variant features specific countermeasures designed to thwart all known card-only attacks and is gradually gaining market share worldwide. In this paper, we present several attacks and unexpected findings regarding the FM11RF08S. Through empirical research, we discovered a hardware backdoor and successfully cracked its key. This backdoor enables any entity with knowledge of it to compromise all user-defined keys on these cards without prior knowledge, simply by accessing the card for a few minutes. Additionally, our investigation into older cards uncovered another hardware backdoor key that was common to several manufacturers.
Note: Revision 1.3 additions: Backdoor in FM1216-137; New Section IX Another way to Recover Nested Nonces and new Annex A.7 detailing support for Section IX in the Proxmark3; Bibliography: more datasheets
Metadata
- Category: Attacks and cryptanalysis
- Publication info: Preprint.
- Keywords: MIFARE, backdoor, Proxmark3, Fudan
- Contact author(s): pteuwen @ quarkslab com
- History:
  - 2024-12-12: last of 3 revisions
  - 2024-08-12: received
- Short URL: https://ia.cr/2024/1275
- License: CC BY-SA
BibTeX
@misc{cryptoeprint:2024/1275,
  author = {Philippe Teuwen},
  title = {{MIFARE} Classic: exposing the static encrypted nonce variant},
  howpublished = {Cryptology {ePrint} Archive, Paper 2024/1275},
  year = {2024},
  url = {https://eprint.iacr.org/2024/1275}
}