MIFARE Classic: exposing the static encrypted nonce variant… and a few hardware backdoors


We studied the most secure static encrypted nonce variant of “MIFARE Classic compatible” cards — meant to resist all known card-only attacks — and developed new attacks defeating it, uncovering a hardware backdoor in the process. And that’s only the beginning…

Introduction

MIFARE Classic contactless cards, developed and licensed by NXP Semiconductors[1], are widely used but have been subjected to numerous attacks over the years. Despite the introduction of new versions, these cards have remained vulnerable, even in card-only scenarios, i.e. attacks on the card alone, without access to the corresponding reader.

In 2020, the FM11RF08S, a new variant of MIFARE Classic, was released by Shanghai Fudan Microelectronics, the leading Chinese manufacturer of unlicensed “MIFARE compatible” chips. This variant features specific countermeasures designed to thwart all known card-only attacks and is gradually gaining market share worldwide.

We published a paper presenting several attacks and unexpected findings regarding the FM11RF08S.

The full paper and annexes of our security analysis can be found on the ePrint website.

Findings

  • We found the first attack capable of cracking FM11RF08S sector keys in a couple of minutes in the specific case of keys being reused across at least three sectors or three cards.
  • Through quick fuzzing, we discovered a hardware backdoor that allows authentication with an unknown key.
  • We cracked the secret key with our new attack and found it to be common to all existing FM11RF08S cards!
  • We designed several other attacks leveraging the backdoor to crack all the keys of any card in a few minutes, without the need to know any initial key (besides the backdoor one).
  • The optimized versions of these attacks required a successful partial reverse-engineering of the internal nonce generation mechanism of these cards in black-box mode.
  • We demonstrated how these attacks could be executed instantaneously by an entity in a position to carry out a supply chain attack.
  • We then found a similar backdoor in the previous generation, the FM11RF08, protected with another key.
  • We cracked this second key and discovered that the key is common to all FM11RF08 cards, as well as other Fudan references (FM11RF32, FM1208-10, and probably more), and even old cards from NXP[1] (MF1ICS5003 & MF1ICS5004) and Infineon (SLE66R35)!
  • Finally, we described how existing attacks can be adapted to leverage this second backdoor key to accelerate them.

Conclusion

The FM11RF08S backdoor enables any entity with knowledge of it to compromise all user-defined keys on these cards, even when fully diversified, simply by accessing the card for a few minutes.

Therefore, we considered it important to share this information and alert potential users of the risks.

Consumers should swiftly check their infrastructure and assess the risks. Many are probably unaware that the MIFARE Classic cards they obtained from their supplier are actually Fudan FM11RF08 or FM11RF08S, as these two chip references are not limited to the Chinese market. For example, we found these cards in numerous hotels across the US, Europe, and India.
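The findings above state that the first (non-backdoor) attack needs the same sector key to be reused across at least three sectors or three cards, and the conclusion asks operators to assess their own deployments. The following audit script is an added example written for this page; it is not code from the paper, from Quarkslab or from Proxmark3. It assumes the operator already holds the key material for their own cards (taken from the issuance system, not recovered from cards) and simply reports which keys meet that reuse precondition. The card identifiers and key values in SAMPLE_CARDS are constructed for the example and are not keys from the paper or from any real card.

```python
import re
from collections import defaultdict

# Constructed sample input: the sector keys a deployment already holds for
# three of its own cards (48-bit MIFARE Classic keys as 12 hex characters,
# one (key A, key B) pair per sector). These values are invented for this
# example; they are not keys from the paper or from any real card.
SAMPLE_CARDS = {
    "card-0001": {
        0: ("A0A1A2A3A4A5", "B0B1B2B3B4B5"),
        1: ("112233445566", "B0B1B2B3B4B5"),
        2: ("778899AABBCC", "B0B1B2B3B4B5"),
        3: ("DDEEFF001122", "334455667788"),
    },
    "card-0002": {
        0: ("A0A1A2A3A4A5", "99AABBCCDDEE"),
        1: ("0F1E2D3C4B5A", "ABCDEF012345"),
        2: ("13579BDF2468", "FEDCBA987654"),
        3: ("0123456789AB", "334455667788"),
    },
    "card-0003": {
        0: ("A0A1A2A3A4A5", "5A5B5C5D5E5F"),
        1: ("C0FFEE000001", "C0FFEE000002"),
        2: ("C0FFEE000003", "C0FFEE000004"),
        3: ("C0FFEE000005", "C0FFEE000006"),
    },
}

_KEY_RE = re.compile(r"^[0-9A-F]{12}$")


def normalise_key(key):
    """Upper-case a key and reject anything that is not 6 bytes of hex."""
    key = key.strip().upper()
    if not _KEY_RE.match(key):
        raise ValueError(f"not a 48-bit MIFARE Classic key: {key!r}")
    return key


def key_usage(cards):
    """Map each distinct key to the set of (card, sector, slot) places it is used."""
    usage = defaultdict(set)
    for card_id, sectors in cards.items():
        for sector, (key_a, key_b) in sectors.items():
            usage[normalise_key(key_a)].add((card_id, sector, "A"))
            usage[normalise_key(key_b)].add((card_id, sector, "B"))
    return usage


def reused_keys(cards, threshold=3):
    """Return the keys that meet the reuse precondition stated in the paper:
    the same key on at least `threshold` sectors of one card, or on at least
    `threshold` different cards. Each hit carries the counts that triggered it."""
    findings = {}
    for key, uses in key_usage(cards).items():
        card_ids = {card for card, _, _ in uses}
        sectors_per_card = defaultdict(set)
        for card, sector, _ in uses:
            sectors_per_card[card].add(sector)
        widest = max(len(s) for s in sectors_per_card.values())
        if len(card_ids) >= threshold or widest >= threshold:
            findings[key] = {
                "cards": len(card_ids),
                "max_sectors_on_one_card": widest,
            }
    return findings


if __name__ == "__main__":
    for key, hit in reused_keys(SAMPLE_CARDS).items():
        print(f"{key}: used on {hit['cards']} card(s), "
              f"up to {hit['max_sectors_on_one_card']} sector(s) on one card")
```

On the sample data the script flags B0B1B2B3B4B5 (three sectors of one card) and A0A1A2A3A4A5 (sector 0 of three cards), while 334455667788 (two cards only) is not reported. A clean report only removes the precondition for the first attack; as the conclusion says, the backdoor attacks recover every key regardless of diversification, so the audit is a risk indicator, not a fix.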

Nevertheless, it is important to remember that the MIFARE Classic protocol is intrinsically broken, regardless of the card. It will always be possible to recover the keys if an attacker has access to the corresponding reader. There are many more robust alternatives on the market (but we cannot guarantee the absence of hardware backdoors…).

The various tools and attacks developed in the context of this paper have now been merged into the Proxmark3 source code. At this stage, a few technical questions remain unanswered, and some of them might lead to even faster attacks. We have grouped these questions at the end of the annexes and hope they will inspire additional research within the community.

You can get the full paper and annexes here (pdf).


  1. Formerly known as Philips Semiconductors.

Originally published on Quarkslab's blog: MIFARE Classic: exposing the static encrypted nonce variant… and a few hardware backdoors

Posted by admin on 21 August 2024 at 10:16 PM.
