"Should we buy a Chinese knockoff of MIFARE Classic" strikes me as a self-answering question, but I guess that's why I still haven't been promoted to CISO.
The end users of such cards are often not aware of the source; there are usually resellers that supply them who are always trying to save a buck here or there.
We have customers who use smartcards, and we often need to read or write to them. During on-boarding they often have no clue what version or spec they are using, and it often results in trial-and-error after they send us a few cards with little-to-no markings on them.
Possibly so. It just means that based on the report's findings, even if you'd decided to play it safe and buy exclusively from NXP directly (the creators of this ecosystem and owners of the MIFARE trademark), it looks like you could still end up with backdoored hardware.
Sorry if I was being unclear with my compound snark, but using a MIFARE Classic of any provenance would be a firing offense for the CISO of my daydream company.
Indeed. Alas (or fortunately, depending which colour team you work on), the fully broken MIFARE Classic is still all over the place, and likewise the "hardened" variant broken in this paper :(
MIFARE DESFire is an option. At a general public reseller, I found 100 DESFire cards sold for 146€ (tax excluded), while 100 of the equivalent versions as MIFARE Classic are sold for 109€ (tax excluded). This is a difference of 37 cents per card; MIFARE Classic cards are about 25% less expensive than MIFARE DESFire. I guess the difference increases with the quantity you buy at once.
Maybe for greenfield deployment… but there’s all the existing infrastructure to support.
I still see classic being installed for door/gate systems in American apartments that are under active construction in 2024. Presumably that’s because resellers either don’t know better or they just have a massive inventory.
I still see new apartment buildings with Sentex or Linear call boxes with the factory master passwords. I don't think these guys are crack security experts.
They found the exact same backdoor key present on old NXP and Infineon cards produced as early as 1996. See p.11:
> But, quite surprisingly, some other cards, aside from the Fudan ones, accept the same backdoor authentication commands using the same key as for the FM11RF08!
> ...
> - Infineon SLE66R35 possibly produced at least during a period 1996-2013;
> - NXP MF1ICS5003 produced at least between 1998 and 2000 ;
> - NXP MF1ICS5004 produced at least in 2001.
> ...
> Additionally, what are we to make of the fact that old NXP and Infineon cards share the very same backdoor key?
I think it's more likely those NXP/Infineon parts are counterfeits. Look at A.12, there are early cards that don't NACK $F000 but claim to be NXP or Infineon, behavior counter to legit parts. It looks like the Chinese copies started to chameleon that behavior later as well.
You might get promoted to CISO if you can come up with a creative way to quantify the risk. Risk management frameworks can communicate how the impact, likelihood, and possible responses would play out in dollar amounts. With a few proposed ideas for how different risk mitigations would affect the resulting residual risk, non-technical people may be able to adopt your vision for securing the enterprise.
Yes, it also means doing basic things like saying "security is important", "vulnerabilities are bad", and "supply chain risk should be addressed", etc. The more informed you are, the more of a pain this is, at least in my experience (disclaimer: I'm not a CISO).
That’s not how CISOs get promoted. If a CISO presented it this way, the very obvious next question is “and how much will it cost us to fix” followed by “and how much will insurance cover,” which are both going to blow the reputational damage argument out of the water.
CISOs get promoted by being willing to focus on compliance over security, so that they can cover the company if and when it inevitably gets breached by saying they “followed best practices” (if that’s true).
All of this is because resolving a breach and giving everyone a year of identity theft protection is a lot less expensive, short-term, than actually investing in a real security practice, and companies in the US think in quarters, not years.
Europe is better about this because they tend to think many years ahead rather than focusing on short-term results.
The question is usually a bit more complex, such as "should we rip out thousands of readers and gates in our buildings, or can we maybe get away with switching to hardened cards using the same protocol for a few more years".
Not that I'd recommend it, but in most companies, physical security doesn't have a limitless budget just like everything else.