A security researcher has developed a proof-of-concept malware capable of remotely accessing smart card readers on Windows machines.
The proof-of-concept installs a separate USB driver which allows attackers to share smart card readers over the Internet, The Register reported Tuesday. Attackers would theoretically be able to read information on any smartcards inside the reader even if they weren’t in front of the compromised Windows computer the reader is connected via USB, according to itrust Consulting, the team behind the project.
Paul Rascagneres, a security consultant at itrust Consulting is scheduled to demonstrate the proof-of-concept at the MalCon conference in New Delhi, India on Nov. 24. The demonstration would “showcase a new kind of malware” that would transmit the information stored on the smartcard inside the compromised reader directly to a command-and-control server, according to a description of the presentation posted on the MalCon Website.
“The attacker can use the smartcard as if it is directly connected to his machine!” according to the summary.
There have been instances of malware hijacking smart card devices, but this proof-of-concept extends the attack by making the compromised smart card reader available over TCP/IP, IDG News reported. From the attacker’s perspective, the smart card reader attached to the compromised computer appears as if it attached locally to the attacker’s computer.
The Sykipot Trojan is one such malware, and it successfully hijacked smart readers on United States Department of Defense computers earlier this year, according to AlienVault’s latest At-A-Glance report released on Monday. The Defense Department used smart cards to handle authentication for restricted resources, AlienVault said.
“Sykipot successfully and effectively hijacked DoD and Windows smart cards in early 2012. As long as the card remained in the smart card reader, the attacker was able to quietly gain access to unlimited resources on secure networks,” AlienVault wrote in the report.
Some banks use smartcards to protect customers using online banking and confirm transactions. Businesses may use smartcards to authenticate remote workers onto the network. Smartcards are generally used with PIN codes or passwords as part of a two-factor authentication scheme. The PIN or password would fit “what you know” and the smartcard would fill the “something you have” criteria. itrust Consulting bundled in a key-logger into the proof-of-concept in order to intercept the PIN, password or other login credentials that may be entered on that infected machine.
itrust Consulting tested the prototype with smart cards used by Belgian banks and the Belgian electronic identity card.
As the drivers used by the prototype malware are not digitally signed, defenders can block similar attempts by looking for properly signed code. That wouldn’t stop the bad guys from stealing digital certificates, though
The proof-of-concept at the moment appears to be software-specific and works on a smart card reader running the ActiveClient software from ActiveIdentity.
