Hijacking Smart Cards Over the Internet

Some researchers have come up with malware that lets them hijack smartcards over the Internet. It installs a driver that lets the attacker see the USB smart card reader as if it were locally installed on his machine. There’s also a keylogger to capture any PINs for the smartcard.

It only works if the user has their smart card inserted, so it’s not fully duplicating the biggest mystery of the DigiNotar hack. If you remember, the hackers there apparently bypassed the smartcard protection on the hardware security modules to get their certificates signed.

In other news, I recently started using Windows (!) for certain things. Having used exclusively Unix-based systems for the last 7 years (excepting Internet cafes), holy hell. For all the work they’ve put into it, it’s the same mess it ever was… did anyone over at Microsoft ever think it might be a good idea to design software before they started writing it?

(Linux feels far more coherent as a system — yet it’s far more anarchic in its background.)

Not really worth linking to on its own, but this kind of architectural salad has serious security consequences. I would have loved to get ahold of this vulnerability (http://www.scmagazine.com.au/News/322651,usb-stick-sploit-makes-anyone-a-windows-admin.aspx ) back in high school or earlier… you mean the Internet in the computer lab’s supposed to be /filtered/?

This sort of thing was even ruled legal recently, which is neat.


“A team of researchers has created a proof-of-concept piece of malware that can give attackers control of USB smart card readers attached to an infected Windows computer over the Internet.

The malware installs a special driver on the infected computer which allows for the USB devices connected to it to be shared over the Internet with the attacker’s computer.

In the case of USB smart card readers, the attacker can use the middleware software provided by the smart card manufacturer to perform operations with the victim’s card as if it was attached to his own computer, said Paul Rascagneres, an IT security consultant at Luxembourg-based security auditing and consulting firm Itrust Consulting, on Thursday. Rascagneres is also the founder and leader of a malware analysis and engineering project called malware.lu, whose team designed this USB sharing malware.

There are already documented cases of malware that hijacks smart card devices on the local computer and uses them through the API (application programming interface) provided by the manufacturer.

However, the proof-of-concept malware developed by the malware.lu team takes this attack even further and shares the USB device over TCP/IP in “raw” form, Rascagneres said. Another driver installed on the attacker’s computer makes it appear as if the device is attached locally.[…]

Rascagneres and the malware.lu team tested their malware prototype with the national electronic identity card (eID) used in Belgium and some smart cards used by Belgian banks. The Belgian eID allows citizens to file their taxes online, sign digital documents, make complaints to the police and more.

However, in theory the malware’s USB device sharing functionality should work with any type of smart card and USB smart card reader, the researcher said.

In most cases, smart cards are used together with PINs or passwords. The malware prototype designed by the malware.lu team has a keylogger component to steal those credentials when the users input them through their keyboards.

However, if the smart card reader includes a physical keypad for entering the PIN, then this type of attack won’t work, Rascagneres said.

The drivers created by the researchers are not digitally signed with a valid certificate so they can’t be installed on versions of Windows that require installed drivers to be signed, like 64-bit versions of Windows 7. However, a real attacker could sign the drivers with stolen certificates before distributing such malware.

In addition, malware like TDL4 is known to be able to disable the driver signing policy on 64-bit versions of Windows 7 by using a boot-stage rootkit — bootkit — component that runs before the operating system is loaded.

The attack is almost completely transparent to the user, since it won’t prevent them from using their smart card as usual, Rascagneres said. The only giveaway might be the blinking activity led on the smart card reader when the card is accessed by the attacker, he said.”


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: