Smart cards are mostly used as hardware-based authentication devices for signing into VPNs, corporate networks, banking and financial portals, and for signing documents digitally. Traditionally considered one of the more secure routes for ensuring remote access, the new proof of concept challenges that idea.
The malware was developed by a team of researchers at Luxembourg-based security auditing and consulting firm Itrust Consulting, headed up by security consultant Paul Rascagneres, who is scheduled to give a presentation on the malware at the upcoming MalCon 2012 event on Nov. 24.
Rascagneres told IDG how it works: the malware infects Windows machines with a special driver that makes USB devices visible to a remote attacker. The perpetrator is able to see the device as though it were local to his or her own machine, using it to gain corporate access. As a further tool, the Windows malware also installs a keylogger to capture the log-in credentials that a user needs in conjunction with the smart card.
Worst of all, the legitimate user would have no clue that the smart card or machine is compromised. The only tell-tale sign is an easily-missed blinking on the card when the hacker gains entry.
Rascagneres and his team tested the prototype using Belgium’s state-issued national electronic identity card (eID), which is used for a range of high-value activities like online tax filing and digital document signing, as well as a few banking smart cards. It worked like a dream.
There is a moat around the castle, though, in the form of physical input on the USB device itself. Some smart cards require physical manipulation in order to work, via an on-board lock or a manual keypad. Rascagneres said that this thwarts the malware’s remote visibility.
USB sticks have long been a malware target – either for spreading infections through shared thumb drives, or through infected machines reading the data stored on them and sending it back to attackers. This new prototype, however, takes USB security concerns to an entirely different level, by putting the device itself – in this case the smart card – under the control of the attackers.