Proof-of-concept malware can share USB smart card readers with attackers over Internet

The malware uses a special driver to share local USB devices over TCP/IP with the attacker's computer, researchers say

A team of researchers have created a proof-of-concept piece of malware that can give attackers control of USB smart card readers attached to an infected Windows computer over the Internet.

The malware installs a special driver on the infected computer which allows for the USB devices connected to it to be shared over the Internet with the attacker's computer.

In the case of USB smart card readers, the attacker can use the middleware software provided by the smart card manufacturer to perform operations with the victim's card as if it was attached to his own computer, said Paul Rascagneres, an IT security consultant at Luxembourg-based security auditing and consulting firm Itrust Consulting, on Thursday. Rascagneres is also the founder and leader of a malware analysis and engineering project called malware.lu, whose team designed this USB sharing malware.

There are already documented cases of malware that hijacks smart card devices on the local computer and uses them through the API (application programming interface) provided by the manufacturer.

However, the proof-of-concept malware developed by the malware.lu team takes this attack even further and shares the USB device over TCP/IP in "raw" form, Rascagneres said. Another driver installed on the attacker's computer makes it appear as if the device is attached locally.

Rascagneres is scheduled to showcase how the attack works at the MalCon security conference in New Delhi, India, on Nov. 24.

Smart cards are used for a variety of purposes, but most commonly for authentication and signing documents digitally. Some banks provide their customers with smart cards and readers for secure authentication with their online banking systems. Some companies use smart cards to remotely authenticate employees on their corporate networks. Also, some countries have introduced electronic identity cards that can be used by citizens to authenticate and perform various operations on government websites.

Rascagneres and the malware.lu team tested their malware prototype with the national electronic identity card (eID) used in Belgium and some smart cards used by Belgian banks. The Belgian eID allows citizens to file their taxes online, sign digital documents, make complaints to the police and more.

However, in theory the malware's USB device sharing functionality should work with any type of smart card and USB smart card reader, the researcher said.

In most cases, smart cards are used together with PINs or passwords. The malware prototype designed by the malware.lu team has a keylogger component to steal those credentials when the users input them through their keyboards.

However, if the smart card reader includes a physical keypad for entering the PIN, then this type of attack won't work, Rascagneres said.

The drivers created by the researchers are not digitally signed with a valid certificate so they can't be installed on versions of Windows that require installed drivers to be signed, like 64-bit versions of Windows 7. However, a real attacker could sign the drivers with stolen certificates before distributing such malware.

In addition, malware like TDL4 is known to be able to disable the driver signing policy on 64-bit versions of Windows 7 by using a boot-stage rootkit -- bootkit -- component that runs before the operating system is loaded.

The attack is almost completely transparent to the user, since it won't prevent them from using their smart card as usual, Rascagneres said. The only giveaway might be the blinking activity led on the smart card reader when the card is accessed by the attacker, he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityprivacymalwareAccess control and authenticationIdentity fraud / theftItrust Consulting

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?