Malware prototype exposes smartcard security flaws

News 20 Nov, 2012

Proof-of-concept trojan gives cybercriminals access to sensitive data with just an internet connection

A research team from IT security consultancy itrust have created a proof-of-concept malware that lets attackers gain access to smartcard readers attached to infected Windows PCs via the internet.

The attack happens when a smartcard reader is connected to the affected computer via USB.

The malware installs a driver onto the USB device that allows the attacker to access information on the victim’s smartcard as if it were attached to their own PC.

The researchers, led by IT security consultant Paul Rascagneres, used the Belgian eID national electronic identity card and a selection of smartcards used by Belgian banks to test drive the malware prototype.

As with the British Chip and PIN credit and debit cards, most smartcards use a PIN or password as a secondary authentication method to enhance security.

However, the malware developed by the itrust team also contains a keylogger that can steal these credentials as unwitting users type them on their keyboard.

Victims are unlikely to be unaware they have been attacked until they suffer some kind of identity or financial fraud.

Rascagneres claims the attack is completely transparent to the user as they will not be prevented from using their card reader in the usual way.

Marcin Kleczynski, CEO of Malwarebytes told IT Pro: "The research is another clear indicator of the fact that intelligent malware can breach even the most seemingly watertight counter-measure."

"There has been a massive increase in the value of sensitive business data amongst the criminal underground, so breaches such as this, using new attack vectors, will only increase," Kleczynski added.

A full exposition of the development of the prototype and the threat this kind of malware poses will be delivered in a presentation by Rascagneres, entitled Smartcards Reloaded – Remotely! at the upcoming MalCon security conference in New Dehli on 24 November.