Researcher Seizes Control of Smartcard via Proof-of-Concept Malware

As adoption of smartcards as authentication mechanisms ramps up, so does cyber-crook interest in it. Paul Rascagneres, an IT security consultant at security auditing firm Itrust Consulting, has revealed a proof-of-concept application that can hijack the local, USB-mounted smartcard reader and virtually connect it over the Internet to the attacker`s computer.

Smartcards are primarily used for authentication, as they replace the “sniffable” password with a piece of plastic and a chip. The size and shape of a credit card, smartcards can be used in specialized equipment, but smartcard readers are only shipped in mid-range and top-tier business notebooks, and other interested users have to purchase a reader and attach it via USB.

“I did not test the proof of concept on all providers, but as the malware shares the USB device in raw, we do not target any specific smartcard,” Rascagneres said in a quote for SC Magazine.

Since smartcards are used to keep banking authentication data, to sign documents or even substitute for an ID document (as in Belgium), it is easy to anticipate the interest in seizing control over it. What Rascagneres tried to accomplish was to remotely connect the victim`s USB reader to his computer over the Internet.

Since most smartcards require also a PIN or a password as a secondary authentication factor, the same malware application comes equipped with a keylogger component that logs keystrokes in real time.

The full demonstration of the attack, as well as additional details will be provided on November 24 at the MalCon security conference in New Delhi, India.