Malware.lu researchers have developed proof-of-concept malware designed to take control of USB smart card readers. They’re planning to demonstrate the malware at the MalCon conference in New Delhi on November 24.
“The malware installs a driver onto the USB device that allows the attacker to access information on the victim’s smartcard as if it were attached to their own PC,” writes IT PRO’s Jane McCallion. “The researchers, led by IT security consultant Paul Rascagneres, used the Belgian eID national electronic identity card and a selection of smartcards used by Belgian banks to test drive the malware prototype.”
“Smart cards are normally used in tandem with PIN codes or passwords for two-factor authentication (secure login using something you have — the token, and something you know, a PIN),” writes The Register’s John Leyden. “The prototype malware comes bundled with a key-logging component capable of stealing such login credentials, providing they are entered into an infected PC attached to a smart card reader.”
“The attack is almost completely transparent to the user, since it won’t prevent them from using their smart card as usual, Rascagneres said,” writes PCWorld’s Lucian Constantin. “The only giveaway might be the blinking activity LED on the smart card reader when the card is accessed by the attacker, he said.”