PoC malware for remote hijacking of USB smart card readers

Researchers from malware.lu, a Luxembourg-based malware analysis and incident response team, have created proof-of-concept malware that allows attackers to gain access to and remotely control users’ USB smart card readers.

Smart cards (chip cards) are used for various purposes, including user identification and authentication.

Spanish and Belgian citizens already have an eID card that is used for identification, authentication and digital signing. Banks issue smart cards to customers who have opted for 2-factor authentication when accessing their online banking service, and many companies give them to employees so that they can authenticate themselves when accessing the corporate network from a remote location.

The malware works by installing a special driver on the victim’s computer that shares the USB reader over TCP/IP. A second driver on the attacker’s computer translates that signal and makes it look as if the device is physically attached to the attacker’s own machine, Computerworld reports.

The researchers have tested the malware with smart cards issued by a number of Belgian banks and with the eID card issued by the Belgian government, and it works like a charm, so the researchers expect it to work with other smart cards and other readers just as well.

The malware also has a keylogger component, making it possible for attackers to harvest any of the PINs or passwords that are used with the cards – but only if the reader does not have its own keypad.

Another current limitation of the malware is that the driver is not digitally signed, and some operating systems won’t accept unsigned software. Still, that shouldn’t be a problem for attackers who know how to steal digital certificates and use them to sign the software.
