Security researchers have developed proof-of-concept malware that allows attackers to obtain remote access to smart card readers attached to compromised Windows PCs. The experimental malware developed by Itrust Consulting allows hackers to share a USB-based smart card reader over the internet. As such the attack goes one step …
Shock - software which runs with administrative rights on an Internet-connected computer could send data collected from peripherals to an external computer without your permission.
(P.S. how is this different from a keylogger reading your USB keyboard? And USBoIP software has been available for years - I was looking into it on Windows 98, but it was all too expensive and low-compatibility back then.)
Compromised Windows PC
> software which runs with administrative rights on an Internet-connected computer could send data collected from peripherals to an external computer without your permission ..
Where does it say you require admin rights to get infected.
> how is this different from a keylogger reading your USB keyboard?
The difference is how the Windows PC gets compromised in the first place.
Re: Compromised Windows PC
You have to install an unsigned driver. Game over before you even start, and requires administrative privileges on just about any modern system (or vast warnings which allow the ordinary users the chance to offer administrative privileges to said malware if they click Yes, which is the same thing).
And I think you're confusing hardware keyloggers with just-about-any utility that can sniff the keyboard / USB transactions. This software is really doing nothing different to quite a lot of malware, just that it directly intercepts a specific piece of hardware (that's nothing new in general, all the recent virus stories discuss SCADA hardware attacks and similar, it's just new to this particular piece of hardware).
Are there any banks in Europe which use USB attached card readers? I thought they'd all standardised on the calculator-like ones, or whatever the dongle which HSBC (?) uses.
Connecting an ID device to a computer, where that device is used to authenticate against a remote service, is an obviously silly idea.
Can it be used to up your Full English Breakfast quota on the combo network login / door access/ lunch payment cards in certain companies? I mean, gotta get the important things first ;)
My previous bank let you use either the calculator thingy, or you could install their middleware and stuff the card to an USB reader (but you had to get the reader yourself).
Smart Card sharing isn't new.
Satellite pirates have been using it for some time now.
So it's a long USB cable then?
So it's essentially a very long USB cable, but they've replaced the bit in the middle with a network link?
Where does it mention they have contacted the vendors of said devices?
Wouldn't trust them as a security business unless they have done this.
What would be the point of that? That's like contacting the vendor of a network card because you can use it to connect to the Internet and hack people, or contacting the vendor of a hard drive because it can be used to store hacking programs.
As someone else said, this is basically using software to simulate a really long USB cable, with software and the Internet replacing the bit in the middle. The vendor of the smartcard reader has no possible defense against this. You can only stop it by the OS requiring signed drivers.
I'm surprised no one as yet has tried introducing code via an infected smart card
> I'm surprised no one as yet has tried introducing code via an infected smart card
Although smartcards do have something analogous to files and directories, PC/SC smartcard drivers won't allow you to mount the file systems on a PC. More importantly, there is an ornate privilege mechanism which would usually stop you creating or writing to files without provisioning keys specific to that particular smartcard. Also smartcards generally have only a tiny amount of unused storage, of the order of 2-4kB.
4k is a lot of space to someone who knows what they are doing.
I thought it was absurd when I first heard an image file could contain a virus.
Give the reader some data it doesn't expect, which may make it jump to a random point in memory. If you have some data in the right place, it could make your internet connected machine point at a file on the internet and get the payload from there.
Tricky, but not impossible.
Given that any card user could carry an pay loaded card and thousands are used every day........
This sounds familiar...
Isn't this the same type of attack used by Sykipot?
- +Comment 'Private Facebook' Ello: There's a reason we're in beta. SPAMGASM!
- NASA rover Curiosity drills HOLE in MARS 'GOLF COURSE'
- WHY did Sunday Mirror stoop to slurping selfies for smut sting?
- Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
- Third patch brings more admin Shellshock for the battered and Bashed