Malware made which can share a smartcard over the internet Security researchers have developed proof-of-concept malware that allows attackers to obtain remote access to smart card readers attached to compromised Windows PCs. The experimental malware developed by Itrust Consulting allows hackers to share a USB-based smart card reader over the internet. As such the attack goes one step …
Shock - software which runs with administrative rights on an Internet-connected computer could send data collected from peripherals to an external computer without your permission.
Next!
(P.S. how is this different from a keylogger reading your USB keyboard? And USBoIP software has been available for years - I was looking into it on Windows 98, but it was all too expensive and low-compatibility back then.)
> software which runs with administrative rights on an Internet-connected computer could send data collected from peripherals to an external computer without your permission ..
Where does it say you require admin rights to get infected.
> how is this different from a keylogger reading your USB keyboard?
The difference is how the Windows PC gets compromised in the first place.
You have to install an unsigned driver. Game over before you even start, and requires administrative privileges on just about any modern system (or vast warnings which allow the ordinary users the chance to offer administrative privileges to said malware if they click Yes, which is the same thing).
And I think you're confusing hardware keyloggers with just-about-any utility that can sniff the keyboard / USB transactions. This software is really doing nothing different to quite a lot of malware, just that it directly intercepts a specific piece of hardware (that's nothing new in general, all the recent virus stories discuss SCADA hardware attacks and similar, it's just new to this particular piece of hardware).
Are there any banks in Europe which use USB attached card readers? I thought they'd all standardised on the calculator-like ones, or whatever the dongle which HSBC (?) uses.
Connecting an ID device to a computer, where that device is used to authenticate against a remote service, is an obviously silly idea.
What would be the point of that? That's like contacting the vendor of a network card because you can use it to connect to the Internet and hack people, or contacting the vendor of a hard drive because it can be used to store hacking programs.
As someone else said, this is basically using software to simulate a really long USB cable, with software and the Internet replacing the bit in the middle. The vendor of the smartcard reader has no possible defense against this. You can only stop it by the OS requiring signed drivers.
> I'm surprised no one as yet has tried introducing code via an infected smart card
Although smartcards do have something analogous to files and directories, PC/SC smartcard drivers won't allow you to mount the file systems on a PC. More importantly, there is an ornate privilege mechanism which would usually stop you creating or writing to files without provisioning keys specific to that particular smartcard. Also smartcards generally have only a tiny amount of unused storage, of the order of 2-4kB.
4k is a lot of space to someone who knows what they are doing.
I thought it was absurd when I first heard an image file could contain a virus.
Give the reader some data it doesn't expect, which may make it jump to a random point in memory. If you have some data in the right place, it could make your internet connected machine point at a file on the internet and get the payload from there.
Tricky, but not impossible.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
