Researchers gain access to USB smart card readers over the Internet
Researchers have successfully demonstrated that it is possible for attackers to take remote control of USB smart card readers from an infected computer. As reported by Computerworld, the proof-of-concept malware essentially involves installing a software driver on the victim's computer that proceeds to share USB devices over the Internet with the attacker.
Developed by security consultant Paul Rascagneres and his team from malware.lu, this particular malware ups the ante by sharing the raw USB connection over TCP/IP. This means that an attacker can tap into a connected smart card or a USB authentication dongle to gain unauthorized access without having physical control of the device.
To be clear, two-factor systems that require the manual input of a generated passcode from a security fob are not affected by this potential vulnerability.
Software that allows users to access USB devices over the network isn't a completely new idea. Vendors of printer servers have long supplied custom applications that allow users to access non-networked printers over the network, as if they were directly connected via USB.
Yet the proof-of-concept is of concern, since some banks have furnished customers with smart cards and readers to authenticate with online banking systems.
Rascagneres and his team were able to successfully test their malware with the national electronic identity card used in Belgium. The use of an additional PIN is not a barrier, since the malware steals the PIN using a keylogger component.