A Luxembourg-based group of researchers has generated a proof-of-concept that could give attackers the ability to remotely seize control of USB smart cards through Windows machines infected with a piece of malware they developed, according to a PCWorld report.
The team behind the attack operates a malware analysis Website called Malware.lu and will present their findings in a technical briefing at the Malcon security conference in New Delhi later this week.
In a synopsis of his planned presentation at Malcon, Malware.lu’s Paul Rascagneres writes that the malware they developed uses a self-made driver that transfers data from a USB device in raw form over TCP/IP to a command and control server, giving potential attackers the ability to use a smartcard as if it were directly connected to his or her machine.
Rascagneres said his team only tested the proof-of-concept against Belgian national electronic identity cards and smart cards used by some banks in that county, but he says that, in theory, the exploit should work against almost any model smart card.
Many smart cards work in concert with passwords, so the team’s malware also includes a keylogger functionality in order to intercept smart card device PINs. Rascagneres said the attack would not work against smart cards with built-in, physical keypads.
Malware that exploits smartcards is reportedly not new, but Rascagneres’ exploit is unique, according to the report, because it works remotely over the Internet, whereas previous attacks exploited a specific manufacturer’s application programming interfaces on local machines.