Malware-Infested Smart Card Reader

Brian Krebs has an interesting story of a smart ID card reader with a malware-infested Windows driver, and US government employees who inadvertently buy and use them.

But by all accounts, the potential attack surface here is enormous, as many federal employees clearly will purchase these readers from a myriad of online vendors when the need arises. Saicoo’s product listings, for example, are replete with comments from customers who self-state that they work at a federal agency (and several who reported problems installing drivers).

Posted on May 26, 2022 at 6:55 AM • 23 Comments

Comments

Tim May 26, 2022 8:54 AM

This is less of an issue with a random bit of hardware offered on Amazon and more of an issue of an employer not providing the right tools for the job and setting poor expectations on what is required of them off duty.

Clive Robinson May 26, 2022 10:07 AM

@ ALL,

Consider

1, If the card is properly secure, then it should not be harmed or its contents changed/deleted by putting it in a device with malware infested drivers.

2, If the card is properly secure, then it should not leak any information about the user when being used online.

3, Though the reader may leak information about the reader location and time of use, that is true of any security device connected to a commercial system connected to the Internet.

Which means that if that level of information leakage, or any further leaks of information from software running on the end user’s commercial computer system infested with malware affect “security”, then the military should not be allowing the use of their systems in this way…

Ted May 26, 2022 10:17 AM

Good lord. This is quite an exposure. Why wouldn’t employees receive a link to the approved card readers at the time their card was issued? Not to mention that there doesn’t seem to be any kind of technical monitoring or enforcement for approved card readers.

Saicoo’s response is hilarious: “Actually, it’s not carrying any virus as you can trust us, if you have our reader on hand, please just ignore it and continue the installation steps…

Of course that’s not what Virustotal said – whether the driver ZIP file had been infected unwittingly or not.

Q May 26, 2022 11:09 AM

It’s just a $15 card reader. You can’t expect to get good support, or indeed any support. I’m surprised he got a response at all.

The response was, of course, useless, so I suppose it could be considered the same as no response.

You get what you pay for. So the WTF here is expecting stellar service for $15.

JonKnowsNothing May 26, 2022 7:43 PM

@Ted, @All

re: Why wouldn’t people receive a link to the approved card readers

I cannot say exactly in this case but consider the following..

RL anecdote tl;dr

Some 6 months ago the Great State of Texas changed their social services computer systems. It is now a mirror of the Compliantly Hostile Environment in the UK which has propagated to many countries.

For the last decades I’ve logged into the old system every 6 months to update the information for my Mum (who will be 100yo in June) and had no problems in complying with any requirements.

After the computer change, which included many new requirements and a huge number of “non correctable errors” in her file, her food stamp allocation was ended in Jan 2022.

There have been endless rounds of applications, reapplications, calls, attempts to resolve issues, correct the data without any success, although some of the clerks and LCSWs have been clearly shaken that a 100yo would be denied food stamps; but as Compliantly Hostile Environments are designed to have impossible resolutions, the staff have had their discretion curtailed. (aka Value for Money)

Recently, the family received several calls from Higher Ups on the food chain, to get her the food stamps.

* They reinstated her benefit “temporarily” because the underlying issues are still there.

* They cut her allowance by 50%, stating the allowance is based on “conditions”; since those conditions haven’t changed in several decades, there was no explanation of why she gets 50% less now than previously.

* There is no payment for the months in arrears that she was denied, because the 100yo lady did not comply with the required documents and any failures to comply are the fault of the applicant. (see hostile environment policies)

* They let it be known there is a “device” that would have allowed us to complete all the documentation and this device is available “free” from the Great State of Texas, except no one told us about this device, nor how to get one.

When we asked could we please be sent such a device the answer was:

* Well we don’t have the device in our department
* You have to apply to get one
* There is a special phone number you call to get The Application

Can we have the phone number to call and we will apply for this device?

* NO
* We are not allowed to give out that number.

on an aside:

Part of the Hostile Environment processes is to require technology or apps or features (printers, faxes) and other impediments that are not within the financial reach of many applicants.

Up until Sept 2021, I was able to finesse my way through the computer systems and requirements. After the new alterations in the program, including non-fixable input errors that even the department cannot fix, we came to a technical halt.

It is very dangerous in the USA (and other countries) to submit documentation that is “incorrect”. It doesn’t matter HOW the incorrect entry got there, if you click SUBMIT you are attesting under PERJURY that the information is true. Therefore, not only can you not do the SUBMIT, you have to wait for that round of bits, to hit the bucket before you can attempt again. If you run into the same issues (yes…) you had better NOT DO SUBMIT.

The purpose of Hostile Environment is not to “protect and validate” it is to deny and keep denying until either people give up or die.

Ismar May 26, 2022 8:08 PM

Hmmm,
The way I see this is that most of the blame would be with the user for trying to connect an unauthorised piece of hardware to their company computer, even more so knowing that any reputable company would have policies in place to forbid this explicitly and also have tools in place to monitor this type of activity (I would imagine this was how the issue was first detected and not how it is mentioned in Krebs’s article).
If this is not the case then they deserve being infected.

Ted May 26, 2022 9:39 PM

@JonKnowsNothing

re: Compliantly Hostile Environment

First of all, congrats to your Mum for making it to 100 in June. That’s incredible. Second, I am so, so sorry you both have to deal with this. It sounds grotesquely Kafkaesque.

With the loosey-goosey PIV/CAC card readers, at least people are able to get access to employer resources from home – even though it’s creating some dodgy situations.

Is your Mum at least able to get food to eat?

JonKnowsNothing May 27, 2022 12:01 AM

@Ted

re: getting food to eat?

By now, pretty much anyone who isn’t an Oligarch has found some aspect of their financial status to be in Disarray.

Food in the USA is more expensive and fuel costs are rising quickly. Energy costs for cooling (summer heat waves) are so high that locally the “Cooling Centers” are already opening. (1)

My family is eating but when the costs go UP and the income goes DOWN, you don’t get the variety of food types or the quality of food.

  • When you are 100yo you need Good Quality Food to keep your health.

So, someone doesn’t get the extra slice of bread or the bigger piece of chicken and buying Take Out is not even a special event option.

After the death of my spouse, I faced some grim facts. It’s similar to when a partner loses a job. The income drops by the value of the job. If both have similar incomes, the drop is 50%.

  • The challenge is: how to pay housing, fuel, utilities, bills AND eat on 50% less income.

With much encouragement from friends, I’ve become a regular at the Food Pantry. The ones I go to are not interested in Value for Money (Means Testing), they are interested in making sure No One Goes Hungry.

I go to 2 different ones. One pantry is weekly and they give you a pre-loaded bag of food by trunk drop. In and Out. The other is monthly and you go inside and pick items from the selection of the month. Similar to a small market. At each “aisle” they tell you how much you can take from that section. It’s 3-4 bags of groceries. Between them I get enough to eat for the month. I never know what is going to be available so I have to be Creative with the Ingredients. I also have to be mindful of the Energy Costs for cooking. (2)

I have also discovered a number of neighbors that are struggling to make ends meet. They don’t have the fuel to drive to the pickup spots. The Weekly Pantry lets me “pick up for them” when I get mine.

  • 2 weeks back I delivered 2 full bags of groceries and bread to a family of 7 (3 retired 2 working 2 teens)
  • Last week I delivered 1 full bag of groceries and bread to a neighbor (retired) who had no money for fuel to go themselves.

All the foods at the pantry are Expiry Items but are Still Good. This is food the markets cannot sell and The Day Old bakery has now gone Two Days Old. The left overs are slated for the landfill. Eating it keeps folks alive.

It’s been an eye-opening and view-altering experience. I am most grateful for the food but I am more grateful to have been of help to my friends and neighbors and to have learned that there is No Shame In Taking The Food.

As a wise friend said:

You worked all your life to help others, and now it’s your turn to receive the help.

An often-seen sidebar of the tech discussions is a review of how the Western Economies ended up in this fix. Some answers are just Not Wanted. A 100yo is not going out to buy a $1300 smartphone to load a Great State of Texas App to upload documents, nor can they just trundle downtown to the COVID-19 Closed Offices by walker. It’s equally short sighted to expect and assume that EVERYONE has a $1300 smartphone in their back pocket.

It gives some insight into what Value for Money is really about.

===

1) Cooling Centers are places that have A/C and may be open to the public in some fashion. People can go to avoid heat stroke and heat related deaths. Some places are Bring Your Own Sleeping Bag and they let you kip on the linoleum walkways in the malls. Others have a closing hour (temperature drops to 100F 37.7C).

You need 2 (Or more things)

  • Transportation To and From
  • Be ambulatory enough to walk in and walk out of the center

There are a lot of people who will die this summer from heat. They have no fuel to drive to the center. They may not be able to drive themselves. They may not be able to walk a long hallway or from a distant parking spot-drop off spot (city bus stop).

The equation of Benefit v Cost is called Value for Money. If your life has “No Benefit” then there is No Reason to Pay a Nickel to Save It.

2) Currently PGE in California charges their HIGHEST PRICES from 4pm – 9pm. This is during the hottest part of the day and at the time when people are accustomed to having dinner == cooking.

Between 4pm and 9pm I do no cooking and I use as little electricity as possible, which means there is a short window for minimal A/C during the early afternoon and None after 4pm. Dinner is at 10-11pm.

Denton Scratch May 27, 2022 5:25 AM

@JonKnowsNothing

if you click SUBMIT you are attesting under PERJURY that the information is true.

Not true; to be eligible for a charge of perjury, you have to testify under oath (or equivalent). A false assertion in a contract isn’t perjury (however you capitalise it).

Clive Robinson May 27, 2022 6:18 AM

@ JonKnowsNothing,

This is during the hottest part of the day and at time when people are accustomed to having dinner == cooking.

The way we cook is generally very wasteful of energy.

Annoyingly, cutting the energy waste, whilst technically easy, is not that easy for most to do.

Back in the 1950’s for instance you could get “cookers” that had heat insulating covers you could lower down. So you put a pan of vegetables on and brought it to the boil. You then turned off the heat and lowered the cover. The food continued to cook without other energy input for quite a period of time, an hour or more being normal. This would cut your energy input down to a third or less in return for taking the “cooking time” from 1/3rd of an hour to about an hour and a half. The food will remain at a hot eating temperature for at least as long again. So you could start cooking around 3:40pm, stop using energy before 4pm and still eat a hot meal some time after 6pm.

The insulating covers idea was not exactly an original idea but was kind of a “high tech” implementation for the 1950’s. However the down side is those covers were made with white asbestos, not exactly something most people would want around especially near food.

The idea however goes back centuries to the use of “hot stone pit” (steam/luau), cauldron, and hay box cooking. You use a “heat storage” element and “insulation”, it’s most efficient if the storage element is what you are cooking, especially if it has a very high water content.

Thus soups, stews and steamed puddings etc. Not everybody’s favourites I know but generally healthy and importantly helps you get the most benefit from the food so effectively makes it go 10-20% further.

Put simply, if you cook complex carbs and proteins long and slow it’s like having a second stomach to assist in digesting. Likewise lipids and minerals that are essential all become more available for digestion; as for fiber, likewise it makes it more beneficial and life more satisfactory.

The modern fancy way is “waterbath cooking” known as “Sous Vide”. The temperature controlled water bath and vacuum sealed bags of food work the same way as a cauldron with a low fire under it and food in pots or cloths hung in the water from the rim. To prevent leakage from the cloths they are first wetted then the inside dusted with fine flour then a heavy suet layer into which the food is sealed. The cloth is then tied up to make a “pudding” that then cooks over five to ten hours. See discussions on cooking “steamed puddings” to get the fine details. The “all around heat” effect is also why “Dutch ovens” look like little cauldrons with lids: you make a fire in a sunken hearth or pit, and when it is just glowing coals you scrape them aside sufficient to get the “dutchy” in, then pile the coals up and over it, then “bank up” with earth to keep the heat in.

But rather than go very “old witches school”, “50’s fab-estos” or ultra modern “stainless steel sous vide” is there anything else you can do?

Well yes is the answer: make your own “hay box” with a large box, two “contractor bags” and an old duvet and pillow.

Basically put the box on the floor and put one contractor bag inside it, which you then line with the duvet and put the second contractor bag inside of that. In essence you are making the equivalent of a hot water tank insulating jacket. Inside of this add a small wooden board or similar you can stand a sauce pan with lid but without long handles on. When the pan is level you fold the inner contractor bag over it put the pillow on-top then pull any excess duvet over that and fold the outer contractor bag over that and put a small light weight on-top to keep it in place. Thus you have your insulated hot water tank for cooking.

The trick to doing hay box cooking is to work out the energy curve to cook a particular food stuff. With root vegetables and the like I generally assume an equal weight of boiling water and let it slow cook down to 50-60C or at least three hours, but the slower the temperature drop and the longer the time, generally the better.

So get your saucepan and put only a small amount of water in the bottom, then small chop the vegetables and add to it, put on the lid, and put on a low heat to bring to the point it is just lightly steaming. In a kettle bring to the boil the equivalent weight of water, then add this to the saucepan, put on the lid and put in your hay box and then go and do other things for three hours.

If all has gone right, the saucepan will still be above 60C and the vegetables will be softly cooked.

A simple chunky vegetable soup can be made by putting an inch of chopped carrot as the bottom layer, two inches of chopped potatoes and an inch of thin chopped onions on that, and add a stock cube to the steaming water.

Experiment with vegetables you can eat raw until you get the hang of it; that way you don’t waste anything if it’s under cooked.

Most “slow cooker” recipes will work.

One thing to remember: if you hay box cook but it gets too cool/cold to eat, if you lift the cooked food out of the liquid with a slotted spoon you can heat it in just a few seconds in the microwave, and heat just enough of the stock in a glass jug and add fresh chopped light herbs to add extra flavour, and a little plain flour, corn flour, or arrowroot to lightly thicken, which helps hold it in your stomach for longer making it feel like you have eaten more.

Another trick worth remembering is that batter is water, fat, flour, and eggs in various ratios. Anything that is nearly all eggs is scrambled eggs, or if smooth a custard; as you thin it out with more fluid it becomes batter for things like “toad in the hole”, thinner yet Yorkshire pudding mixture, through pancake mixture through to crêpe mixture.

Whole milk is basically water with fat in it. If you add flour or preferably a roux (butter with flour heated to a high temperature) you can thicken it to a quite thick sauce. If you beat in an egg the heat from the sauce cooks it… Using a microwave you can add eggs one by one and by letting the outside cook through till solid cut it in when you add the next egg. The result is you can make what looks and tastes like soft cooked scrambled eggs with half or less the number of eggs per person.

But when I was effectively bed ridden some time ago due to one of the more annoying maladies I suffer from from time to time, I discovered an interesting thing… I have a very large thermos flask with pump dispenser like you see on tables at conferences and a smaller thermos jug. If I used the very large thermos as a “tea pot” I could use just one tea bag to make four pints of tea that stayed hot for the day with just one boiling of the kettle in the morning, and the small thermos to hold a pint of cold milk. Thus keeping them by the bed kept me hydrated.

Oh and there is a “dirty secret” I was told by someone I know in the catering industry when I was chatting one day and I told them about the energy saving and it needing just one tea bag. They said “don’t wash it out for the week”… It’s well known in “greasy spoons” / “Diners and dives” that the practical reality is, it turns out that things “don’t go off” or ferment if you fill with boiling water once a day. So like those famed tea urns in Russia that are never washed out it just “builds the flavour”…

Also if you use “instant coffee”, boil a large kettle of water once a day and pour the boiling water into a large thermos; just add enough hot water to dissolve the powder and add some cold water to top up to make it a warm drinking temperature.

But it turns out amongst certain older “out doors men” there is an old trick. You have a large flask –non vacuum will do– and last thing at night you fill it with boiling coffee and wrap it in a large cloth or towel. You take this into your sleeping roll as a “hot water bottle”; in the morning you have a cup of warm drinkable coffee ready, so you can “get going” immediately with lighting the fire and starting cooking breakfast etc. You can also warm it through by the fire once lit and drink it till the new coffee is made.

And yes before you ask I’ve tried it with black tea and yes it works OK as well.

Anonymous May 27, 2022 10:03 AM

@Clive it’s a driver. It has access to basically anything the computer is doing.

JonKnowsNothing May 27, 2022 10:03 AM

@ Denton Scratch, @All

re:Perjury or Not Perjury: to be eligible for a charge of perjury, you have to testify under oath (or equivalent). A false assertion in a contract isn’t perjury.

I think there is a difference between a “contract” and what The Great State of Texas requires on their applications.

  • A contract normally has some form of exchange plus something given as “consideration” to validate the exchange. Peppercorns. Buy, Sell, Trade.

A sample from The Great State of Texas application:

If you withhold any information or give false information … you will owe us the value of any benefits…. You may be barred from benefits for one year to permanently and be fined $250,000 and imprisoned for 20 years or both.

I am not hitting submit on a form that has errors introduced by The Great State of Texas Compliantly Hostile Computer System. (1)

IANAL, I will let you give it a go against The Great State of Texas.

===

1) see UK Postmasters Fujitsu Mainframe Criminal Proceedings

ht tps://en.wikipedia.org /wiki/British_Post_Office_scandal
(url lightly fractured)

EvilKiru May 27, 2022 10:43 AM

@Ismar: This isn’t about connecting an unapproved device to your WORK computer. It’s about being REQUIRED to connect FROM HOME even when you are NOT provided with a laptop to take home with you AND neither are you are provided with a card reader to take home with you, yet you MUST have a card reader in order to access your work from home.

JonKnowsNothing May 27, 2022 10:53 AM

@Clive, @All

re: Straw Box and reusing tea bags

I had never heard of a straw box until @20 years ago, when I saw, what is now called, a “thermal cooking bag”. I didn’t know this is a high tech version of a straw box at the time.

Later on, a series of mystery stories set in France has a recurring feature that includes a full course dinner recipe set, as part of the stories and there is at least one Straw Box recipe where the box has real straw. (1)

While it might make the Pasta Perfect folks cringe, I turn off the burner after a good boil, put a lid on the pot and let the pasta coast to cook. I no longer care about al Dente, I mostly care about cooking up a batch, splitting it into usable portions, drizzle a bit of olive oil on it and freeze it. That way I can have pasta re-heated, with the sauce of the day, and a side of food pantry veggie for my now late dinners.

It’s interesting about the 1 tea bag too. Seems like good ideas stick around to be rediscovered. I fill an 8 cup pitcher with cold water and add 1/4 cup sugar and 1 tea bag. I let it sit on the counter and a few hours later I have something wet and slightly sweet to drink. It goes in the fridge and when it gets down about half-way, I fill it up again. I have a variety of teas to select from, so when I tire of one “weak tea flavor” I make a new batch with a different selection.

===

1) Bruno, Chief of Police Martin Walker

Clive Robinson May 27, 2022 11:44 AM

@ Anonymous, ALL,

it’s a driver. It has access to basically anything the computer is doing.

You’ve forgotten about –supposedly[1]– “Secure Enclaves” in most modern IAx86 compatible CPUs as well as ARM and one or two other CPU architectures. These were all the rage until fairly recently.

[1] The failing of Secure Enclaves in some CPU architectures is not due to the general design of the enclave, but “further down the computing stack” with hardware that effectively adds “go faster stripes” to get the CPU to appear a bit faster on carefully selected instruction sequences. The problem is unentwining the instructions that cause the side channel leakage.

Clive Robinson May 27, 2022 12:16 PM

@ Anonymous,

Also consider where the “root of trust” is and how it is protected.

In effect a properly implemented Smart Card is a “Security Enclave” in its own right, which we might otherwise call a “Hardware Security Module” (HSM).

There are known protocols to use these with “untrusted hardware” and “untrusted software”.

Whilst effectively slow they can raise the level of the game above that of even most sophisticated attackers.

The real question is of course one of trade offs,

1, Smart Cards are quite inexpensive.
2, Trusted terminals are very expensive[1].

So you can guess why they all have Smart Cards.

Now whilst the general type Smart Card is OK for what I identified in my original post, and some user authentication and authorisation it lacks as I noted the facility to be used for transaction authentication and authorisation with Commercial Off The Shelf systems like home PC’s.

So to do “crypto” of messages would require “an independent token” in the chain to move the security end point and subsequent user display device off of the consumer computer.

Which is why I made the point originally of,

“then the military should not be allowing the use of their systems in this way…”

Even with low level “restricted” or “confidential” material…

[1] You can build your own “hardware cluster” home super-computer for the price of a secure terminal…
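The trust split Clive describes in his first comment (the card should survive a malware-infested driver without leaking its contents) and in this one (the card is an HSM; without an independent token the security endpoint stays on the consumer PC) can be shown in a small model. The following is an added illustration, not code from the post or any commenter. It is a toy: an HMAC challenge-response stands in for the card's real signature scheme, the relying party shares the card key, and the class and function names (SimulatedCard, Server, ConfirmingToken and the rest) are hypothetical. The host in the middle is assumed compromised throughout; it only ever sees the card's public API, so the key never leaves the card and a captured login response cannot be replayed, yet the same host can hand the card a transaction the user never intended, which is exactly what the separate confirming token is there to stop.

```python
import hashlib
import hmac
import secrets


class SimulatedCard:
    """Toy smart card: the key exists only inside this object and the host
    reaches it solely through verify_pin() and sign(). Not a real PIV/CAC."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin = pin
        self._unlocked = False
        self._tries_left = 3

    def verify_pin(self, pin: str) -> bool:
        if self._tries_left == 0:
            return False  # blocked after repeated wrong PINs
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._unlocked = True
            return True
        self._tries_left -= 1
        return False

    def sign(self, data: bytes) -> bytes:
        """MAC whatever bytes the host hands over: with no display of its own
        the card cannot tell a login challenge from a tampered transaction."""
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return hmac.new(self._key, data, hashlib.sha256).digest()


class Server:
    """Relying party; in this symmetric toy model it shares the card key."""

    def __init__(self, card_key: bytes):
        self._card_key = card_key
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self._card_key, data, hashlib.sha256).digest()

    def verify_login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already-used nonce: replay rejected
        self._pending.discard(nonce)
        return hmac.compare_digest(self._mac(nonce), response)

    def verify_transaction(self, tx: bytes, mac: bytes) -> bool:
        return hmac.compare_digest(self._mac(tx), mac)


class ConfirmingToken:
    """Hypothetical independent token with its own display and button: it
    shows the exact bytes to the user and passes them to the card only once
    confirmed, moving the security endpoint off the untrusted host."""

    def __init__(self, card: SimulatedCard, user_confirms):
        self._card = card
        self._user_confirms = user_confirms  # callable(tx) -> bool

    def sign(self, tx: bytes):
        return self._card.sign(tx) if self._user_confirms(tx) else None


def login_through_host(card, server, pin):
    """Login via a compromised host: it sees the PIN, the nonce and a response
    valid only for that nonce. Returns (first attempt ok, replay ok)."""
    nonce = server.challenge()
    card.verify_pin(pin)
    response = card.sign(nonce)
    first = server.verify_login(nonce, response)
    replay = server.verify_login(nonce, response)  # host reuses the capture
    return first, replay


def transaction_through_host(card, server, user_intended, host_sends):
    """Card alone: returns (server accepted, bytes matched user's intent)."""
    accepted = server.verify_transaction(host_sends, card.sign(host_sends))
    return accepted, host_sends == user_intended


def transaction_through_token(token, server, host_sends):
    """Card behind a confirming token: unconfirmed bytes are never signed."""
    mac = token.sign(host_sends)
    return mac is not None and server.verify_transaction(host_sends, mac)


def demo():
    key = secrets.token_bytes(32)  # constructed card key, shared with server
    card, server = SimulatedCard(key, "1234"), Server(key)
    intended = b"pay 10.00 to account A"  # what the user meant to authorise
    tampered = b"pay 9999.00 to account B"  # what the host actually submits
    token = ConfirmingToken(card, lambda tx: tx == intended)
    return {
        "login": login_through_host(card, server, "1234"),
        "card_only_tampered": transaction_through_host(card, server, intended, tampered),
        "token_tampered_accepted": transaction_through_token(token, server, tampered),
        "token_intended_accepted": transaction_through_token(token, server, intended),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the login succeeding once and the replay failing, the card-only transaction being accepted by the server even though it is not what the user intended, and the same tampered transaction being refused once the confirming token sits between host and card. The model deliberately uses a shared symmetric key so it runs on the standard library alone; a real card would hold an asymmetric private key and the server only its certificate, which changes nothing about where the trust boundary falls.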

Wannabe techguy May 27, 2022 1:20 PM

@EvilKiru,etal
That seemed fairly clear from Brian’s post, but I thought maybe I missed something seeing how commenters here are blaming the employees.

lurker May 27, 2022 4:25 PM

@Clive Robinson
You referred to known protocols, but the filter objected to my question of who knows. Because it seems obvious to you and I that the end users should not have been left in this situation.

Winter May 28, 2022 3:16 AM

@EvilKiru

AND neither are you are provided with a card reader to take home with you, yet you MUST have a card reader in order to access your work from home.

I do not see why we even discuss this case. Someone was clearly penny wise and (mega)pound foolish. But isn’t this what outsourcing has been shown to be all about, being penny wise and pound foolish?

Anonymous May 31, 2022 8:55 AM

@Clive I don’t need to compromise your smart card when I’ve already compromised your operating system.

Chris Drake June 16, 2022 1:13 AM

The same problem applies to almost all hardware that ships with drivers – vastly more often-than-not, the drivers are malware, and I seriously wonder if the ones that don’t detect as malware are simply new strains that aren’t yet documented!

It’s no surprise – almost all software is malicious in one way or another these days, either deliberately or accidentally – software is hard, and there’s not enough smart people to pay attention to all the moving parts involved.
