How A Cheap Smart ID Card Reader Sold On Amazon Became A National Security Risk
by Nathan Wasson, Wednesday, May 18, 2022, 04:37 PM EDT
Earlier this month, we reported on a phishing attack that stole $23.5 million from the US Department of Defense (DoD). Thankfully, the DoD caught the cybercriminals and recovered the money, but this incident highlights the need for strong cybersecurity practices at the DoD and among its contractors. The DoD is a high value target with an extensive attack surface due to its size and complexity. A recent discovery demonstrates how cyberattacks can be indirect and come from unexpected sources. A government defense contractor relayed this discovery to Brian Krebs of KrebsOnSecurity, who published the details.
DoD employees and contractors, along with military personnel, use ID cards known as Common Access Cards (CAC) to access controlled spaces, as well as computer systems and networks. Cardholders don’t just use these cards onsite. Many employees and contractors need to access their email remotely, which requires CAC authentication. However, approved card readers aren’t standard-issue devices for cardholders. As a result, government employees and contractors often turn to the internet to find compatible card readers.
Alarmingly, a contractor found that one such device is a vector for malware. The contractor purchased a $15 card reader sold by Saicoo on Amazon. The device has 4.5/5 stars and 11,700 ratings and appears in the sponsored listing section at the top of the Amazon search results for “PIV (Personal Identity Verification) card reader” or “CAC card reader.” The listing and reviews would suggest that this particular CAC reader is a safe and reputable device. However, when the contractor plugged the device into his computer running Windows 10, he was met with a message saying that the device’s drivers weren’t functioning properly. Windows advised that he find newer drivers on the vendor’s website.
The contractor followed this instruction and found drivers for the device on Saicoo’s website, but didn’t install them right away. He instead uploaded the file to VirusTotal, which scanned it with 63 different antivirus engines. Of those, 43 flagged the file as malware, specifically the Ramnit worm. Ramnit has been used in sophisticated data exfiltration attacks and spreads by embedding itself in removable drives and in files that may be shared with others. This behavior is particularly alarming, as an infected USB drive could compromise an air-gapped government network.
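The contractor’s instinct to check the download before installing it is the right one, and it can be turned into a routine. The script below is an added example, not code from the article, from Saicoo, or from the contractor: it hashes a downloaded driver archive, checks the Authenticode signature of every signable file inside it, and asks VirusTotal for an existing verdict by hash alone (so the file is never uploaded). The archive path, the scratch folder and the `VT_API_KEY` environment variable are assumptions for the example; the VirusTotal v3 `files/{hash}` endpoint and the `x-apikey` header are the service’s documented interface.

```powershell
# Added example (not from the article or the vendor): pre-install checks for a driver
# package downloaded on Windows. Nothing in the archive is executed.
param(
    [Parameter(Mandatory)] [string] $ArchivePath,   # e.g. the vendor's driver ZIP (assumed path)
    [string] $VtApiKey = $env:VT_API_KEY            # placeholder: your own VirusTotal API key
)

# 1. Record the SHA-256 of the archive exactly as downloaded. This is what you compare
#    against a vendor-published hash, a later rescan, or a report to your security team.
$archiveHash = (Get-FileHash -Path $ArchivePath -Algorithm SHA256).Hash
Write-Host "SHA-256 of $ArchivePath : $archiveHash"

# 2. Extract to a scratch folder and inspect every signable file. An unsigned or
#    invalidly signed driver binary is a red flag on its own, whatever AV says.
$scratch = Join-Path $env:TEMP ("drvcheck-" + [guid]::NewGuid())
Expand-Archive -Path $ArchivePath -DestinationPath $scratch -Force
$findings = Get-ChildItem -Path $scratch -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll', '.sys', '.cat', '.msi' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName.Substring($scratch.Length + 1)
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Status = $sig.Status                       # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        }
    }
$findings | Format-Table -AutoSize
$unsigned = @($findings | Where-Object { $_.Status -ne 'Valid' })
if ($unsigned.Count -gt 0) {
    Write-Warning ("{0} file(s) are not validly signed; do not install without a vendor explanation." -f $unsigned.Count)
}

# 3. Ask VirusTotal whether it already knows this hash (GET /api/v3/files/{hash}).
#    A 404 only means nobody has submitted the file yet; it is not a clean verdict.
if ($VtApiKey) {
    try {
        $r = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$archiveHash" `
                               -Headers @{ 'x-apikey' = $VtApiKey } -Method Get
        $stats = $r.data.attributes.last_analysis_stats
        $total = $stats.malicious + $stats.suspicious + $stats.undetected + $stats.harmless
        Write-Host ("VirusTotal: {0} of {1} engines flag this file as malicious" -f $stats.malicious, $total)
        if ($stats.malicious -gt 0) {
            Write-Warning "Do not install; keep the archive quarantined and report the hash."
        }
    } catch {
        Write-Warning "No VirusTotal verdict available ($($_.Exception.Message)); treat as unknown, not clean."
    }
}

# 4. Remove the scratch extraction. Keep the original archive quarantined if anything flagged.
Remove-Item -Path $scratch -Recurse -Force
```

Run it as `.\Check-DriverPackage.ps1 -ArchivePath .\driver.zip` (script name assumed) from a non-administrative session. The hash lookup deliberately avoids uploading the file, which matters when the download itself may be sensitive; if the hash is unknown to VirusTotal, the honest result is “no verdict,” and the signature check and your organisation’s software-approval process should decide, not the vendor’s reassurance.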
The contractor told KrebsOnSecurity that the distribution of malware by a company selling CAC readers “Seems like a potentially significant national security risk, considering that many end users might have elevated clearance levels who are using PIV cards for secure access.” Saicoo may have been hacked and is distributing the malware unknowingly, but the company doesn’t seem willing to acknowledge the malware’s presence. The contractor tried informing Saicoo by email that the ZIP file on its website contains malware, but the company ignored this information and simply said that its newest devices don’t require additional drivers.
KrebsOnSecurity also contacted Saicoo by email and received the following reply: “Thanks for your contacting, we noted your issue. From the details you offered, issue may probably cause by your computer security defense system as it seems not recolonized our rarely used driver & detected it as malicuous or a virus, Actually it’s not carrying any virus as you can trust us, if you have our reader on hand, please just ignore it and continue the installation steps. When driver installed, this message will vanish out of sight. Don’t worry. Meanwhile, our reader is not Driver free on Windows 7 or later & Mac OS 10.11.1 or later since we’ve updated our driver chip. Thanks for your kind advise and we look forward to fixing your issue as soon as possible.”
To summarize, 'Don't worry, install our malware and the new version we have coming will have it in firmware!' Um, yay?
Judging by these replies, Saicoo doesn’t seem interested in taking responsibility for the malware being distributed on its website. According to KrebsOnSecurity, Amazon has stated that it is investigating this situation. However, even if Amazon removes the device listing, those who have already purchased the device are at risk of unknowingly downloading malware from Saicoo’s website.