Bundled with Malware? The Risk of Buying Low-Cost Smart Card Readers

July 19, 2022

According to Eurosmart's forecasts, smart card markets were slightly below 10 billion units in 2021, and further growth of at least a few percentage points is expected in 2022. Reportedly, there are roughly 50 to 70 million smart cards in the United States. Millions of contractors and government employees in the U.S. use a secure smart ID card that allows them to physically access buildings and controlled spaces. It also provides cardholders with access to government computer networks and systems at their appropriate security level. However, many government employees are not issued an approved card reader to use these cards at home or remotely. As a result, they turn to low-cost smart card readers they find on the internet.

Using Low-Cost Readers: What Can Go Wrong? 

Most of the low-cost smart card readers sold online can be a security hazard, putting data in danger and even posing a national security risk. When you plug one of these readers into your computer, the operating system notifies you that the device's hardware drivers are not functioning properly and suggests that you consult the vendor's website for newer drivers. On the vendor's website, you will most likely find a ZIP file containing drivers for Linux, Mac OS, and Windows. Often these drivers are malicious and completely unsafe to use. The most common malware threat found in these drivers is Ramnit, a dangerous trojan horse that spreads by appending itself to other files. One example of such an incident can be found in a Twitter thread in which a user purchased a smart card reader on Amazon and later found its drivers to be severely infected.

According to Will Dormann, a vulnerability analyst at CERT/CC, searching for device drivers online is one of the riskiest activities to undertake on the internet. In the case of smart card readers, the potential attack surface is enormous, because many U.S. federal employees need to purchase these readers from a myriad of online vendors.

The traditional anti-virus and anti-malware products you run on your computer are reliable at identifying known threats. These tools maintain a database of virus signatures; if a file or running program matches a signature, the software stops it before it can infect the system. However, malware in the drivers of these low-cost smart card readers is still able to get onto your computer, because malware developers are constantly finding new ways to infect systems. The key is to watch for zero-day attacks and these new attack types to keep malicious software off your system.
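Before any driver from such a ZIP is installed, a defender would inspect the package rather than run it. The following PowerShell script is an added example, not part of the original post or any vendor's tooling; the ZIP path is a placeholder, and the device check assumes Windows 10 or later for the Get-PnpDevice cmdlets.

```powershell
# Added example: inspect a vendor driver ZIP before installing anything from it.
# $ZipPath is a placeholder; point it at the downloaded package.
param([string]$ZipPath = "$env:USERPROFILE\Downloads\reader-driver.zip")

$ErrorActionPreference = 'Stop'
$stage = Join-Path $env:TEMP ('drv-inspect-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $stage | Out-Null
Expand-Archive -LiteralPath $ZipPath -DestinationPath $stage   # extract only, never execute

# Every driver binary and catalog should carry a valid Authenticode signature from the
# reader vendor or Microsoft. NotSigned, HashMismatch, or an unfamiliar signer means
# stop and escalate; the SHA256 lets you look the file up in a reputation service.
$report = Get-ChildItem -Path $stage -Recurse -File -Include *.sys,*.dll,*.exe,*.cat |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            File      = $_.FullName.Substring($stage.Length + 1)
            SHA256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
            SigStatus = $sig.Status        # Valid / NotSigned / HashMismatch / ...
            Signer    = $signer
        }
    }
$report | Format-Table -AutoSize

$bad = @($report | Where-Object { $_.SigStatus -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} file(s) are unsigned or have a broken signature; do not install." -f $bad.Count)
}

# Also show which driver Windows has already bound to the attached reader. A CCID-class
# reader that reports Status 'OK' under Microsoft's inbox USB CCID class driver needs
# no vendor download at all.
Get-PnpDevice -Class SmartCardReader -PresentOnly -ErrorAction SilentlyContinue |
    ForEach-Object {
        $id = $_.InstanceId
        [pscustomobject]@{
            Device   = $_.FriendlyName
            Status   = $_.Status
            Provider = (Get-PnpDeviceProperty -InstanceId $id -KeyName DEVPKEY_Device_DriverProvider).Data
            Inf      = (Get-PnpDeviceProperty -InstanceId $id -KeyName DEVPKEY_Device_DriverInfPath).Data
        }
    } | Format-Table -AutoSize
```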

How Hardware Drivers Are Infected 

Malicious software can be placed in the hardware drivers you install in your operating system. These drivers sit between the hardware and the operating system itself. They are effectively privileged code that is trusted by the operating system, which makes them a great place to embed malicious software. Sometimes this happens accidentally. For example, the audio driver installed on some HP laptops included a feature that could accurately be described as a keylogger: it recorded all of the user's keystrokes and saved them to a local file, accessible to anyone, or to any third-party software or malware, that knew where to look. As a result, the audio driver was able to spy on you as you used your computer. Whether it is audio, video, keyboard, or mouse control, if someone is able to monitor any of your hardware and capture its data, they have a wealth of information to use against you.

The Vulnerability of Software Shims

Operating systems have software-based shims. In Windows, a shim built into the operating system allows you to modify applications so that they run as if they were on a different version of Windows. That way, you can take legacy software and run it on the latest version of the operating system. In Windows, this is called Compatibility Mode. Developers refer to this as the Application Compatibility Cache, a.k.a. ShimCache. If a malware author writes their own shim to emulate a previous version of Windows, they may be able to get around a number of security requirements. For example, older versions of Windows did not have the User Account Control feature. If you could pretend that an application was running on an older version of Windows, you might be able to circumvent some of those newer security techniques. This actually happened in January 2015. A vulnerability was identified in the Application Compatibility Cache that could allow elevation of privilege if an attacker logged on to a system and ran a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could bypass the existing permission-checking safeguards in the Windows Application Compatibility Cache and execute arbitrary code with elevated privileges.
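Because compatibility shims are legitimately used and therefore rarely questioned, a defender reviewing a workstation wants to see which ones are in effect. The following PowerShell is an added example, not from the original post; it reads only the standard AppCompatFlags registry locations (the per-application compatibility layers and the custom shim databases registered via sdbinst.exe) and assumes nothing about which fixes a given vendor installs.

```powershell
# Added example: list the application-compatibility shims in effect on this machine so
# that unexpected ones can be reviewed. Reads the standard AppCompatFlags keys only.

function Get-CompatLayerEntries {
    # Per-user and machine-wide "Compatibility Mode" settings, e.g. "~ WIN7RTM RUNASADMIN".
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSChildName/... metadata PowerShell adds; real entries are exe paths.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Scope = $hive; Target = $p.Name; Layers = $p.Value }
        }
    }
}

function Get-InstalledShimDatabases {
    # Custom shim databases registered with sdbinst.exe. Ordinary software rarely installs
    # these, so every entry should be attributable to a known vendor compatibility fix.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem -Path $key | ForEach-Object {
        $v  = Get-ItemProperty -Path $_.PSPath
        $ts = $null
        if ($v.DatabaseInstallTimeStamp) { $ts = [DateTime]::FromFileTime($v.DatabaseInstallTimeStamp) }
        [pscustomobject]@{
            Id          = $_.PSChildName
            Description = $v.DatabaseDescription
            SdbPath     = $v.DatabasePath
            Installed   = $ts
            # A registered database whose .sdb file is missing is itself worth a closer look.
            FileExists  = [bool]($v.DatabasePath -and (Test-Path -LiteralPath $v.DatabasePath))
        }
    }
}

Get-CompatLayerEntries    | Format-Table -AutoSize
Get-InstalledShimDatabases | Format-Table -AutoSize
```

Run it with the same elevation as the user being reviewed, since the HKCU layers belong to the current profile.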

Refactoring: Sophistication of Malware on Drivers 

Malware authors often change the way the malware looks every time it is downloaded. This is metamorphic malware, produced by a technique called refactoring. Each time someone downloads the malware, it arrives as a completely different executable. This means that if you are looking for something to be the same every time, for instance with an anti-virus signature, it becomes much more difficult to identify. Refactoring adds things like NOPs (no-operation instructions) and inserts loops into the application. Code strings are added that have nothing to do with the operation of the malware; they are designed purely to make it look different.

This refactoring process is very intelligent. It takes the malware and reorders all of its functions, changes the actual flow of the application, and completely reorganizes the code. As a result, it becomes very difficult for a signature-based identification method like anti-virus to recognize the code as malicious. So how is this problem addressed? Consider a layered approach. You should still use the anti-virus signatures you have, but also consider blocking known malicious URLs, and take backups more often so that, if you do need to restore from backup, you will not lose too much of your data.

Solving the Problem with TAA Compliance

The Trade Agreements Act (TAA) of 1979 is legislation approving and implementing multiple trade agreements negotiated between the U.S. and other countries under the Trade Act of 1974. TAA compliance is becoming increasingly significant as the high-performance computing industry moves toward cybersecure, made-in-U.S. solutions. A good or service is TAA-compliant if it is manufactured or substantially transformed in the U.S. or manufactured in a TAA-designated country. A TAA-designated country is a nation with which the U.S. maintains a trade agreement and which it regards as a reliable or acceptable procurement source. As of 2022, China and India are not TAA-compliant, whereas Japan and Taiwan are. At present, TAA compliance is only required for federal procurements: government agencies cannot purchase non-TAA products for contracts above the threshold of $180,000 (the value may change). In practice, every GSA Schedule contract exceeds the threshold, so the TAA effectively applies to all schedules. However, the TAA does not limit foreign trade outside the scope of federal procurements, which means non-TAA-compliant products can be sold freely on the commercial market. When purchasing a smart card reader, TAA compliance should be a requirement and not just a recommendation, regardless of the number of units or how they are being purchased. In other words, at least 50% of the product's value should come from the U.S. or designated countries. If manufactured by a third party, it should be ensured that the smart card readers are manufactured in TAA-compliant countries. The origin of all source parts and materials should be confirmed, and each and every component should have proper supply documentation and agreements.

Find TAA-Compliant Smart Card Readers at Identiv

A majority of the RFPs for smart card readers from the Department of Defense (DoD) call out specific Identiv products or equivalent. This means Identiv's contact smart card readers are the standard by which others are measured. Identiv's ultra-compact SCR3310 v2.0 smart card reader and travel-ready uTrust SmartFold SCR3500A and SCR3500C are TAA-compliant, CAC and PIV-approved, EMV 2011 and GSA FIPS 201-compliant, and easily adapt to government, enterprise, or home use. Our complete portfolio of convenient contactless smart card readers is also ideal for secure identification and asset control, physical and network access, and NFC transactions and loyalty programs. Our mobile smart card readers are designed to stay on the go with an extra layer of security. Whether contact, contactless, or mobile, all our smart card readers are manufactured in TAA-compliant nations. Identiv smart card readers have faster throughput than competitive offerings (in some cases, 50% faster). Get in touch to learn more about our smart card readers and how they can help you steer clear of malware and potential security risks.