The government’s Personal Identity Verification (PIV) is meant to provide multifactor authentication to federal IT resources and facilities. These cards, which rely on the Federal Information Processing Standard 201 (FIPS 201), have proven effective at keeping unauthorized individuals from access to a building or controlled space, as well as to a government computer network.
Millions of U.S. government employees and contractors are issued the cards, which can also provide access to a device such as a computer. As individuals were forced to work remotely, some opted to purchase low-cost readers online that could connect with a laptop or other device.
This has presented problems.
Card Reader Driver and Malware
According to a report last month from cybersecurity researcher Brian Krebs of KrebsOnSecurity, the drivers shipped for some of these card readers could install malware on an otherwise secure device. Krebs described a government employee, identified only as “Mark,” who was issued the PIV smart card designed for civilian employees; because a reader was needed to access his work computer remotely, he bought a $15 product from retail giant Amazon.com.
It was reportedly sold by a company called Saicoo, and advertised as a “DOD Military USB Common Access Card (CAC) Reader.” With more than 11,700 mostly positive reviews, Mark thought it was a safe bet.
Although it was described as a universal plug-and-play device that needed only a USB port, Mark found that the card reader wouldn’t function, and Windows 10 suggested downloading newer drivers from the vendor’s website. It doesn’t take a cyber sleuth to see where this is going.
It is never advisable to download and install drivers on a work computer without assistance from the IT department; doing so remains one of the leading ways computers become infected with malware.
Fortunately, Mark uploaded the Saicoo drivers to VirusTotal.com, a website that scans a submitted file with more than five dozen antivirus and security products at once. Some 43 of the security tools employed by VirusTotal flagged the drivers as containing malware. Among the most nefarious of the threats was “Ramnit,” a Trojan horse that can spread through a network by appending itself to other files, Krebs noted.
“This really underscores the problems of BYOD (bring your own devices),” said John Gunn, CEO and chief evangelist of cybersecurity research firm Token.
“Organizations must lock down and essentially own all of their endpoints and all aspects of user access,” Gunn told ClearanceJobs. “When people use their own devices, myriad vulnerabilities are introduced and the number of vulnerabilities rises rapidly.”
Safe Products, Bad Drivers
For its part, Saicoo claimed its drivers were free of malware, and as Krebs wrote, it is likely that the ZIP archive itself was not altered but that the HTML files included to complete the download were infected. This shows that even a company with a reliable product can open an unnecessary security hole.
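As an added example, not code from the Krebs report or from this article, the following Python script performs the kind of pre-install check the two paragraphs above describe: it hashes a downloaded driver archive so the digest can be looked up on VirusTotal without uploading the file, hashes each member, and flags active content (HTML, script files) bundled in what should be a plain driver package, including HTML files that carry an appended script block embedding a hex-encoded executable, the shape a file infector leaves behind. The archive, its member names and the appended script are constructed fixtures, and the "script block with an MZ-header hex string" heuristic is an assumption about how such an infected HTML file looks, not a signature taken from the article.

```python
import hashlib
import io
import re
import sys
import zipfile

# Member types that legitimately belong in a Windows driver package (assumed list).
DRIVER_EXTENSIONS = {".inf", ".sys", ".cat", ".dll", ".exe", ".txt", ".pdf"}
# Active content that has no business inside a driver bundle.
SUSPECT_EXTENSIONS = {".html", ".htm", ".hta", ".js", ".vbs", ".vbe", ".wsf"}

# Heuristic (assumption): a script block whose body quotes a hex string beginning
# with 4D5A, the "MZ" header of a Windows executable, i.e. an embedded PE payload.
EMBEDDED_PE_HEX = re.compile(
    rb"<script[^>]*>.*?[\"']4D5A[0-9A-Fa-f]{16,}[\"'].*?</script>",
    re.IGNORECASE | re.DOTALL,
)


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest, the value you would search for on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def inspect_driver_archive(archive: bytes) -> dict:
    """Return the archive hash, per-member hashes and a list of findings."""
    report = {"archive_sha256": sha256_hex(archive), "members": {}, "findings": []}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(info)
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            report["members"][name] = sha256_hex(data)
            if ext in SUSPECT_EXTENSIONS:
                report["findings"].append(f"{name}: active content in a driver package")
                if EMBEDDED_PE_HEX.search(data):
                    report["findings"].append(
                        f"{name}: script block embeds a hex-encoded PE (MZ header)"
                    )
            elif ext not in DRIVER_EXTENSIONS:
                report["findings"].append(f"{name}: unexpected file type {ext or '(none)'}")
    return report


def build_sample_archive() -> bytes:
    """Constructed fixture: a small driver bundle with one HTML readme carrying an appended script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reader_driver/reader.inf", '[Version]\nSignature="$Windows NT$"\n')
        zf.writestr("reader_driver/reader.sys", b"MZ" + b"\x00" * 64)
        clean_html = "<html><body>Install guide</body></html>"
        # Hypothetical infector residue: a VBScript block that writes an executable from hex.
        infected_html = clean_html + (
            '<script language="VBScript">'
            'payload="4D5A90000300000004000000FFFF0000"'
            "</script>"
        )
        zf.writestr("reader_driver/readme_en.html", clean_html)
        zf.writestr("reader_driver/readme_cn.html", infected_html)
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a downloaded archive path to inspect it, or run with no argument for the fixture.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_archive()
    result = inspect_driver_archive(blob)
    print("archive sha256:", result["archive_sha256"])
    for member, digest in result["members"].items():
        print(f"  {digest}  {member}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

On the fixture the script reports two HTML members as active content and singles out the one whose appended script embeds an MZ-header hex blob; the per-member hashes let you check the payload-carrying file separately from the archive, which is the distinction the article draws between an unaltered ZIP and infected HTML inside it.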
Cybersecurity researchers have long warned that downloading drivers, even from seemingly reputable vendors, can be a dangerous undertaking. This is also a reminder that human error is often the weakest link in the cybersecurity chain. In this case, many individuals may purchase such a readily available card reader, secure enough as hardware, and not give a second thought to the drivers they download along with it.
Instead of keeping the data on a laptop secure, an off-the-shelf card reader could become a gateway for hackers.
“There is no attack vector unturned by the hackers. The gain monetarily and politically is too great for them to do otherwise,” warned Garret Grajek, CEO of cybersecurity research firm YouAttest.
“SolarWinds taught us how affected and potentially compromised the software supply chain is,” Grajek told ClearanceJobs. “With the prevalence of shareware in most software components, an attack like this is simply unsurprising. Users of technologies like Bluetooth are constantly being warned about this type of attack. The only sensible plan is to assume that a component in the enterprise will be compromised, and that a strategy of zero trust and identity governance is imperative.”