Millions of U.S. government employees and contractors have been issued a secure smart ID card that allows physical access to controlled buildings and spaces, and provides access to government computer systems and networks at the security level appropriate for the cardholder. But many government employees aren’t provided with an approved card reader device that allows them to use these cards at home or remotely, so they turn to low-cost readers they find online. What can go wrong? Here is an example.
KrebsOnSecurity recently heard from a reader, we’ll call him “Mark” because he wasn’t authorized to speak to the press, who works in IT for a major government defense contractor and received a personal identity verification (PIV) government smart card designed for civilian employees. Since he didn’t have a smart card reader at home and lacked obvious guidance from his co-workers on how to get one, Mark opted to buy a $15 reader from Amazon that said it was made to handle U.S. government smart cards.
The USB-based device Mark chose is the first result that currently appears when searching Amazon.com for “PIV card reader.” The card reader that Mark bought was sold by a company called Saicoo, whose Amazon sponsored listing advertises a “DOD Military USB Common Access Card (CAC) Reader” and has over 11,700 mostly positive ratings.
The common access card (CAC) is the standard ID for active duty uniformed service personnel, selected reserve, Department of Defense civilian employees, and eligible contract personnel. It is the primary card used to allow physical access to controlled buildings and spaces, and provides access to Department of Defense computer systems and networks.
Mark said that when he received the reader and connected it to his Windows 10 PC, the operating system complained that the hardware drivers for the device were not working properly. Windows suggested checking the vendor’s website for newer drivers.
So Mark went to the website mentioned in the Saicoo package and found a ZIP file containing drivers for Linux, Mac OS and Windows.
As a precaution, Mark submitted the Saicoo driver file to virustotal.com, which simultaneously scans any shared file with more than five dozen antivirus and security products. Virustotal reported that some 43 different security tools detected the Saicoo drivers as malicious. The consensus seems to be that the ZIP file currently harbors a malware threat known as Ramnit, a fairly common but dangerous Trojan horse that spreads by attaching itself to other files.
Ramnit is a known and older threat, first appearing over a decade ago, but has evolved over the years and is still used in more sophisticated data exfiltration attacks. Amazon said in a written statement that it was investigating the reports.
“It seems like a potentially significant national security risk, considering that many end users may have elevated levels of authorization using PIV cards for secure access,” said Mark.
Mark said he contacted Saicoo about its website serving up malware, and received a response saying the company’s newer hardware didn’t require additional drivers. He said Saicoo did not address his concern that the driver package on its website was bundled with malware.
In response to KrebsOnSecurity’s request for comment, Saicoo sent a somewhat less reassuring response.
“From the details you provided, it is likely that your computer’s security defense system is causing the problem, as it appears that it did not recognize our rarely used driver and detected it as malicious or a virus,” Saicoo’s support team wrote in an email.
“Actually, it doesn’t have any virus, you can trust us, if you have our reader at hand, just ignore it and continue with the installation steps,” the message continued. “When the driver is installed, this message will disappear from view. Don’t worry.”
The problem with apparently infected Saicoo drivers may be little more than a case of a tech company having their site hacked and not responding well. Dormann, a vulnerability analyst at CERT/CC, wrote on Twitter that the executable (.exe) files in the Saicoo drivers ZIP file were not altered by the Ramnit malware, only the included HTML files.
Dormann said it’s bad enough that searching for device drivers online is one of the riskiest activities one can do online.
“Doing a web search for drivers is a VERY dangerous search (in terms of legitimate/malicious hit rate), based on the results of every time I’ve tried to do it,” Dormann added. “Combine that with the apparent vendor due diligence described here, and well, it’s not a pretty picture.”
But by all accounts, the potential attack surface here is huge, as many federal employees will clearly purchase these readers from a myriad of online vendors when the need arises. Saicoo’s product listings, for example, are full of comments from customers who claim they work for a federal agency (and several who reported problems installing drivers).
A thread about Mark’s experience on Twitter generated a strong response from some of my followers, many of whom apparently work for the U.S. government in some capacity and have government-issued CAC or PIV cards.
Two things clearly emerged from that conversation. The first was the general confusion about whether the U.S. government has any kind of list of approved vendors. It does. The General Services Administration (GSA), the agency that handles procurement for federal civilian agencies, maintains a list of approved card reader vendors at idmanagement.gov (Saicoo is not on that list). [Thanks to @MetaBiometrics and @shugenja for the link!]
The other topic that ran through the discussion on Twitter was the reality that many people find buying off-the-shelf readers more convenient than going through the official GSA acquisition process, either because they were never issued one or because the reader they were using just didn’t work anymore or was lost and they needed another one quickly.
“Almost every officer and NCO [non-commissioned officer] I know in the Reserve Component has a CAC reader that they bought because they had to access their Department of Defense email at home and they were never given a laptop or a CAC reader,” said David Dixon, an Army veteran and author living in Northern Virginia. “When your boss tells you to check your mail at home and you’re in the National Guard and live 2 hours from the nearest [non-classified military network installation], what do you think is going to happen?”
Interestingly, anyone who asks on Twitter about navigating buying the right smart card reader and getting everything to work properly is invariably directed to militarycac.com. The website is maintained by Michael Danberry, a decorated retired Army veteran who launched the site in 2008 (its text- and link-heavy design takes one back to that age of the Internet and web pages in general). His site has even been officially recommended by the Army (PDF). Mark shared emails that show that Saicoo itself recommends militarycac.com.
“The Army Reserve began using CAC login in May 2006,” Danberry wrote on his “About” page. “I [once again] became the ‘Go To Guy’ for my Army Reserve Center and Minnesota. I thought why stop there? I could use my website and my CAC knowledge and share it with you.”
Danberry did not respond to interview requests, no doubt because he is busy providing technical support to the federal government. Danberry’s friendly voicemail message instructs support callers to leave detailed information about a CAC/PIV card reader issue.
Dixon said that Danberry has “done more to keep the Army running and connected than all the G6s [Army Chief Information Officers] put together.”
In many ways, Mr. Danberry is the equivalent of that little-known software developer whose small open source code project ends up being widely adopted and eventually integrated into the fabric of the Internet. I wonder if he ever imagined 15 years ago that his website would one day become “critical infrastructure” for Uncle Sam.