Ever wondered just how smart a smartcard is, from the security perspective? Obviously there are problems as detailed in a DaniWeb blog posting last month which described how hackers can exploit hardware RFID weaknesses to access credit card account data for example. But now a former member of the team which helped develop security for the Microsoft smartcard program, Dan Griffin, has apparently decided to go ahead and expose how to attack the smartcard middleware plug-in for Vista systems.
According to the Dark Reading security site, Griffin has developed a 'fuzzing' tool which can hack third party vendor plug in software that uses the Microsoft Vista smartcard mini-driver interface. What's more he will give a proof-of-concept demonstration at the CanSecWest conference next week.
Griffin is quoted as saying that smartcards being used for access purposes come complete with Java code which allows for the writing of malicious code right onto the card itself. Using his SCardFuzz tool he can force a heap buffer overflow attack on the vendor's smartcard plug in which would allow an attacker to crash the Vista machine or simply control it via known exploits.
Griffin says "You insert it into a reader on an unattended machine... And you can take out a system process and at best, make it crash, or at worst, take over that process and control it."