Ever wondered just how smart a smartcard is, from the security perspective? Obviously there are problems as detailed in a DaniWeb blog posting last month which described how hackers can exploit hardware RFID weaknesses to access credit card account data for example. But now a former member of the team which helped develop security for the Microsoft smartcard program, Dan Griffin, has apparently decided to go ahead and expose how to attack the smartcard middleware plug-in for Vista systems.

According to the Dark Reading security site, Griffin has developed a 'fuzzing' tool which can hack third party vendor plug in software that uses the Microsoft Vista smartcard mini-driver interface. What's more he will give a proof-of-concept demonstration at the CanSecWest conference next week.

Griffin is quoted as saying that smartcards being used for access purposes come complete with Java code which allows for the writing of malicious code right onto the card itself. Using his SCardFuzz tool he can force a heap buffer overflow attack on the vendor's smartcard plug in which would allow an attacker to crash the Vista machine or simply control it via known exploits.

Griffin says "You insert it into a reader on an unattended machine... And you can take out a system process and at best, make it crash, or at worst, take over that process and control it."

About the Author

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.