Kelly Jackson Higgins at Dark Reading provides an excellent summary of the Sykipot malware variant's attack on smart cards. The malware opens the smart card and uses it to perform private key signing operations. Signing is the backbone of public key technology: it is what lets a user authenticate to a mutually authenticated SSL session or to a Microsoft Windows logon, for example. The initial target, quelle surprise, appears to be the Department of Defense and its vendor community.
The malware is installed on the user's workstation through a phishing attack whose payload exploits an Adobe Reader vulnerability. If this sounds familiar, it is because the same technique, a targeted e-mail delivering a client-side exploit, was used as part of the 2011 attack on the RSA SecurID system. The malware includes a keylogger that captures the smart card PIN as the user types it, and the PIN is what lets it open a session with the card. The Sykipot attack does not break the user's smart card and does not steal the private key or credentials stored on it. Rather, it sends data down to the card for cryptographic processing, using the card as a signing oracle for as long as the card is in the reader. The practical consequence is that every signature the card produced while the malware was resident is cryptographically valid; the relying party cannot distinguish them from the user's own, and reissuing the card does nothing until the host is cleaned.
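The mechanism described above, as an added simulation that is not part of the original post or of any real card middleware: a toy card whose key has no export path, a PIN captured by a keylogger hook, and a host-side activity monitor of the kind the post later calls "user activity analysis". HMAC-SHA256 with a card-resident secret stands in for RSA/ECDSA signing, the timestamps and challenges are constructed values, and the `SmartCard`, `ActivityMonitor` and `run_scenario` names are this example's own.

```python
import hashlib
import hmac
import secrets


class CardError(Exception):
    pass


class SmartCard:
    # Toy PIV/CAC-style card. HMAC-SHA256 with a card-resident secret stands in for
    # RSA/ECDSA signing; there is no export path, as with a non-exportable key.
    def __init__(self, pin: str):
        self._key = secrets.token_bytes(32)  # never leaves the card
        self._pin = pin
        self._session_open = False
        self.inserted = True
        self.sign_count = 0

    def verify_pin(self, pin: str) -> None:
        if not self.inserted:
            raise CardError("no card in reader")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise CardError("wrong PIN")
        self._session_open = True  # stays open until logout or removal

    def logout(self) -> None:
        self._session_open = False

    def remove(self) -> None:
        self.inserted = False

    def sign(self, data: bytes) -> bytes:
        if not self.inserted:
            raise CardError("no card in reader")
        if not self._session_open:
            raise CardError("PIN not verified")
        self.sign_count += 1
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def verify(self, data: bytes, sig: bytes) -> bool:
        # Stands in for verification against the card's public certificate.
        return hmac.compare_digest(hmac.new(self._key, data, hashlib.sha256).digest(), sig)


class ActivityMonitor:
    # Host-side user activity analysis: a signature with no keyboard or mouse input
    # in the preceding window is flagged. Timestamps are seconds (constructed values).
    def __init__(self, window_s: float = 5.0):
        self.window_s = window_s
        self.last_user_input = float("-inf")
        self.flagged = []

    def user_input(self, t: float) -> None:
        self.last_user_input = t

    def observe_sign(self, t: float, data: bytes) -> None:
        if t - self.last_user_input > self.window_s:
            self.flagged.append(data)


def run_scenario(pin: str = "123456") -> dict:
    card, monitor = SmartCard(pin), ActivityMonitor()

    # 1. Legitimate logon: the user types the PIN (the keylogger hook records the same
    #    keystrokes) and the middleware signs one TLS client-auth challenge.
    monitor.user_input(0.0)
    card.verify_pin(pin)
    challenge = b"server nonce 0001"
    legit_ok = card.verify(challenge, card.sign(challenge))
    monitor.observe_sign(0.5, challenge)

    # 2. Minutes later, user idle: malware feeds its own challenges to the open card,
    #    which cannot tell them from the user's request.
    forged_ok = []
    for i in range(3):
        c = f"attacker nonce {i:04d}".encode()
        forged_ok.append(card.verify(c, card.sign(c)))
        monitor.observe_sign(60.0 + i, c)

    # 3. The session is closed (screen lock); the captured PIN simply re-opens it.
    card.logout()
    card.verify_pin(pin)  # the value the keylogger captured in step 1
    reopened_ok = card.verify(b"x", card.sign(b"x"))
    monitor.observe_sign(120.0, b"x")

    # 4. The user pulls the card: the oracle is gone, and no key material was taken.
    card.remove()
    try:
        card.sign(b"y")
        sign_after_removal = True
    except CardError:
        sign_after_removal = False

    return {
        "legit_ok": legit_ok,
        "forged_ok": all(forged_ok),
        "reopened_with_captured_pin": reopened_ok,
        "sign_after_removal": sign_after_removal,
        "total_signatures": card.sign_count,
        "flagged_by_monitor": len(monitor.flagged),
    }
```

Running `run_scenario()` shows the shape of the problem: all five signatures verify, the card never leaked its key, and the only party that noticed anything was the host-side monitor, which flagged the four signatures produced with no user input behind them. That is the detection layer the card itself cannot provide.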
The Sykipot attack should not be surprising. I discussed this attack vector as far back as 2006 in my research document Consumer Authentication and the FFIEC Guidance and in my technical position on User Authentication (subscription required). I also discuss the attack vector in my 2007 blog post Nothing is Bulletproof. Our clients have seen similar attacks in the wild for at least three years.
There are several important lessons to draw from the Sykipot attack. First, no authentication method is bulletproof. Smart card authentication is widely held to be the gold standard for commercial user authentication. That's a perspective I share, by the way. But even smart card authentication can be subverted, regardless of how tamper-resistant the card itself is: the card faithfully signs whatever a host that holds the PIN sends it, and it cannot tell the user's request from malware's. Additional layers are therefore required, including anti-malware software, user activity analysis (for instance, signing operations with no user interaction behind them), and network forensics. Second, like the RSA SecurID attack, the Sykipot attack is another example of an advanced persistent threat. U.S. military secrets are under attack as at no other time in history; willful and proactive action is required to protect them.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.