A member of the Gartner Blog Network

Mark Diodati
Research VP
6 years at Gartner
21 years IT industry

Mark Diodati is a Research Vice President with Gartner's IT Professionals research and advisory service. His focus topics include mobility, authentication, cloud identity, federation, directory services, provisioning, identity services, Active Directory interoperability, Web access management…

Déjà Vu – The Sykipot Attack on Smart Cards

by Mark Diodati  |  January 15, 2012  |  2 Comments

Kelly Jackson Higgins at Dark Reading provides an excellent summary of the Sykipot malware variant attack on smart cards. The malware opens the smart card and uses it for private key signing functions. Signing functions are the backbone of public key technology—they enable users to authenticate to mutually authenticated SSL and Microsoft Windows sessions, for example. The initial target—quelle surprise—appears to be the Department of Defense and its vendor community.

The malware leverages a phishing attack and an Adobe Reader vulnerability for installation on the user’s workstation. If this sounds familiar to you, it is because this technique was used as part of the attack on the RSA SecurID system in 2011. The malware includes a keylogger to capture the smart card PIN, which enables it to open the card. The Sykipot attack does not compromise the user’s smart card and it does not steal the credentials stored on the smart card. Rather, it sends data down to the card for cryptographic processing for as long as the smart card is in the reader.

The Sykipot attack should not be surprising. I discussed this attack vector as far back as 2006 with my research document Consumer Authentication and the FFIEC Guidance and my technical position on User Authentication (subscription required). I also discuss the attack vector in my 2007 blog Nothing is Bulletproof. Our clients have seen similar attacks in the wild for at least three years.

There are several important lessons that we can derive from the Sykipot attack. First, no authentication method is bulletproof. Smart card authentication is widely held as the gold standard for commercial user authentication. That’s a perspective I share, by the way. But even smart cards can be compromised, regardless of their resistance to hardware tampering. The layering of additional techniques—including anti-malware software, user activity analysis, and network forensics—is required. Second, like the RSA SecurID attack, the Sykipot attack is another example of an advanced persistent threat. U.S. military secrets are under attack like no other time in history; willful and proactive actions are required to protect them.
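The "user activity analysis" layer mentioned above can be made concrete. The malware described in this post uses the card for as long as it stays in the reader, so the signing volume within a card-present session is a signal a defender can measure. The following is an added example, not code from the original post or from Gartner: it parses a constructed smart card usage log (the event format, the reader/caller attributes and the sample events are all assumptions made for this illustration), groups events into card-present sessions and flags sessions whose signing rate or calling process departs from an expected baseline.

```python
from collections import deque
from datetime import datetime

# Constructed sample log (not from the original post). One event per line:
# "<ISO timestamp> <event> key=value ...". Events: card_inserted, pin_verified,
# sign, card_removed. The "caller" attribute is an assumed field naming the
# process that requested the signature; the afternoon session models a burst
# of signing requests from a process the user never interacted with.
SAMPLE_LOG = """\
2012-01-15T09:00:01 card_inserted reader=R1
2012-01-15T09:00:05 pin_verified reader=R1
2012-01-15T09:00:06 sign reader=R1 caller=winlogon.exe
2012-01-15T09:02:30 sign reader=R1 caller=outlook.exe
2012-01-15T09:40:00 card_removed reader=R1
2012-01-15T13:10:00 card_inserted reader=R1
2012-01-15T13:10:03 pin_verified reader=R1
2012-01-15T13:10:04 sign reader=R1 caller=winlogon.exe
2012-01-15T13:10:20 sign reader=R1 caller=updater.exe
2012-01-15T13:10:25 sign reader=R1 caller=updater.exe
2012-01-15T13:10:31 sign reader=R1 caller=updater.exe
2012-01-15T13:10:38 sign reader=R1 caller=updater.exe
2012-01-15T13:10:44 sign reader=R1 caller=updater.exe
2012-01-15T13:10:52 sign reader=R1 caller=updater.exe
2012-01-15T13:45:00 card_removed reader=R1
"""


def parse_events(text):
    """Turn the log text into (timestamp, event_name, attributes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.fromisoformat(parts[0])
        attrs = dict(p.split("=", 1) for p in parts[2:])
        events.append((ts, parts[1], attrs))
    return events


def sessions(events):
    """Group events into card-present sessions (card_inserted ... card_removed)."""
    current = None
    for ts, name, attrs in events:
        if name == "card_inserted":
            current = {"start": ts, "end": None, "signs": [], "pin_verified": False}
        elif current is None:
            continue  # event outside any session; ignore
        elif name == "pin_verified":
            current["pin_verified"] = True
        elif name == "sign":
            current["signs"].append((ts, attrs.get("caller", "?")))
        elif name == "card_removed":
            current["end"] = ts
            yield current
            current = None
    if current is not None:  # card still inserted when the log ends
        yield current


def max_signs_in_window(times, window_seconds=60):
    """Largest number of signing operations falling inside any sliding window."""
    best = 0
    window = deque()
    for t in times:
        window.append(t)
        while (t - window[0]).total_seconds() > window_seconds:
            window.popleft()
        best = max(best, len(window))
    return best


def analyse(text, max_per_minute=3, expected_callers=("winlogon.exe", "outlook.exe")):
    """Return one alert per session whose signing activity looks unlike a person."""
    alerts = []
    for s in sessions(parse_events(text)):
        times = [t for t, _ in s["signs"]]
        callers = {c for _, c in s["signs"]}
        reasons = []
        burst = max_signs_in_window(times)
        if burst > max_per_minute:
            reasons.append(f"{burst} signing ops within 60s")
        unexpected = callers - set(expected_callers)
        if unexpected:
            reasons.append("unexpected caller(s): " + ", ".join(sorted(unexpected)))
        if reasons:
            alerts.append({"session_start": s["start"].isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The thresholds and the list of expected callers are placeholders; in practice the baseline would come from each user's own history, and the signal is strongest when combined with the other layers the post names (anti-malware and network forensics), since a burst of signatures alone only tells you that something on the workstation is driving the card.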

2 responses so far

  • 1 Robin Wilton   January 16, 2012 at 12:18 pm

    Good post, Mark… and a salutary reminder that, when it comes down to it, the keystore on most smart cards is only protected by a (usually) 4-digit PIN.

  • 2 Richie B   January 18, 2012 at 8:22 am

    An interesting development that can defeat this attack is smart card readers with an LCD display. The firmware on the card readers will show exactly what you are signing before entering your PIN. One example is: https://www.abnamro.nl/nl/prive/slimbankieren/edentifier2/introductie.html

    Strong, trustworthy authentication from compromised endpoints continues to be quite a challenge though.
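The two points raised in the comments, a keystore guarded only by a PIN and a reader that shows what is being signed before the PIN is entered, can be contrasted in a small model. This is an added example, not code from the original post, from the commenters, or from any reader vendor: the card, the HMAC-based "signature" standing in for a private key operation, the PIN and the request texts are all constructed placeholders. It models a pass-through reader, where host software supplies both PIN and data, against a reader with its own display and keypad, where the PIN is typed on the reader for one displayed message and the card is re-locked after each signature.

```python
import hashlib
import hmac

# Constructed toy: HMAC-SHA256 over the digest stands in for the card's private
# key signature. Key and PIN are placeholders for illustration only.
CARD_KEY = b"constructed-demo-key"
CARD_PIN = "1234"


class PinGatedCard:
    """Card whose private key is protected only by the PIN: after one successful
    PIN verification it signs any digest it is given until it is reset."""

    def __init__(self):
        self.unlocked = False

    def verify_pin(self, pin):
        self.unlocked = hmac.compare_digest(pin.encode(), CARD_PIN.encode())
        return self.unlocked

    def reset(self):
        self.unlocked = False

    def sign(self, digest):
        if not self.unlocked:
            raise PermissionError("PIN not verified")
        return hmac.new(CARD_KEY, digest, hashlib.sha256).hexdigest()


class PlainReader:
    """Pass-through reader: PIN and data to sign both arrive from host software,
    so anything on the host that knows the PIN can obtain signatures."""

    def __init__(self, card):
        self.card = card

    def sign_from_host(self, pin, message):
        if not self.card.verify_pin(pin):
            raise PermissionError("wrong PIN")
        return self.card.sign(hashlib.sha256(message).digest())


class DisplayReader:
    """Reader with its own display and keypad: the text is shown on the reader,
    the PIN is typed on the reader for that specific text, and the card is
    re-locked after one signature. The host never handles the PIN."""

    def __init__(self, card, keypad):
        self.card = card
        self.keypad = keypad  # callable(display_text) -> PIN typed by the user, or None

    def sign_from_host(self, message):
        pin = self.keypad(message.decode("utf-8", "replace"))
        try:
            if pin is None or not self.card.verify_pin(pin):
                raise PermissionError("user did not confirm this message on the reader")
            return self.card.sign(hashlib.sha256(message).digest())
        finally:
            self.card.reset()  # one PIN entry authorises exactly one signature


def user_who_approves(expected_texts):
    """Models a user who types the PIN only when the reader shows text they expect."""
    return lambda shown: CARD_PIN if shown in expected_texts else None


def demo():
    legit = b"authenticate: mail.example.test"     # constructed request the user made
    unwanted = b"authenticate: vpn.example.test"   # constructed request the user did not make
    results = {}

    # Plain reader: once host software holds the PIN, both requests are signed.
    plain = PlainReader(PinGatedCard())
    results["plain_legit"] = plain.sign_from_host(CARD_PIN, legit) is not None
    results["plain_unwanted"] = plain.sign_from_host(CARD_PIN, unwanted) is not None

    # Display reader: the unwanted request is shown to the user, who does not
    # enter the PIN for it, so the card never signs it.
    disp = DisplayReader(PinGatedCard(), user_who_approves({legit.decode()}))
    results["display_legit"] = disp.sign_from_host(legit) is not None
    try:
        disp.sign_from_host(unwanted)
        results["display_unwanted"] = True
    except PermissionError:
        results["display_unwanted"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The property that matters is where the PIN is entered and what it authorises: on the display reader the PIN never crosses the host, so a keylogger on the workstation does not see it, and each entry covers a single message the user has read. The model does not address the residual problem the second commenter notes, that what the reader can display is only as meaningful as the text the host chooses to send it.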