Millions of federal personnel and contractors in the United States have been given a secure smart ID card that allows them physical entry to buildings and protected places, as well as access to federal computer networks and systems based on their security level. However, several government employees are not provided with an authorized card reader device that allows them to use these cards at home or remotely and must rely on low-cost readers purchased online. What could possibly go wrong?
Let’s look at the experience of Mark (name changed), a reader who works in IT for a big government military contractor and was given a Personal Identity Verification (PIV) government smart card designated for civilian personnel. Because he didn’t have a smart card reader at home and had no apparent advice from his coworkers on obtaining one, Mark decided to buy a $15 reader from Amazon that claimed to be designed to operate with US government smart cards.
The card reader Mark purchased was sold by Saicoo, a firm whose sponsored Amazon listing advertises a “DOD Military USB Common Access Card (CAC) Reader” and has over 11,700 generally positive ratings. The Common Access Card (CAC) is used by active-duty uniformed service personnel, Selected Reserve, DoD civilian workers, and eligible contractor personnel. It’s the primary card for gaining physical entry to buildings and restricted areas, as well as access to DoD computer networks and systems.
When Mark got the reader and plugged it into his Windows 10 computer, the operating system reported that its hardware drivers weren’t working properly. Windows advised looking for the latest drivers on the vendor’s website. So, Mark went to the URL listed on Saicoo’s packaging and downloaded a ZIP file containing Linux, Mac OS, and Windows drivers.
Mark submitted Saicoo’s drivers file to Virustotal.com, which scans any shared file with over five dozen antivirus and security solutions at the same time. According to Virustotal, the Saicoo drivers were flagged as malicious by 43 different security products. The consensus is that the ZIP file contains Ramnit, a common yet hazardous trojan horse that spreads by attaching itself to other files.
Ramnit is an older and well-known threat that appeared more than a decade ago, but it has developed over time. It is still used in increasingly complex data exfiltration operations. Amazon said it was looking into the claims in a written statement.
“Seems like a potentially significant national security risk, considering that many end users might have elevated clearance levels who are using PIV cards for secure access,” said Mark. He also approached Saicoo about their website serving malware and was told that the company’s most recent hardware didn’t require any further drivers. He claimed Saicoo ignored his concerns that the driver package on their website included malware.
In response to a media outlet’s request for comment, Saicoo provided a less reassuring reply. “From the details you offered, the issue may probably be caused by your computer security defense system as it seems not recognized our rarely used driver & detected it as malicious or a virus,” Saicoo’s support team wrote. “Actually, it’s not carrying any virus as you can trust us, if you have our reader on hand, please just ignore it and continue the installation steps,” the message continued. “When driver installed, this message will vanish out of sight. Don’t worry.”
The issue with Saicoo’s allegedly infected drivers might be an example of a technology company having its website hacked and responding slowly. According to a tweet by Will Dormann, a vulnerability analyst at CERT/CC, the executable files (.exe) in the Saicoo drivers ZIP file were not changed by the Ramnit malware; only the bundled HTML files were affected. He said it’s bad enough that looking for drivers online is one of the riskiest things a person can do over the internet.
However, many government employees will acquire these readers from various internet merchants as the need arises, creating a massive potential attack surface. Saicoo’s product listings are replete with comments from customers who self-identify as working for a federal agency (and many who voiced problems installing drivers).
A Twitter thread regarding Mark’s experience drew a considerable response from some of my followers, many of whom appear to work for the US government in some manner and have CAC or PIV cards provided by the government. This conversation revealed two things. The first was a widespread misunderstanding about whether the US government maintains an authorized vendor list. The General Services Administration (GSA), which manages procurement for federal civilian agencies, has a list of approved card reader providers at idmanagement.gov (Saicoo is not on that list).
Another theme in the Twitter conversation was that many consumers prefer buying off-the-shelf readers to going through the GSA’s formal procurement procedure, whether because they were never given one or because the one they had stopped working or was lost and they required a replacement as soon as possible.
“Almost every officer and NCO [non-commissioned officer] I know in the Reserve Component has a CAC reader they bought because they had to get to their DOD email at home and they’ve never been issued a laptop or a CAC reader,” said David Dixon, an Army veteran and author living in Northern Virginia. “When your boss tells you to check your email at home and you’re in the National Guard and you live 2 hours from the nearest [non-classified military network installation], what do you think is going to happen?”
Interestingly, anybody asking on Twitter about how to get a suitable smart card reader and get everything to function properly is invariably directed to militarycac.com. The site is maintained by Michael Danberry, a respected and retired Army soldier who founded it in 2008 (its text-heavy and link-heavy design stems back to the first days of the Internet and websites in general). The Army has even officially approved his site. According to Mark’s emails, militarycac.com is recommended by Saicoo.
Danberry did not reply to requests for an interview, presumably because he is too busy helping the federal government with technology. Danberry’s voicemail urges customers who require assistance to offer comprehensive details about their problem with CAC/PIV card readers. Dixon remarked that Danberry has done “more to keep the Army running and connected than all the G6s [Army Chief Information Officers] put together.”