
Among the millions of employees who work for the US government, the smart ID card readers that some use at home may be leaving a major security hole. According to a report from KrebsOnSecurity, personal home readers are not providing the same level of security as readers in the workplace.

US Government employees have a secure Personal Identity Verification (PIV) smart ID card that provides access to buildings, services, controlled spaces, and computer networks/systems. Each card has a security level attached for the specific employee.

In the workplace, readers for these cards come from officially greenlit vendors chosen by the government. These vendors have been vetted to pass strict security demands. However, employees are also able to use their cards at home for remote access.


It seems the US government is not issuing readers for this use, leaving employees to find their own secure smart ID card readers. Many of them are turning to cheap online products that just do not provide the same level of protection.

The report points to one unnamed source who works in IT for a government defence contractor and uses a smart ID card. He purchased a card reader for home use, turning to Amazon for a $15 reader that claimed it was made for US government smart cards. And it was, inasmuch as it would read them. However, it had not passed the certifications needed for government use.

Malware Threat

Specifically, it was the Saicoo PIV card reader, which is an Amazon sponsored product. Windows 10 instantly disliked the device when it was connected via USB, saying the drivers were not working properly. The employee put the drivers into Virustotal.com, a service that scans shared files across nearly 100 antivirus and security products.

It found that 42 security tools were flagging Saicoo drivers as malicious. Most put this down to a malware threat known as Ramnit, which is a well-known trojan. In other words, it seems the reader could be carrying a malware threat. Not ideal for a product that will actively read DoD ID cards and provide access.

It is unclear why the US government does not issue employees and contractors with a reader from its approved list. Until that happens, employees will look for cheap online readers, which could pose a massive security risk.
