Malware on Card Readers Exposes Dangers with BYOD (Bring Your Own Device) Policies


Government Personal Identity Verification (PIV) is intended to provide multi-factor authentication to federal computing resources and facilities. These cards, which are based on Federal Information Processing Standard 201 (FIPS 201), have proven effective in preventing unauthorized persons from gaining access to a building or controlled space, as well as a government computer network.

Millions of US government employees and contractors receive these cards, which can also grant access to a device such as a computer. As individuals were forced to work remotely, some opted to purchase low-cost readers online that could connect to a laptop or other device.

This caused problems.

Card Reader Driver and Malware

According to a report published last month by cybersecurity researcher Brian Krebs of KrebsOnSecurity, some drivers for these card readers could install malware on an otherwise secure device. Krebs reported that a government employee identified only as “Mark” had received the government PIV smart card designed for civilian employees, and since a reader was needed to access his work computer remotely, the employee purchased a $15 product from retail giant Amazon.com.

It was reportedly sold by a company called Saicoo and advertised as a “DOD Military USB Common Access Card (CAD) Reader”. With over 11,700 mostly positive reviews, Mark thought it was a safe bet.

This was not the case.

Although described as a universal plug-and-play device that only required a USB port, Mark found that the card reader didn’t work, and Windows 10 suggested downloading newer drivers from the vendor’s website. You don’t have to be a cyber sleuth to see where this leads.

It is never advisable to download and install drivers on a working computer without the help of the IT department, as this remains one of the main ways in which computers become infected with malware.

Fortunately, Mark uploaded the Saicoo drivers to Virustotal.com, a website that scans a submitted file simultaneously with over five dozen anti-virus and security products. According to some 43 of the security tools employed by Virustotal.com, the drivers contained malware. Among the most nefarious threats was “Ramnit,” a Trojan horse that can spread through a network by adding itself to other files, Krebs noted.

“It really highlights the issues with BYOD (bring your own device),” said John Gunn, CEO and chief evangelist of cybersecurity research firm Token.

“Organizations need to essentially lock down and own all of their endpoints and all aspects of user access,” Gunn told ClearanceJobs. “When people use their own devices, a myriad of vulnerabilities are introduced and the number of vulnerabilities increases rapidly.”

Safe products, bad drivers

For its part, Saicoo claimed that its drivers were malware-free, and as Krebs wrote, it’s likely that the ZIP files themselves weren’t modified, but the HTML files bundled to complete the download were infected. This shows that even a company with a reliable product can create an unnecessary security hole.
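The two paragraphs above describe the mechanism in this case: a driver ZIP whose core files were apparently clean but which carried infected HTML files, caught only because the download was checked against VirusTotal before installation. The script below is an added example of the triage an IT department could run on such an archive before anyone installs it; it is not code from the ClearanceJobs article, from Krebs, or from Saicoo. It builds a constructed ZIP in memory that mimics that pattern (driver files plus an HTML stowaway), lists every member with its SHA-256, and flags members whose file type does not belong in a driver package or whose path would escape the extraction directory. The expected-type lists and all file names and contents are assumptions made for this example.

```python
"""Triage a downloaded driver archive before anyone installs it.

Added example; not from the article or from the vendor it describes.
The sample archive, its file names and contents are constructed here.
"""
import hashlib
import io
import posixpath
import zipfile

# File types one expects in a Windows driver package (assumption for this example).
EXPECTED_SUFFIXES = {".inf", ".sys", ".cat", ".dll", ".txt", ".pdf"}
# Types that execute or render active content and have no business in a driver ZIP.
ACTIVE_SUFFIXES = {".html", ".htm", ".js", ".vbs", ".hta", ".bat", ".cmd",
                   ".ps1", ".exe", ".scr", ".lnk", ".msi"}


def build_sample_archive() -> bytes:
    """Constructed sample: a plausible driver package with an HTML stowaway."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reader/usbccid.inf", "[Version]\nSignature=\"$Windows NT$\"\n")
        zf.writestr("reader/usbccid.sys", b"MZ" + b"\x00" * 64)      # PE-looking stub, constructed
        zf.writestr("reader/usbccid.cat", b"\x30\x82" + b"\x00" * 16)  # DER-looking stub, constructed
        zf.writestr("reader/readme.txt", "Install: right-click the .inf and choose Install.\n")
        # The kind of extra file the article describes as the infected part of the download.
        zf.writestr("reader/finish_download.html",
                    "<html><script>/* constructed sample, inert */</script></html>\n")
    return buf.getvalue()


def _suffix(name: str) -> str:
    """Last extension of the member, lower-cased; catches 'usbccid.sys.html' as .html."""
    base = posixpath.basename(name.replace("\\", "/"))
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def classify(name: str) -> str:
    """Verdict for one archive member name."""
    parts = name.replace("\\", "/").split("/")
    if name.startswith(("/", "\\")) or ".." in parts:
        return "path_traversal"      # would write outside the extraction directory
    suffix = _suffix(name)
    if suffix in ACTIVE_SUFFIXES:
        return "active_content"      # HTML, scripts, executables: escalate, do not install
    if suffix in EXPECTED_SUFFIXES:
        return "expected"
    return "unknown"                 # not necessarily bad, but worth a look


def triage_archive(data: bytes) -> list[dict]:
    """One record per file member: name, size, SHA-256 and verdict."""
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            records.append({
                "name": info.filename,
                "size": len(content),
                "sha256": hashlib.sha256(content).hexdigest(),
                "verdict": classify(info.filename),
            })
    return records


def flagged_members(data: bytes) -> list[str]:
    """Names of members that should stop the install until IT has looked at them."""
    return [r["name"] for r in triage_archive(data) if r["verdict"] != "expected"]


def archive_sha256(data: bytes) -> str:
    """Hash of the whole download; a hash can be looked up on VirusTotal without uploading the file."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("archive sha256:", archive_sha256(sample))
    for r in triage_archive(sample):
        print(f"{r['verdict']:15} {r['sha256'][:16]}...  {r['name']}")
    bad = flagged_members(sample)
    print("hand to IT before installing:" if bad else "no obvious stowaways:", bad)
```

Per-member hashes let an analyst look up each file on VirusTotal by hash alone, which avoids uploading vendor material; a clean verdict on the ZIP as a whole says nothing about an HTML or script member tucked inside it, which is why the script looks at members individually.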

Cybersecurity researchers have long warned that downloading drivers, even from seemingly reputable vendors, can be a dangerous business. It’s also a reminder that human error is often the weakest link in the cybersecurity chain. In this case, many people could buy such a readily available card reader, secure in itself, without giving a thought to the drivers they then download for it.

Instead of keeping laptop data safe, a standard card reader could become a gateway for hackers.

“There is no attack vector unhijacked by hackers. The monetary and political gain is too great for them to do otherwise,” warned Garret Grajek, CEO of cybersecurity research firm YouAttest.

“SolarWinds taught us how the software supply chain is affected and potentially compromised,” Grajek told ClearanceJobs. “With the prevalence of shareware in most software components, an attack like this is simply not surprising. Users of technologies like Bluetooth are constantly warned about this type of attack. The only sensible plan is to assume that a component of the business will be compromised and that a zero trust and identity governance strategy is imperative.”
