the more I I learn about electronics the more I understand why most IT experience people tend to use as least amount of technology in their personal lives
Important things like this should be provided directly and ideally manufactured in the country using them. It’s silly to think our government and their contractors do stuff like this to save time and money when they could just hire a few more people to audit things as well as work with a local manufacturer
They actually do verify the equipment they use on a grander scale. A lot of office equipment like these are, as others have mentioned, built in & provided where you work. At home on your own system(s) can be a different story.
Quite common in Brazil. They swap the reader thing, usually from a gas station, with a hacked one. Then wait for the harvest. Got mine stolen once. 3 purchases at 1am. I was awake at the time, my bank sms me all purchases made over R$50, so I knew immediatelly, called my bank, cancelled the transactions and cancelled the card in like 20 minutes.
speaking of malware, youtube has been serving ads of "free games" websites, witch serves malicious fake installers, double packed MSI installer with a small c++ program (and some accompanying 7z archive with a password i couldn't find any ware) that fucks with your DNS config and bricks your internet connection, reminiscent of most of the malware you'd find on TPB back in the day
A company I worked for just gave everyone a laptop with a smartcard reader built in. Much finer control for them. We also used RSA keys and a password. I don't think you can get more security for online identification than RSA keys
I cannot believe an IT person who works for a big IT company did not know about file signatures. When I download things like drivers from any vendor, I check the digital signature of the EXE and DLL's before executing the installer. In fact, I check this before buying a piece of hardware that requires driver installation. I visit their websites and download the driver file before buying the hardware, and check if the EXE is signed. If it is not, then I buy from a different company. I also did not expect so-called "smartcards" are just a mere password card, that if someone else read it, it gets compromised. I thought it would send some sort of calculated result so that only the device that has a previously agreed data can verify its authentisitity, like a bank OTP device. If it is just sending the same data whoever the reader is, why is it called "smart" card? It's a dumb card.
Actually government laptops are specced out to have CAC readers in the laptop, so not external reader is required. We also have cac readers within our keyboards, so a government employee should never have to buy a reader.
Thats the CAC (common access card), something that pretty much every US military personal will use, along with everyone who works for the DOD. One thing I find weird here is the "drivers" you need are actually DoD certificates, otherwise CAC enabled sites won't load. (Though I'm pretty sure this is just so your local FBI or NSA agent can watch your activity easier) The one positive thing is the DOD has been issuing out laptops that now use VPNs, and already contain a CAC reader built with the certificates you need, and are continuing to improve their OPSEC mostly due to the fact that having people work from home during COVID instead of a secure office has forced them too.
The drivers he’s talking about is of the cac reader itself so it knows how to function. Cac readers do nothing but read the card and send it’s data to your computer. Dod certs are pretty much just for dod website identification, which you can use without downloading the certs, but you would have to accept that the website is using the cert every time because it’s not standard. Downloading it makes it standard to your computer. As far as I know you can’t directly load malware on a cert, but unchecked drivers can cause havoc.
You can access DoD websites just fine without importing the root certs, but your browser will throw a certificate error for every page. This is because the DoD is it's own root certificate authority.
You need dod root certificates to access CAC enabled sites, but the drivers for the CAC itself are different. Both of them are a pain in the ass to obtain if you don't have can access set up on a computer already
This reminds me of the Despicable Me meme: "First, identify smart card reader used by military. Second, get access to vendor's website where drivers are hosted. Third, infect it with well-known malware that's being detected by most antivirus software."
Yeah talk about getting a shot at fuckin Smaug's scale gap, and announcing it to him. Thats what he just did. Its patched now. What a waste of a good vulnerability. The dude should have waited, got some dudes together, some funding to make it a very professional stealth rat, or even an evolving botnet. But with stealth. Something that is well worth it considering its a military grade backdoor. But instead they give it a script off the streets and just completely waste it. ...just classless.
@@The_Bird_Bird_Harder Taking note that a door is left unlocked, but not going through it, is not breaking and entering. It is merely being observant. Doing nothing with this piece of information you just gained, because you might need that information later, is similarly not "Conspiracy to commit." You just know about an unlocked door, and you've got no intention to tell anyone. You can't call it negligence either, it isn't the observer's reasonable responsibility.
I've been in the military for nearly four years now. I'm happy to see that I've never seen any of these kinds of cac readers for sale, especially at the physical stores and gas stations.
Saicoo Card readers, proceed to place a Yuan symbol on the online payments sign and encourage employees from the DoD to use it. It is obviously a Chinese spy tool, lol.
I work for a publicly run employer in the uk that's one of the largest employers in the country (work it out). Our smart cards for accessing the country wide databases uses an active x control in IE . The config file for this still states " do not change any settings as all settings are the same for windows 95 and NT " , smart cards are not secure !
I thought Native bridge + Edge took over from this now. Wouldn't be surprised if it was still common elsewhere in the industry as IE is still used for some legacy applications
@@whynotandy it does , native bridge however is also getting replaced with credential manager , but you have to do a lot of fucking about with IE and group policy for that , go with native bridge and the latest hscic. Native bridge is still supported as of May 22
@Winnie the Flu The balance gets stored in the card instead of an ID linked with a DB, so you buy a card reader/writer and change it. I was gonna do the same for games place(Magic planet in middle east) but noticed u can charge it from their website so it wont work
I used to work for a DOD contractor. We where super strict on card readers and lucky we never had this issue. All of our external readers where provided by a trusted vendor.
I always thought there's a private key in each of them, and therefore you cannot duplicate a smartcard by listening to the traffic. It's just common sense! RSA has been around since the 70s. Guess I was wrong
Different EMV modes - DDA is the only one that works like a true smartcard. SDA and CDA are just complicated badges. I'm unclear why DDA isn't mandatory for chip txns…
I work for a security company where we make security cards. A lot of high security places are moving to cards with an encrypted chip where it stores certifications, your fingerprints, and your photo. Similar to CAC cards. It's fully encrypted and the card is tied to the facility and the readers. The card you showed is a PIV-I card. It's very secure. The government is slowly moving to this. You need a scanner, that isn't just a reader, but one where you insert the card and it reads the chip. It's all tied to the individual. As far as readers go, use an HID reader. Our company has tore apart the drivers and such, and they are secure. For common smart cards and card readers, yeah. It's easy to hack. People are always the issue in security. But there is smarter - smart cards.
In Brazil is very common in sales fairs and at gas stations , they modify they payment machines and insert some msr90 board or something like these on the video , criminals call this type of modified machine as "chupa-cabra" . And they also use jammers for block gps signals from the cars and than steal , they typically call this type of jammer as "capetinha"
I don't know about the authenticity of the web site you presented that had that card reader listed as recommended. In addition, any contractor that allowed average users local admin rights to install random drivers for crap wouldn't have their ATO for long and thus wouldn't be contractors for long I can tell you that much. Furthermore, when I contracted Federal IT I know we couldn't just hand out random garbage even for peripherals. There's actually standards in place that prevent even the purchasing of computer equipment from mainland China. Even the cards themselves are single sourced from one company to meet the HSPD-12 requirements.
Please make a video on how the internet of things will ultimately destroy the human right to privacy and make us subservient to the surveillance state. I do know you briefly touched on it in your Guide to Escaping the Botnet video, but an in depth video would be really awesome and do us a great public service.
@@speedfastman His username is "Spyro 115", he is likely tuned in to the higher consciousness. Nothing wrong with having a conspiratorial worldview in an exponentially conspiring world.
@@1d10tcannotmakeusername That's because 114 Spyro-mongers beat him to it. He is delirious anyways.. "Will ultimately destroy???" he must think he is in 1994 with all that "future tense." wake up and smell the google my little purple dragon. That being said, i have to go now... time for my red pill.
@@maxheadspace6670 1. Spyro is a time-traveling hyperdimensional intelligence 2. Only if you're a city slicker, if you go out innawoods and make sure there's no IoTrash in the house you should be fine
When I worked as IT, we had a lot of people doing work from home stuff. We had protections against this and actually survived the Kaseya Ransomware attack because of a tool... which for the life of me I cannot remember the name of. It essentially worked as a DLL and EXE whitelist - we had a contract with the developers to ensure they updated our whitelist with the file signatures of executable files that came from reputable sources such as Microsoft, Adobe, Chrome, etc, that we'd use on a day to day basis. Everything else would be hard blocked, across all our devices. It would most certainly have protected us against smart card readers with modified drivers. Though, one time, we had a whole day of printer issues because microsoft did a silent patch to Edge, which was responsible for ensuring PDF files print correctly from edge, so we had a day of nonstop printer issues, but it was a small issue :/
I like to think that the hackers have a handful of weird dumps where they have no clue what the card is for, what the data is about or how to use it While in reality, it's stuff like Pokémon print kiosk cards or someone's memory card that holds a script to install the network driver for an industrial computer
They're sold via dark web in large data packages. Then someone else buys a package that may have usable stuff while a ton of it is junk. Same way as how legal companies scrape all our information and then sell bundles of peoples' info to literally a n y o n e.
The problem would have been bigger in that case. People never check if the compiled code is the same as the open source version. I don't think there is a easy way to compare open source code and it's compiled version. Moreover a open source version of driver will be leaked to public which can be easily exploited by hackers.
@@gaming__god Yes, that would very much be the case for open source drivers on Windows. However, open source + a proper package management would pretty much solve the problem. (Or you could compile them yourself - assuming the code you got is legit.)
@@gaming__god You can just compile it yourself instead of getting a compiled version. "Moreover a open source version of driver will be leaked to public which can be easily exploited by hackers." There will also be security researchers that will find those exploits and even upload patches.
I love how the credit card companies decided to update their older cards to a much more VULNERABLE card. It’s like they WANT everyone to get their cards compromised. Plus I betcha they do, because they are most likely directly connected to those “credit monitoring” companies and they get more money from them every time a card is compromised.
I think people should just be more aware of their card activity. Maybe this only applies to credit cards, but I get a notification for every purchase the instant it happens. Even if something I see doesn't make sense, I can just cancel the card and get my money back in less than 24 hours. I don't even cancel the cards I lose because I don't want the hassle of having a new number, I just get "replacement" cards which are meant to be ordered if your card breaks essentially.
Another good example would be the Hak5 usbs. Think Mrwhosetheboss did a video on those, but all someone would need to do swap out a smart card reader that looks similar enough to whatever actual smart card reader you're using, and then they have access to all your credentials.
had no idea that people could just buy their own hardware like this for security critical tasks. should at least have a list of hardware that you need to purchase from or something.
The company one of my friends works at provides laptops with built in card readers, they also have cell tower service so they don't have to connect to WiFi while they are not at home
so. this video gives me an insight of why my military laptop (Latitude Rugged Extreme 7214) has a reader for those cards, both contactless and slot to insert the card
Military contractor here, these types of CAC readers are used but not sensitive information, at most the hackers would be getting some PII. More sensitive information is still only able to be reached at your base with a different type of CAC :-)
Smart cards are not vulnerable to replay attacks. They use the algorithm of challenge-response. They have another set of vulnerabilities but not that one.
My trusty ACR122U is always packed with my laptop when I'm on vacation :D Most of the card readers are just connected to "psychologically" give a false sense of security, nine out of ten times they aren't even securely wired!
things like these need OSS drivers with signed binary releases. Virustotal is not magic, it is rather easy to write undetected viruses, especially if their only job is to upload the smartcard data to a server. That is not even the definition of a virus, that would just be a modified/hacked driver
Polymorphic viruses aren't that hard to make, you basically write a set of tests that define the behavior and have a script fudge the instructions around till you don't get detected. And you can even use out of the box generators that do the job for you.
As someone who works for a company that installs card readers in high security places, we only install swipe cards and we demand that we use cables rather than wireless transmission. Our system also nullifies cards every 2-3 days, so you have to get a new one at the reception.
I suspect they are doing the same thing with Smart Lamps selling on Amazon that are impossible to beat on price but force you to allow access to your local home network traffic. Might be useful for a researcher to take a look at it, which I can use the time to jump deeper.
Small detail, a large number of Amazon reviews are fake but you’re correct in assuming at least half of those are actual purchases. There’s some sites that will scan listings and tell you the percent of fake reviews
You'd think most companies/governments would have some sorta deal with a tech trusted tech supplier instead of simply paying staff to buy whatever they want.
Good news: turns out the threat actor wasn't the OEM, 'just' a trololol hacker somewhere on the interwebz. Bad news (in the form of a question): how many people did it take, doing a bad/incompetent/negligent job, to allow this to happen? If each of those people were a link in the chain, how many links would that "Chain of fuck-ups" be? There are multiple muppets with their fingers in this pot of "oops." Makes me mad, can't even get a little schadenfreude out of crap like this.
This damn Ramnit.A, or B or C, is a plague. Got infected in 2014 on a USB stick and still found infected files in my computer in 2022. Had to buy a new Hard Drive and start all over, checking every files before copying.
I believe new most Access cards/fobs systems now have 2 steps; meaning not only does the card provide a password to the opener, but the opener also put a signal back to your FOB and if your FOB cannot correctly verify the signal coming from the opener then the gate stays locked even tho the FOB has the correct access code.
Jesus Christ. I bought a similar reader just to mess around with and ran into that "go to this website for driver" crap. Didn't go through with it when it said that the site wasn't even https secured. Fuq dat
I’ve never used a smartcard in the last few years that doesn’t use private key authentication. I’m sure they still exist, maybe Europe has different standards than the US, but once the card uses a private key, there habe to be multiple exchanges between the “reader” and the card for something to unlock, and the traffic is safe from a replay attack AFAIK.
Oof, I was in the Army and never knew about sus drivers... fortunately I bought mine at AAFES and needed no additional drivers but I did need all sorts of security protocols.
The company I worked for had smart cards but they supplied laptops that had the readers already installed. I would have figured the government would have done the same.
Something I leaned is that windows will go out and get drives for some things if the driver is proper signed. My guess is that when they made that drive it was but now it is not and that's why they had to manually install it.
It's just as likely the country of origin made them do this for spying and information gathering purposes, I mean if its being used in military etc it makes sense
They use all the standar protocols to be able to read and validate the info, so they're technicaly right about the reader compatibility with cards from Hospitals, Banks, etc. Those drivers tho'. I imagine an (ex) employe who changed the drivers of the website, which is bad or maybe a hacker who replace the files of the website, which is worse. Until they make a public statement aknowling the problem i woulnd't trust this company with any sensible information.
The worst part is so many military website are flagged as not secure by browsers so many people just click to continue to unsecure website, because that's the only way to access the website. So it wouldn't surprise me if windows defender would have caught this, it would have been ignored.
I feel like if a weird creepy guy with too many bags was pretending to make a phone call next to the card reader I would wait for him to leave or try to make things awkward so that he leaves.
Excellent video 👌🏻🔥 love the demonstration clips you got, I make videos sometimes and getting footage online like that takes a lot of work😂 keep it up man 💪
We are a startup. We mail out all our own hardware in tamper evident packaging, we enroll the TPM2 and FIDO2 creds beforehand... No excuse for this garbage opsec from org with 50x the IT budget.
DoD military here. You can buy one from like a Navy Exchange/Army Exchange (I think they call them a PX?) for like $10 so you can work from your home. You can use your CAC (government ID smart card) to look at your paystub/government email/what have you from your personal computer.
@@GoodlyPenguin oh! Thanks for explaining. Its a bit weird that the kind of things arent controlled that well, specially when it can leak some sensetive data
Smart Card readers are ordinary mandatory part of most proper laptops in estonia , and nearly entire population from old to yong have them at least last 10-15 years
Badge cards typically must be used in very specific manners the closer they work with government controlled data, such as PII, PHI, or official data. Though if a company isn't having this enforced on them it's pretty typical that they will use whatever. You'd think banks in particular would take more care to protect their cards for example, but it seems that rfid chips in cards are quite compatible with thief scanners.
“You can sell pretty much anything on Amazon.” *Slowly pulls out my rotting body bag* “Well, almost anything.” *Slowly puts back away my rotting body bag*
Holy kitty cats! This kind of stuff is why I tape over the selfie lens on my phone camera, etc etc.. Dumb question: what would one of those readers do with my debit card? (...and download drivers via dropbox???)
Depending on the circumstances they could potentially make a single purchase within whatever limits your card has but i dont believe they can clone the card because bank cards have different standards im not an expert
Mental Outlaw is the ultimate advocate for the Amish community.
Big doinks
Yes sir.
Haaaa
Amish cybersecurity and opsec is next level
Don't need operational security when you don't have an operation at all
the more I I learn about electronics the more I understand why most IT experience people tend to use as least amount of technology in their personal lives
👆
There are two types of people into technology: those who install smart appliances everywhere, and those who refuse to touch any smart appliances.
@@voidimperial1179 Its all marketing to the general dumbed down masses. Also trendy to the normies.
um, no?
@@stevefan8283 Actually yes. Imagine if someone compromised your smart devices. Guess your thermostat is getting turned way down then.
Important things like this should be provided directly and ideally manufactured in the country using them. It’s silly to think our government and their contractors do stuff like this to save time and money when they could just hire a few more people to audit things as well as work with a local manufacturer
Government laptops already have CAC readers in the laptop.
They actually do verify the equipment they use on a grander scale. A lot of office equipment like these are, as others have mentioned, built in & provided where you work. At home on your own system(s) can be a different story.
@Johnny depp I'm starting to think some of these were authentic accounts at one point
@@silence___ probably people who clicked on the phishing emails
@Johnny depp finally a spam bot is here
Quite common in Brazil. They swap the reader thing, usually from a gas station, with a hacked one. Then wait for the harvest.
Got mine stolen once. 3 purchases at 1am. I was awake at the time, my bank sms me all purchases made over R$50, so I knew immediatelly, called my bank, cancelled the transactions and cancelled the card in like 20 minutes.
👆👆👆.....
@Rare one got DAMN it's finally here no way
I don't think he's talking about the same thing...
Dude.
They're both bot accounts 🤣
@@epicat0r I was replying to OP
It's crazy how well social engineering and just standing around with boxes works
👆👆👆.
@@whats5471 bro why are you trying that scam on a cyber security channel 🗿
@@boobgoogler They really hit this channel harder than usual. I have no idea why.
@@boobgoogler idiot here, what is the scam? lmao
@@oceanbytez847 it's kinda self explanatory
speaking of malware, youtube has been serving ads of "free games" websites, witch serves malicious fake installers, double packed MSI installer with a small c++ program (and some accompanying 7z archive with a password i couldn't find any ware) that fucks with your DNS config and bricks your internet connection, reminiscent of most of the malware you'd find on TPB back in the day
RUclips used to advertise drugs selling onion marketplaces in Russia lol
@@burn_out 👆👆👆..
they are all the same installer just downloaded under a different name
how would you know if you have this?
@@Liamfr34k Your internet wouldn't be working
Ah yes, Amazon special Chinesium smartcard reader for DoD CAC authentication. What could possibly go wrong?
China bad upvotes to the left
@Johnny depp shut up bot
I’m dying 😭🤣
👆👆👆...
@@whats5471 shut up bot
Great timing. Pulled a fake keypad off my local ATM two days ago. Sneaky bastards
👆👆👆.
A company I worked for just gave everyone a laptop with a smartcard reader built in. Much finer control for them. We also used RSA keys and a password. I don't think you can get more security for online identification than RSA keys
Anywher that uses smart cards buys computers with card readers built in
I cannot believe an IT person who works for a big IT company did not know about file signatures. When I download things like drivers from any vendor, I check the digital signature of the EXE and DLL's before executing the installer. In fact, I check this before buying a piece of hardware that requires driver installation. I visit their websites and download the driver file before buying the hardware, and check if the EXE is signed. If it is not, then I buy from a different company.
I also did not expect so-called "smartcards" are just a mere password card, that if someone else read it, it gets compromised. I thought it would send some sort of calculated result so that only the device that has a previously agreed data can verify its authentisitity, like a bank OTP device. If it is just sending the same data whoever the reader is, why is it called "smart" card? It's a dumb card.
@@whats5471 number doesnt work
it only needs to be smarter than the employees, not the malicious party
Hey, I get paid more for being friends with the boss than that
How do you know what the signature was suppose to be if the company didn't tell you?
Could you tell us how you do what you describe in the first paragraph?
Actually government laptops are specced out to have CAC readers in the laptop, so not external reader is required. We also have cac readers within our keyboards, so a government employee should never have to buy a reader.
Not to mention that the ones sold at the exchanges are inspected & verified. Still seems like a possible security issue though.
They do if they want to work from home or use multiple cards in one session.
👆👆👆.
@@ProDCloud can they just multiple keyboards with the card reader? It's not like they have any resale value anyway, nobody would steal that
That’s great at work but if you want to access your pay or anything else from home you have to use a CAC reader
An IT employee for a large government contractor bought a smart card reader. This is what happened to his highly sensitive data.
☝️Presenting to the emergency room!
@@EricGranata Presenting to the emer/g/ency room!
@@doooofus that was really cringy
@@kenshinhimura9387 so was your mom
Thats the CAC (common access card), something that pretty much every US military personal will use, along with everyone who works for the DOD. One thing I find weird here is the "drivers" you need are actually DoD certificates, otherwise CAC enabled sites won't load. (Though I'm pretty sure this is just so your local FBI or NSA agent can watch your activity easier) The one positive thing is the DOD has been issuing out laptops that now use VPNs, and already contain a CAC reader built with the certificates you need, and are continuing to improve their OPSEC mostly due to the fact that having people work from home during COVID instead of a secure office has forced them too.
👆👆👆
I was under the impression that the CAC was already on the way out. Maybe that was bad information.
The drivers he’s talking about is of the cac reader itself so it knows how to function. Cac readers do nothing but read the card and send it’s data to your computer.
Dod certs are pretty much just for dod website identification, which you can use without downloading the certs, but you would have to accept that the website is using the cert every time because it’s not standard. Downloading it makes it standard to your computer.
As far as I know you can’t directly load malware on a cert, but unchecked drivers can cause havoc.
You can access DoD websites just fine without importing the root certs, but your browser will throw a certificate error for every page. This is because the DoD is it's own root certificate authority.
You need dod root certificates to access CAC enabled sites, but the drivers for the CAC itself are different. Both of them are a pain in the ass to obtain if you don't have can access set up on a computer already
This reminds me of the Despicable Me meme:
"First, identify smart card reader used by military.
Second, get access to vendor's website where drivers are hosted.
Third, infect it with well-known malware that's being detected by most antivirus software."
Yeah talk about getting a shot at fuckin Smaug's scale gap, and announcing it to him.
Thats what he just did.
Its patched now.
What a waste of a good vulnerability.
The dude should have waited, got some dudes together, some funding to make it a very professional stealth rat, or even an evolving botnet. But with stealth.
Something that is well worth it considering its a military grade backdoor.
But instead they give it a script off the streets and just completely waste it.
...just classless.
@@fluffypinkpandas I mean, is the point here not to expose the vulnerability? As opposed to like. Become a felon?
@@The_Bird_Bird_Harder from a certain point of view, Anakin
@@The_Bird_Bird_Harder Taking note that a door is left unlocked, but not going through it, is not breaking and entering. It is merely being observant. Doing nothing with this piece of information you just gained, because you might need that information later, is similarly not "Conspiracy to commit." You just know about an unlocked door, and you've got no intention to tell anyone. You can't call it negligence either, it isn't the observer's reasonable responsibility.
@@fluffypinkpandas The thing about that is Mental's not a criminal....
I've been in the military for nearly four years now. I'm happy to see that I've never seen any of these kinds of cac readers for sale, especially at the physical stores and gas stations.
>gas station card reader
Less notorious than gas station dock pils
Saicoo Card readers, proceed to place a Yuan symbol on the online payments sign and encourage employees from the DoD to use it. It is obviously a Chinese spy tool, lol.
"On-Line purchases"
Anyone who speaks English knows it's "online"
Congrats on 300k. Thanks for spreading the information that actually matters!
I work for a publicly run employer in the uk that's one of the largest employers in the country (work it out). Our smart cards for accessing the country wide databases uses an active x control in IE . The config file for this still states " do not change any settings as all settings are the same for windows 95 and NT " , smart cards are not secure !
👆👆👆.
I thought Native bridge + Edge took over from this now. Wouldn't be surprised if it was still common elsewhere in the industry as IE is still used for some legacy applications
@@whynotandy it does , native bridge however is also getting replaced with credential manager , but you have to do a lot of fucking about with IE and group policy for that , go with native bridge and the latest hscic. Native bridge is still supported as of May 22
@@andljoy IE officially retires on the 16th, wonder if everything will be ready in time
You could use a regular Android phone to “copy” and “paste” the balance of a subway card in Moscow. That’s how I got unlimited rides lol.
👆👆👆
@Winnie the Flu The balance gets stored in the card instead of an ID linked with a DB, so you buy a card reader/writer and change it.
I was gonna do the same for games place(Magic planet in middle east) but noticed u can charge it from their website so it wont work
Care explaining how
@@DeeezNuts how to trick
Nice
I used to work for a DOD contractor. We where super strict on card readers and lucky we never had this issue. All of our external readers where provided by a trusted vendor.
I always thought there's a private key in each of them, and therefore you cannot duplicate a smartcard by listening to the traffic. It's just common sense! RSA has been around since the 70s. Guess I was wrong
@@tripplefives1402 Smart cards often do have a CPU and crypto modules on board.
@@tripplefives1402 are you sure? MK says otherwise.
Different EMV modes - DDA is the only one that works like a true smartcard. SDA and CDA are just complicated badges. I'm unclear why DDA isn't mandatory for chip txns…
@@codegeek98 Thanks for the clarification!
I work for a security company where we make security cards. A lot of high security places are moving to cards with an encrypted chip where it stores certifications, your fingerprints, and your photo. Similar to CAC cards. It's fully encrypted and the card is tied to the facility and the readers.
The card you showed is a PIV-I card. It's very secure. The government is slowly moving to this. You need a scanner, that isn't just a reader, but one where you insert the card and it reads the chip. It's all tied to the individual. As far as readers go, use an HID reader. Our company has tore apart the drivers and such, and they are secure.
For common smart cards and card readers, yeah. It's easy to hack. People are always the issue in security. But there is smarter - smart cards.
*CAC
In Brazil is very common in sales fairs and at gas stations , they modify they payment machines and insert some msr90 board or something like these on the video , criminals call this type of modified machine as "chupa-cabra" . And they also use jammers for block gps signals from the cars and than steal , they typically call this type of jammer as "capetinha"
kkkkkkkkkkkkkk still chupa-cabras working nowadays?
What kind of a brain dead govt agency would actually deploy workstations that don't have internal smart card readers?
Oh right, quite a lot of them
👆👆👆.
basically everyone that isn't NSA and MAYBE the FBI
@@marcogenovesi8570 that's just false. Most of DoD specs smart card readers directly into laptops and keyboards.
@@marcogenovesi8570 Source? Litterally? This is just wrong, my parents aren’t nearly that important and they get cac card readers.
"Security products company with unsecure website", yep, sounds about right.
I don't know about the authenticity of the web site you presented that had that card reader listed as recommended. In addition, any contractor that allowed average users local admin rights to install random drivers for crap wouldn't have their ATO for long and thus wouldn't be contractors for long I can tell you that much. Furthermore, when I contracted Federal IT I know we couldn't just hand out random garbage even for peripherals. There's actually standards in place that prevent even the purchasing of computer equipment from mainland China. Even the cards themselves are single sourced from one company to meet the HSPD-12 requirements.
Please make a video on how the internet of things will ultimately destroy the human right to privacy and make us subservient to the surveillance state. I do know you briefly touched on it in your Guide to Escaping the Botnet video, but an in depth video would be really awesome and do us a great public service.
You could've just said "do a video on how problematic IoT devices are" and you wouldn't have sounded so conspiratorial.
@@speedfastman His username is "Spyro 115", he is likely tuned in to the higher consciousness. Nothing wrong with having a conspiratorial worldview in an exponentially conspiring world.
@@1d10tcannotmakeusername That's because 114 Spyro-mongers beat him to it. He is delirious anyways.. "Will ultimately destroy???" he must think he is in 1994 with all that "future tense." wake up and smell the google my little purple dragon. That being said, i have to go now... time for my red pill.
@@maxheadspace6670 1. Spyro is a time-traveling hyperdimensional intelligence
2. Only if you're a city slicker, if you go out innawoods and make sure there's no IoTrash in the house you should be fine
When I worked as IT, we had a lot of people doing work from home stuff. We had protections against this and actually survived the Kaseya Ransomware attack because of a tool... which for the life of me I cannot remember the name of. It essentially worked as a DLL and EXE whitelist - we had a contract with the developers to ensure they updated our whitelist with the file signatures of executable files that came from reputable sources such as Microsoft, Adobe, Chrome, etc, that we'd use on a day to day basis. Everything else would be hard blocked, across all our devices. It would most certainly have protected us against smart card readers with modified drivers. Though, one time, we had a whole day of printer issues because microsoft did a silent patch to Edge, which was responsible for ensuring PDF files print correctly from edge, so we had a day of nonstop printer issues, but it was a small issue :/
Ty for whoever liked this comment first, cause I remember the software. It was called Airlock
You never cease to surprise me with these interesting vids, keep it up!
I like to think that the hackers have a handful of weird dumps where they have no clue what the card is for, what the data is about or how to use it
While in reality, it's stuff like Pokémon print kiosk cards or someone's memory card that holds a script to install the network driver for an industrial computer
Tbh it's probably fairly likely
They're sold via dark web in large data packages. Then someone else buys a package that may have usable stuff while a ton of it is junk. Same way as how legal companies scrape all our information and then sell bundles of peoples' info to literally a n y o n e.
This would not have been a problem if the drivers where open source
The problem would have been bigger in that case. People never check if the compiled code is the same as the open source version.
I don't think there is a easy way to compare open source code and it's compiled version.
Moreover a open source version of driver will be leaked to public which can be easily exploited by hackers.
@@gaming__god Yes, that would very much be the case for open source drivers on Windows. However, open source + a proper package management would pretty much solve the problem.
(Or you could compile them yourself - assuming the code you got is legit.)
@@gaming__god You can just compile it yourself instead of getting a compiled version.
"Moreover a open source version of driver will be leaked to public which can be easily exploited by hackers."
There will also be security researchers that will find those exploits and even upload patches.
@@testacals I think that the exploit comment is not about the lack of patches, but rather people still getting pre-compiled software.
You have to sign the drivers with a certificate to install them on Windows iirc.
I love how the credit card companies decided to update their older cards to a much more VULNERABLE card. It’s like they WANT everyone to get their cards compromised. Plus I betcha they do, because they are most likely directly connected to those “credit monitoring” companies and they get more money from them every time a card is compromised.
My father in law has a bug with his card where it doesn't ask for the code.
I think people should just be more aware of their card activity. Maybe this only applies to credit cards, but I get a notification for every purchase the instant it happens. Even if something I see doesn't make sense, I can just cancel the card and get my money back in less than 24 hours. I don't even cancel the cards I lose because I don't want the hassle of having a new number, I just get "replacement" cards which are meant to be ordered if your card breaks essentially.
The company that doesn't give checked (by the admin/security expert) devices to their employee/contractor, deserves to get pwned.
Another good example would be the Hak5 usbs. Think Mrwhosetheboss did a video on those, but all someone would need to do swap out a smart card reader that looks similar enough to whatever actual smart card reader you're using, and then they have access to all your credentials.
yeah, but if I wanted to break into a building I would rather bribe a janitor to copy their pass vs having my face on camera intercepting their card.
Mental outlaw is either the biggest redhat or straight works for feds lmao
👆👆👆.
When I was attempting to enlist in the army, all their laptops had a card reader built into them.
Also, RFID/NFC/proxy cards are a different technology than smart cards
What is so hard about using pgp smartcards? Nonce in, signature out, access granted, no way to copy anything.
👆👆👆..
I don’t understand your logic
Yeah, I totally believe that a "hacker" compromised their download page. Nudge, nudge, wink, wink. Pull there other one guvnor.
👆👆
had no idea that people could just buy their own hardware like this for security critical tasks. should at least have a list of hardware that you need to purchase from or something.
Problem is this WAS on the DOD suggested list...
@@jakegarrett8109 well thats unfortunate lol
Yeah we’re told to buy our own CAC readers for our personal computers at home. Half the time they tell you which one is the good one…
thanks for the updates as usual outlaw!
👆👆👆....
The company one of my friends works at provides laptops with built in card readers, they also have cell tower service so they don't have to connect to WiFi while they are not at home
Good thing ghost cell towers don't exist...
so. this video gives me an insight of why my military laptop (Latitude Rugged Extreme 7214) has a reader for those cards, both contactless and slot to insert the card
Properitary drivers be like:
hey what the fuck
👆👆👆.
Military contractor here, these types of CAC readers are used but not sensitive information, at most the hackers would be getting some PII. More sensitive information is still only able to be reached at your base with a different type of CAC :-)
Nice modern rogue cameo
👆👆👆
The first part is about RFID/NFC tech
The 2nd part is about Smart-Card tech
Man your content is just awesome! I tell everyone to check out your channel
Modern rogue footage, hell yeah!
Smart cards are not vulnerable to replay attacks.
They use the algorithm of challenge-response.
They have another set of vulnerabilities but not that one.
I used to work in an IT department of a hospital and they used card readers in-house and 2fa when working from home, worked better imo.
My trusty ACR122U is always packed with my laptop when I'm on vacation :D
Most of the card readers are just connected to "psychologically" give a false sense of security, nine out of ten times they aren't even securely wired!
And this is why physical security, with human security, will never be outdated.
things like these need OSS drivers with signed binary releases.
Virustotal is not magic, it is rather easy to write undetected viruses, especially if their only job is to upload the smartcard data to a server. That is not even the definition of a virus, that would just be a modified/hacked driver
Polymorphic viruses aren't that hard to make, you basically write a set of tests that define the behavior and have a script fudge the instructions around till you don't get detected. And you can even use out of the box generators that do the job for you.
Great video. So true. This can be a major attack point, especially in Pubic or private institutions.
As someone who works for a company that installs card readers in high security places, we only install swipe cards and we demand that we use cables rather than wireless transmission.
Our system also nullifies cards every 2-3 days, so you have to get a new one at the reception.
That employee helped their company dodge not just a bullet,but an entire fucking nuke.
This is exactly why we need open source drivers period.
Won't meet a decent cyber security analyst with a "smart home" to run everything.
Congrats on getting that shout-out from Mutahar yesterday!
Wait, what video?
@@BCDeshiG the smartphone hacking video he made a few days ago
I suspect they are doing the same thing with Smart Lamps selling on Amazon that are impossible to beat on price but force you to allow access to your local home network traffic. Might be useful for a researcher to take a look at it, which I can use the time to jump deeper.
This is sooooo dangerous....
So many people need to know about this..
I prefer the battering ram method.
Who needs any fancy electronics when you have a log and pure strength.
👆👆👆.
Small detail, a large number of Amazon reviews are fake but you’re correct in assuming at least half of those are actual purchases. There’s some sites that will scan listings and tell you the percent of fake reviews
The first bag you posted is the good one to protect against rfid. They have larger sleeves too on amazon.
You'd think most companies/governments would have some sorta deal with a tech trusted tech supplier instead of simply paying staff to buy whatever they want.
Good news: turns out the threat actor wasn't the OEM, 'just' a trololol hacker somewhere on the interwebz.
Bad news (in the form of a question): how many people did it take, doing a bad/incompetent/negligent job, to allow this to happen? If each of those people were a link in the chain, how many links would that "Chain of fuck-ups" be?
There are multiple muppets with their fingers in this pot of "oops." Makes me mad, can't even get a little schadenfreude out of crap like this.
This damn Ramnit.A, or B or C, is a plague. Got infected in 2014 on a USB stick and still found infected files in my computer in 2022. Had to buy a new Hard Drive and start all over, checking every files before copying.
👆👆👆
i feel like I’m watching a DedSec tutorial video
this is why belgian ID card reading drivers are made by the government
I believe new most Access cards/fobs systems now have 2 steps; meaning not only does the card provide a password to the opener, but the opener also put a signal back to your FOB and if your FOB cannot correctly verify the signal coming from the opener then the gate stays locked even tho the FOB has the correct access code.
Jesus Christ. I bought a similar reader just to mess around with and ran into that "go to this website for driver" crap. Didn't go through with it when it said that the site wasn't even https secured. Fuq dat
Now those cc reader signal blocker sleeves finally have a purpose😆
This is unbelievable... #stoptheoutsourcing
That malicious agent was probably the government of the nation the products are made and developed in
👆👆👆.
we need the government to look at every item sold and look at every single person that buys and sells on Amazon
they are
I’ve never used a smartcard in the last few years that doesn’t use private key authentication. I’m sure they still exist, maybe Europe has different standards than the US, but once the card uses a private key, there habe to be multiple exchanges between the “reader” and the card for something to unlock, and the traffic is safe from a replay attack AFAIK.
This is mostly fearmongering, any secure smartcard solution does not allow private keys to ever leave the smartcard.
Bringing hacking into the mainstream one video at a time
Oof, I was in the Army and never knew about sus drivers... fortunately I bought mine at AAFES and needed no additional drivers but I did need all sorts of security protocols.
a long while ago people used to use coiled copper rods to extend the reach to their sleeve.
i cant help but think that there was no hacker
whoever replied to me, your comment got deleted
The company I worked for had smart cards but they supplied laptops that had the readers already installed. I would have figured the government would have done the same.
also having more than one card helps - cross signal protection
Something I leaned is that windows will go out and get drives for some things if the driver is proper signed. My guess is that when they made that drive it was but now it is not and that's why they had to manually install it.
It's just as likely the country of origin made them do this for spying and information gathering purposes, I mean if its being used in military etc it makes sense
👆👆👆.
They use all the standar protocols to be able to read and validate the info, so they're technicaly right about the reader compatibility with cards from Hospitals, Banks, etc. Those drivers tho'.
I imagine an (ex) employe who changed the drivers of the website, which is bad or maybe a hacker who replace the files of the website, which is worse.
Until they make a public statement aknowling the problem i woulnd't trust this company with any sensible information.
"curbs on security " 😂🤣😂🤣😂🤣😂🤣😂
The worst part is so many military website are flagged as not secure by browsers so many people just click to continue to unsecure website, because that's the only way to access the website. So it wouldn't surprise me if windows defender would have caught this, it would have been ignored.
Probably just unofficial certs
@@P1T4Bot that is the issue but I think it conditions people to just click okay, even if something is flagged
Even easier, just walk behind someone who goes into the office building. They will probably hold the door open for you out of politeness.
In Brazil a guy managed to switch his card reader with gas'tation's card reader and recived 3 days of payments before be catch.
I feel like if a weird creepy guy with too many bags was pretending to make a phone call next to the card reader I would wait for him to leave or try to make things awkward so that he leaves.
Saicoo was pretty aloof about that. It actually seems like they were the ones to put that malicious software on there.
Excellent video 👌🏻🔥 love the demonstration clips you got, I make videos sometimes and getting footage online like that takes a lot of work😂 keep it up man 💪
We are a startup. We mail out all our own hardware in tamper evident packaging, we enroll the TPM2 and FIDO2 creds beforehand... No excuse for this garbage opsec from org with 50x the IT budget.
I didnt understand why you would need a smart cardreader in home? I got a bit lost. Would appreciate if someone could tell,
DoD military here. You can buy one from like a Navy Exchange/Army Exchange (I think they call them a PX?) for like $10 so you can work from your home. You can use your CAC (government ID smart card) to look at your paystub/government email/what have you from your personal computer.
@@GoodlyPenguin oh! Thanks for explaining. Its a bit weird that the kind of things arent controlled that well, specially when it can leak some sensetive data
Smart Card readers are ordinary mandatory part of most proper laptops in estonia , and nearly entire population from old to yong have them at least last 10-15 years
Badge cards typically must be used in very specific manners the closer they work with government controlled data, such as PII, PHI, or official data. Though if a company isn't having this enforced on them it's pretty typical that they will use whatever. You'd think banks in particular would take more care to protect their cards for example, but it seems that rfid chips in cards are quite compatible with thief scanners.
its funny that your average smart ticket card you use to commute is safer than most smart cards against copying lol
“You can sell pretty much anything on Amazon.”
*Slowly pulls out my rotting body bag*
“Well, almost anything.”
*Slowly puts back away my rotting body bag*
Holy kitty cats! This kind of stuff is why I tape over the selfie lens on my phone camera, etc etc..
Dumb question: what would one of those readers do with my debit card? (...and download drivers via dropbox???)
👆👆👆
Depending on the circumstances they could potentially make a single purchase within whatever limits your card has but i dont believe they can clone the card because bank cards have different standards im not an expert