Viral Attacks on the DoD Common Access Card (CAC)

Date Added: Jan 2009
Format: PDF

This paper shows that using a DoD CAC on an untrusted workstation allows malicious software to perform a variety of attacks. These range from simple PIN phishing to more serious attacks such as signatures on unauthorized transactions, authentication of users without consent, unauthorized secure access to SSL-enabled web servers, and remote usage of the DoD CAC by attackers. It also shows that the root cause of these problems is the lack of a secure I/O channel between the user and the card, and outlines steps that can be taken to ensure such a channel is available, making the documented attacks infeasible.