VMware Virtual CCID reader optimization problem

Problem description

A smart card works correctly when attached directly to a virtual machine, but fails when using the VMware Virtual USB CCID shared smart card reader.

[Figure: VMware Virtual USB CCID reader device]

Root cause analysis

By examining the APDU traffic with rohitab API Monitor, we found that the APDU sent to the card is not identical between the host and the VM.

[Figure: SCardDemo output on the host computer (direct reader)]
[Figure: SCardDemo output on the virtual machine (VMware Virtual CCID)]

Closer inspection of the raw APDU using API Monitor reveals the difference:

[Figure: APDU captured on the host computer (complete)]
[Figure: APDU captured on the VM from vmware-vmx.exe (last byte stripped)]

VMware strips the last byte. It allocates a 258-byte buffer for APDU responses (256 bytes maximum payload + 2 bytes for SW1/SW2) and truncates the last byte of the command. Sending the same APDU from the host without its last byte produces the same (incorrect) result as in the VM.
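
A stripped trailing byte like the one described above changes how a short command APDU is parsed under ISO/IEC 7816-4. The following added example (not code from the original page) classifies a command before and after the truncation. The function names are hypothetical, the sample APDUs are constructed rather than taken from the captures, and only short-length APDUs are handled.

```python
"""Show how losing the last byte changes a short command APDU (ISO/IEC 7816-4)."""

def parse_short_apdu(apdu: bytes) -> dict:
    """Classify a short-length command APDU into ISO 7816-4 case 1-4."""
    if len(apdu) < 4:
        raise ValueError("shorter than the 4-byte CLA INS P1 P2 header")
    body = apdu[4:]
    if not body:
        return {"case": 1, "lc": 0, "le": None}
    if len(body) == 1:                      # a lone byte is Le; 0x00 means 256
        return {"case": 2, "lc": 0, "le": body[0] or 256}
    lc = body[0]
    if lc == 0:
        raise ValueError("extended-length APDU, not handled in this example")
    if len(body) == 1 + lc:                 # Lc + data, no Le
        return {"case": 3, "lc": lc, "le": None}
    if len(body) == 2 + lc:                 # Lc + data + Le
        return {"case": 4, "lc": lc, "le": body[-1] or 256}
    raise ValueError(f"Lc={lc} but {len(body) - 1} byte(s) follow it")

def truncation_effect(host: bytes, vm: bytes) -> str:
    """Describe what the card-side parser sees when vm == host minus one byte."""
    if vm != host[:-1]:
        return "not a last-byte truncation"
    before = parse_short_apdu(host)
    try:
        after = parse_short_apdu(vm)
    except ValueError as exc:
        return f"case {before['case']} -> malformed ({exc})"
    return (f"case {before['case']} (Le={before['le']}) -> "
            f"case {after['case']} (Le={after['le']})")

# Constructed sample commands (not taken from the captures on this page).
SAMPLES = {
    "SELECT, 7-byte constructed AID, Le=00": bytes.fromhex("00A4040007F001020304050600"),
    "READ BINARY, Le=00": bytes.fromhex("00B0000000"),
    "UPDATE BINARY, 2 data bytes": bytes.fromhex("00D6000002AABB"),
}

if __name__ == "__main__":
    for name, apdu in SAMPLES.items():
        print(f"{name}: {truncation_effect(apdu, apdu[:-1])}")
```

Feeding it a host capture and the matching capture from vmware-vmx.exe shows whether the VM-side command lost its Le byte, lost a data byte, or differs in some other way.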