ACER Travelmate 600 and 800 series - Smartcard flawed Implementation

[<Leonard.Ong () nokia com>]

Background
-------------------

Acer Travelmate 600, 800 series notebooks include a smartcard reader, two smartcards and a security application called 
Platinum Secure.  The smart card security system  should prevent access to the console while the smartcard is not 
present or when password has not been entered. However, with a simple test, a limited access is possible to bypass the 
security system.

Vulnerable systems
-------------------------------

All Travelmate notebooks 600, and 800 series that has smartcard security system installed (Platinum Secret). This 
includes the latest notebooks 650XCI/LCI, Centrino-based 800XCI,LCI.  These notebooks are running old Platinum Secret 
version 1.0.84.  It is unknown whether the newest version 2.6.1 (Available from the vendor 360Degreeweb.com) would have 
fixed the issue.  The software is not available for retail, and only sold through OEM or Corporate channel.

Vulnerability
--------------------

1. When smartcard is not present and Platinum Key enabled (prevent access without smartcard), it is possible to access 
the console by :
a. Pressing Control-Escape multiple times, this will give the attacker few seconds of Windows Task Bar. Each time will 
give attacker 1-3 seconds of console display
b. Upon seeing Windows Task Bar, Confidentiality is breached by providing information of frequently accessed 
application, history of find and Run command, Access to Start menu
c. It is possible to click on the frequently accessed application, and run the application

2. If the host can be compromised via network (Windows networking, Trojan, etc) to install a certain application, and 
somehow create a shortcut for that program to be displayed under most frequently used application.  The attacker can 
press Control-Escape and click on that shortcut to run the exploit for further compromise (file server to transfer 
file, etc )

3. This is further possible for lack of security awareness by leaving desktop turned on (even locked with smartcard) 
and leave it connected network or lack of physical security

Vendor Response
---------------------------

Acer Singapore has been advised for at least three weeks, and they can't commit to provide any upgrade or solution for 
this.  Hence the purpose of this advisory to eliminate the sense of false security of Notebook owners by having two 
factor security on the notebook.  It also shows that the vendor is not committed to mitigate the vulnerability.

Disclaimer
The information in this bulletin is provided "AS IS" without warranty of any kind. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages.