The Future of the CAC is Bright

Web magazine Fedscoop reported on 7 February 2019 that the DOD is working with a Brooklyn-based artificial intelligence startup to replace the military CAC and build better identity, credentialing, and access management (ICAM) through “deep-learning-based” AI. (source)

However, DOD Chief Information Officer Dana Deasy said in September 2018 that the CAC card is still a key component of DOD security and will remain the “principal authenticator for the foreseeable future.”

DOD also said the National Institute of Standards and Technology’s new SP 800-63 digital identity guidelines are central to normalizing identity management.

In a January 2021 interview, DoD’s Defense Manpower Data Center said it wants to extend support to iPhone and Android devices and to create a digital identity for its 8 million clients in the near future.

Common Issues and Vulnerabilities

The CAC is not the “end all, be all”; there are some issues with it, starting with the physical cards themselves. The ICC tends to wear quickly, which can leave the chip unreadable (a problem I actually have with my administrator token, and I have been waiting a month for a replacement to arrive). The cards can de-laminate from repeated insertion into and removal from the readers (the same cause as the ICC wear). The RFID responder antenna tends to break, which stops the RFID function of the card from working.

There are also some now-mitigated vulnerabilities in the middleware used for the cards, and at least one now-mitigated vulnerability in the driver software used for the card readers.

Here is a link to a whitepaper discussing “Viral attacks on the DoD Common Access Card (CAC)”.

CAC Scan App

In late May 2016, the U.S. Department of Defense (DoD) released an advisory to its armed services and civilian workforce warning about an Android app called “CAC Scan,” which was found publicly available on the Google Play market.

Basically, the app could scan the barcode on the front of the CAC. This barcode contains Personally Identifiable Information (PII) such as the name, social security number, rank, and DoD ID number of the cardholder. The concern was that any data scanned and decoded by the app might be uploaded to an unknown server, stored, or made publicly available.

According to IT security company Lookout, Inc., which decompiled the app, it wasn’t doing anything deceptive at all, but the threat was out there. Nothing stops someone who has the app installed from taking a snapshot of your CAC and decoding your information, and with today’s high-resolution cell phone cameras, they wouldn’t have to be all that close either.

CAC Scan App Output

On July 31, 2020, the Next Generation Uniformed Services ID Card which is a more secure, next-generation USID card.

Next Generation Uniformed Services ID Card

Welcome to the Average Joe Weekly blog. This is basically my place on the web where I can help spread some of the knowledge that I have accumulated over the years. I served 10+ years in the Marine Corps on Active Duty, but that was some 25 years ago.

By Average Joe
