New app poses security risk for all military employees, contractors

CAC Scan app screenshot

By Airman 1st Class Dennis Hoffman
21st Space Wing Public Affairs

The Air Force Operations Security support team was advised of a new and threatening Google Play phone application called CAC Scan on May 19, 2016.

“CAC Scan has the power to scan the barcode on the front of a common access card to get the cardholder’s name, rank, social security number and your electronic data interchange personal identifier information,” according to the Google Play app description.

Quick response code scanners and barcode scanners are common in online app stores, but what makes this app unlike others is that it specifically targets and reads military CACs. There are very few scenarios in which anyone would legitimately need to access the information on a CAC, said Master Sgt. Darren Snider, 21st Space Wing Space Control Plans and Programs flight chief.

“If anybody is going to be scanning your military ID, it will either be scanned at the gate on base, or it’s going to be used for medical purposes,” said Snider. “That is the only legitimate use for scanning common access cards that I see. This is a vulnerability that we need to get the word out about.”

While the legality of the CAC Scan app is questionable, Air Force Instruction 36-3026 states the rules regarding photographing, reproducing, or unauthorized possession of ID cards.

“Title 18, U.S.C., Section 701 prohibits photographing, reproducing, or possessing Uniformed Services ID cards in an unauthorized manner under penalty of fine, imprisonment or both,” according to AFI 36-3026. “Unauthorized use would exist if the bearer uses the card in a manner that would enable the bearer to obtain benefits and privileges to which he or she is not entitled.”

Since the advent of smartphones, the OPSEC team has been on its toes combating security threats and vulnerabilities introduced by apps like CAC Scan, said Victor Duckarmenn, 21st Space Wing Program Management Division quality assurance manager.

“The idea of a CAC reader app is not new,” said Duckarmenn. “The biggest problem is the proliferation of these reader apps and the availability to acquire them with smartphone technology.”

Military service members and Department of Defense contractors share a responsibility to maintain positive control over, and guard, their personal information at all times.

Pass and ID, located in the mission support building, hands out free card covers for military CACs and other cards that carry radio-frequency identification, said Duckarmenn. These covers block signals from potential threats that could compromise personal information.

With ever-changing threats to our personal safety and information, service members need to remain vigilant, with heightened situational awareness of every avenue through which those who wish to exploit information could cause harm.

Based on the vulnerabilities associated with the Google Play “CACScan” Application, take the following information into consideration:

  1. Maintain physical security of your Common Access Card (CAC) at all times. An unattended, lost, or stolen CAC hands its privacy information to any malicious user who scans the card with the app.
  2. Do not download the application to your device, and advise your family members to avoid it as well. Your private data is contained on the CAC; there is no legitimate purpose in scanning information from your CAC into your phone.
  3. Avoid making photocopies of your CAC for any reason. The barcode in a photocopy can be scanned just as easily by the CACScan app.
  4. If you have any questions, contact your Security Manager or OPSEC Program Manager.