I found a paper from the "Hackito Ergo Sum" 2011 security conference called:
" Man In Remote,
Remotely using the Spanish National Electronic ID,
by Gabriel Gonzalez Garcia "
The paper describes a man in the middle attack by adding a network redirection at the PKCS#11 API level.
Gabriel talked about his paper on his blog Man In Remote and the source code is available online at github.