Digital deception
November 10, 2010Jan Schejbal, a German computer security researcher living in Sweden, on Tuesday described a way to hack the new electronic German ID card software. The federal office responsible for the program stopped allowing the software to be downloaded on Wednesday.
The new cards, which became available November 1 and will gradually replace current German cards, contain an RFID wireless chip - the same kind found in many contactless security or payment keycards. The chip stores digital versions of the card holder's photo, name, address, date of birth, height, eye and hair color and location of issuance.
The Interior Ministry and the Federal Office for Information Security (BSI) have claimed the cards will help the government provide easy-to-use digital signatures and other government services, as well as protection against online scams and phishing attacks. Germans can also use the IDs in place of a passport when traveling within the European Union.
Spoofing the server
But to be useful to individuals, the digital information on the cards needs to be accessed with a card reader. It's the AusweisApp ("ID App") software that runs the card reader which is flawed, according to Schejbal.
After downloading the first version of AusweisApp from a German government website, he noticed a major flaw when the program checks for updates. The software does not verify the origin of a digital security (SSL) certificate, which leaves the program open to a spoof attack that conceivably could lead to the download of malicious software.
"The electronic ID itself may have quite a high security level," said Schejbal in an e-mail to Deutsche Welle. "However, this security becomes worthless if the framework which is used to access this secure core is insecure and allows compromising overall security."
Had the new electronic ID card already been widely used, the security flaw in updating would have been significant, according to Karsten Nohl, an independent security expert based in Berlin.
"Fortunately, that is not the case and the bug can be fixed swiftly," he told Deutsche Welle. "This vulnerability is another reminder of the complexity of the ID card security system, not all of which has been tested rigorously."
In a statement to the German tech news website Heise.de, the BSI said it was looking into the update issue. It also removed the software from its website to prevent more people from downloading the flawed program.
"The media has been made aware of a perceived vulnerability in the software AusweisApp necessary for the eID feature of the new ID card," it wrote. BSI did not reply to Deutsche Welle's request for comment. "If a vulnerability exists in the software, the BSI will provide a new version of the software without delay and will inform the public accordingly."
Digital ID cards expanding across Europe
Digital IDs have been spreading across the continent in recent years. Estonia has had one for nearly a decade, with a slew of electronic government services, and legally binding digital signatures to go along with it. Belgium, Sweden, Spain, Portugal all currently have electronic ID cards, and there are plans in place to release such cards in Luxembourg and the Czech Republic.
While Schejbal added that he is not opposed to the concept of an electronic ID, he advised Germans to avoid the cards for as long as possible.
"It is not secure, and it will put the user at risk," he wrote. "If the electronic identity is abused, the user will have a hard time proving that he did not authorize a transaction."
Previous flaws have been discovered
Schejbal's discovery isn't the first time security flaws were found in the new electronic ID cards. In September, the German hacker collective the Chaos Computer Club (CCC) demonstrated how the card reader's security measures could be circumvented.
After obtaining an ID card's PIN number by using a program that records individual keystrokes, the hackers were able to rewrite all the information on the ID. Card readers come in a variety of models, and the CCC circumvented the most basic model.
Security researchers have doubts
Manuel Bach, the electronic ID project manager at the BSI, responded by saying that Germans must take responsibility for their own computer security and ensure their computers remain free of the malicious software needed to steal PINs and other personal data.
"The Germany ID card can't protect you from Trojan horses, it's just a piece of plastic with a microchip inside," he told Deutsche Welle in an interview last month. "You as a citizen or computer user have a responsibility to secure your system. If you do that you're very safe, even with a basic card reader."
But Constanze Kurz, a CCC spokeswoman, said the government shouldn't expect all Germans to be tech whizzes.
"If you pretend that all your citizens are really good with computers, and that they can manage their own IT security on their systems, then you are definitely wrong," she said in an interview with Deutsche Welle. "The hackers will always attack the weakest point and the weakest point is the user."
Author: Cyrus Farivar
Editor: Sean Sinico