Slashdot Mirror


New German Government ID Hacked By CCC

wiedzmin writes "Public broadcaster ARD's show 'Plusminus' teamed up with the known hacker organization 'Chaos Computer Club' (CCC) to find out how secure the controversial new radio-frequency (RFID) chips were. The report shows how they used the basic new home scanners that will go along with the cards (for use with home computers to process the personal data for official government business) to demonstrate that scammers would have few problems extracting personal information. This includes two fingerprint scans and a new six-digit PIN meant to be used as a digital signature for official government business and beyond." That was quick. Earlier this year, CCC hackers demonstrated vulnerabilities in German airport IDs, too.

24 of 86 comments

  1. OpenPGP by axx · · Score: 5, Insightful

    Sometimes I wonder why it isn't possible to declare/register a PGP public key as official, and use that to authentify oneself. I mean, with that even email can be secure. Oh well, too complicated for the "general public" I guess, I mean keeping a spare of your (digital) key? That's far too complicated!

    --
    No wit here.
    1. Re:OpenPGP by Chris+Mattern · · Score: 4, Insightful

      Oh well, too complicated for the "general public" I guess, I mean keeping a spare of your (digital) key? That's far too complicated!

      Keeping a copy of your private key *securely*. Yes, it's been amply demonstrated that nothing left under the control of the average user can be counted on to stay secure. And once someone else gets access to your private key, you're royally screwed.

    2. Re:OpenPGP by Monkeedude1212 · · Score: 4, Funny

      Yes, it's been amply demonstrated that nothing left under the control of the average user can be counted on to stay secure.

      It's because the "average user" has a girlfriend who can't keep a damn secret.

      Luckily - we don't have that problem.

    3. Re:OpenPGP by Anonymous Coward · · Score: 2, Insightful

      That's not an insurmountable problem, however. Indeed, it's more or less the same problem that any of these sorts of devices/designs (secure IDs) will face. Using asymmetric encryption just provides a better base. Also, the solution is already halfway complete:
      http://en.wikipedia.org/wiki/Smart_Card#Cryptographic_smart_cards

    4. Re:OpenPGP by Anonymous Coward · · Score: 2, Informative

      Private keys have passwords which *should* protect the key if someone gets a hold of your private key.

      Ofc, if you're dumb enough to have no password or something that can easily be bruteforced, then it's your problem.

    5. Re:OpenPGP by mea37 · · Score: 2, Insightful

      Right, for the government to expect you to keep a number secure, knowing that if that number were exposed then someone could steal your identity, and to then rely on that number to identify and authenticate someone wishing to do business with them; that would be unthinkable.

    6. Re:OpenPGP by electricprof · · Score: 3, Insightful

      Aren't girlfriends creatures of myth like Santa Claus, the Easter Bunny and Honest Lawyers?

    7. Re:OpenPGP by LordKronos · · Score: 4, Interesting

      And once someone else gets access to your private key, you're royally screwed.

      Royally screwed? I thought that's what key revocation was for. With PGP, you just revoke the old, generate a new key, and you are good to go from there on out. But how exactly do you revoke and reissue fingerprints?

    8. Re:OpenPGP by fluffy99 · · Score: 2, Insightful

      Even smartcards, which never expose the private key, are at risk. If you have a compromised computer, someone can remotely use your smartcard whenever it's inserted into the machine. Even hardware tokens with changing values are at risk to a keylogger and a script that fires off before the token PIN changes.

      It all boils down to the fact that if the computer isn't trustworthy, then anything you put in the computer is at risk.

    9. Re:OpenPGP by jjinco33 · · Score: 2, Funny

      Painfully.

      --
      Meh.
  2. Alle Ihre Passe sind gehoren uns by Anonymous Coward · · Score: 3, Funny

    Alle Ihre Pässe sind gehören uns

    Yes, that is what you think it is: A corrupt translation of a corrupt translation.

  3. three courses of action... by gandhi_2 · · Score: 5, Insightful

    1: fix the problems.
    2: abandon the plan.
    3: arrest the people who embarrassed you, suppress any mention of the incidents.

    Hmmm... let's see...

  4. PGP not a panacea by perpenso · · Score: 3, Insightful

    Sometimes I wonder why it isn't possible to declare/register a PGP public key as official, and use that to authentify oneself. I mean, with that even email can be secure.

    An imperfect system can still be useful. If card/scanner misuse is on the order of handwritten signature misuse then replacing dead trees with some bits might be a good idea in many situations.

    The pgp digital sig proves it was sent by your computer perhaps, but not necessarily sent by you. There is a genuine need for biometrics to be involved. Note that a handwritten signature is a form of biometric ID and like the card/scanner system it can be faked. This is why for more important situations a signature must be witnessed and possibly notarized. The card/scanner system can similarly escalate the process for more important situations. For example when someone uses a bank's ATM a swipe and a pin are sufficient. When they walk up to a teller for larger transactions then a swipe and a pin could be augmented with a photo being displayed on the teller's screen. Banks often have such photos for embedding into ATM and credit cards.

    1. Re:PGP not a panacea by malloc · · Score: 2, Informative

      The pgp digital sig proves it was sent by your computer, or any other digital device in the universe that has a copy of your key, but not necessarily sent by you.

      FTFY.

      --
      ___________________ I want to be free()!
  5. Ugh: Identification vs authentication by jwiegley · · Score: 5, Insightful

    When the hell are security "professionals" going to wake up and realize that secure access to something requires three items: identification, authentication and authorization. You CANNOT store the authentication credential with the identification. It is 100% stupid to store the pin on the identification device. Authentication credentials and authorization decisions must be kept by, and made by, the service provider. The only item that should be left with the consumer is an identification badge.

    For instance, a national "ID Card" is actually a good thing IF the only thing it has stored on it or about it is the owner's identification, i.e. name and unique ID number. The ONLY thing the card should provide is a way to contact a national database/server which requires two things, the unique, public ID number from the card and a fingerprint (which is NOT stored or printed on the card in any way). The ONLY information the server should return is "Yes" or "No". But see... the fingerprint cannot be stored on the card in any way for the same reason that the pin in the post should never be stored on the card. If somebody other than the legitimate owner comes into possession of the card then he possesses both the identification AND the authentication pieces of the puzzle and can do whatever the legitimate owner was authorized to do.

    Security: it's simple. f*cking learn it.

    --
    I will never live for sake of another man, nor ask another man to live for mine.
    1. Re:Ugh: Identification vs authentication by Anonymous Coward · · Score: 2, Informative

      The PIN is not stored on the card. The whole summary is quite misleading.

      - This is not about extracting information from the ID card (be it PINs, finger prints or whatever)
      - it has nothing to do with the RFID chip

      What the CCC demonstrated is that, by typing your PIN on your PC keyboard, it can be logged by a key logger if your PC is infected by such a program.

      The main problem is that the government wants to distribute "starter kits" with a simple card reader making use of the PC keyboard to enter the PIN. More secure (and a bit more expensive) card readers with their own keypad eliminate this problem.

    2. Re:Ugh: Identification vs authentication by wiedzmin · · Score: 4, Insightful

      Now if only security professionals were involved in making top-level (government) decisions, we'd be set. Unfortunately these are made by sales and marketing people - the solution that gets implemented is the one that 'wins the contract', not the one that works the best... unfortunately security professionals and technical people do not make the best salesmen. All too often a contract is won because of a good game of golf, or a sexy slide deck.

      --
      Bow before me, for I am root.
    3. Re:Ugh: Identification vs authentication by cdrguru · · Score: 2, Interesting

      Not entirely a bad idea, but the concept behind storing the information on the device itself is so that nobody except the owner has possession of it. And, in theory, every authorized agency has immediate access to the information if they have physical access to the device.

      The alternative is a massive database that virtually every government agency needs to access with everyone's information in it. Data mining that carries substantial risks but is an opportunity that just couldn't be denied. Also, because of the widely disparate agencies that need access what you end up with is something that is so open that everyone can get at it.

      Think of the DMV data in the US. It is centralized by state but the police and DMV agents have access. As well as a few other agencies. Oh, and by the way, just about every private investigator has access. Now in most states because it was so wide open they got trapped into basically selling access subscriptions. So there are a few hundred organizations that pay for access to every state's records.

      This is the scenario they are trying to avoid with having the person possess their own information and not having it in some large virtually uncontrollable database. Too many people need access - probably legitimately - but access for short periods of time for well defined purposes that happen to also include having the person in front of them.

      The big national database might be a good idea, but the control and access problems have already been seen in way too many situations.

  6. Re:Well duh. by lennier1 · · Score: 2, Insightful

    You're talking about the same government whose politicians during the national election thought a mere DNS-based filter could stop the problem of child pornography on the net.

  7. Government's reply: Stick Head in Sand by Posting=!Working · · Score: 2, Interesting

    "Meanwhile on Tuesday the Federal Office for Information Security (BSI) rejected the Plusminus' criticism of the new ID card. The agency's personal identification expert Jens Bender said the card was secure"

    It's not secure. They just hacked it without special equipment, they used the scanner that you provide. Saying it's secure in response just means you're

    Your ATM card doesn't have your pin on it. Neither does your credit card, or your student ID, employee ID, etc. unless someone really stupid designed the system. How does this get missed? Why are the fingerprint scans on there? Did more than one person look at the plan before they went ahead with it?

    This is one of the largest mind-blowingly stupid decisions I've heard lately.

    --
    This sentence no verb.
    1. Re:Government's reply: Stick Head in Sand by Peeteriz · · Score: 3, Informative

      It's far safer than magnetic cards; I've heard no fraud cases where the PIN has been successfully extracted from the chip or the chip data cloned - reading the chip's contents would generally be far more expensive than the maximum money limits on the card. Mag-stripe cards can be cloned by a cafe waiter or a tiny 10$ device hidden on an ATM and then your money used in any place that "verifies" only signatures.

      Also for the ID card - if it has some way to send the fingerprint data or encryption key outwards, then that is a design fuckup; but if it is only able to verify pin and sign message packets with the key if the pin is valid, and permanently erase the key if pin is entered wrongly a few times, then the security is quite adequate.

  8. Re:Phone/Notebook Fingerprint Scanners? by Archangel+Michael · · Score: 2, Informative

    According to Mythbusters (whatever you think of the show), getting a fingerprint is easy, and the scanners aren't that great at telling fakes from the real. You should watch that episode, it is quite revealing. The expensive scanner was worse than the one built into the laptop.

    So, I wouldn't count on that to secure your Laptop/Phone.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  9. Re:Why haven't gubbermints... by jgtg32a · · Score: 2, Informative

    DNA scans take a long time

  10. Actually ... by garry_g · · Score: 2, Informative

    ... it's not the ID card itself they managed to hack, but a basic reader ...
    Germany planned on handing out free readers (something like 1 million of them) for the ID cards, enabling people to sign electronic messages and the likes ... Now, while the idea might sound good, they decided on giving out the cheapest kind of readers, which are basically JUST readers. They rely on the PC to enter the code for the card. This is where the attack was targeted - using some PC software, they managed to record the information sent to and from the reader. Once you have the code, you could then steal the ID and use it to fake your identity. More expensive readers have displays and keypads that keep all unlocking away from the actual PC, so keyloggers or similar won't be able to steal the code ...
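
Added example, not part of the thread and not code from the CCC, the BSI or any commenter: a toy Python model of the two reader types described in the comments above, together with the on-card PIN check, retry limit and key erasure that Peeteriz describes. All class and function names, the three-try limit, the sample PIN and the HMAC standing in for the card's real signature are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Card:
    """Toy card: PIN is checked on-card and the key never leaves it."""
    MAX_TRIES = 3  # assumed limit, not the real card's value

    def __init__(self, pin: str):
        self._pin = pin.encode()
        self._key = secrets.token_bytes(32)
        self._tries = self.MAX_TRIES

    def sign(self, pin: str, message: bytes) -> bytes:
        if self._key is None:
            raise PermissionError("card blocked: key erased")
        if not hmac.compare_digest(pin.encode(), self._pin):
            self._tries -= 1
            if self._tries == 0:
                self._key = None  # erase after too many wrong PINs
            raise PermissionError("wrong PIN")
        self._tries = self.MAX_TRIES
        # HMAC stands in for the card's real signature operation.
        return hmac.new(self._key, message, hashlib.sha256).digest()


class Host:
    """The PC; `seen` is everything software running on it can observe."""
    def __init__(self):
        self.seen = []


def basic_reader_sign(host, card, pin, message):
    # Basic reader: PIN is typed on the PC keyboard, then forwarded.
    host.seen += [pin, message]
    return card.sign(pin, message)


def pinpad_reader_sign(host, card, pin, message):
    # Keypad reader: PIN goes reader -> card; the PC only supplies the message.
    host.seen.append(message)
    return card.sign(pin, message)


def pin_exposed_to_host(reader, pin="123456"):  # constructed six-digit PIN
    host, card = Host(), Card(pin)
    reader(host, card, pin, b"constructed message")
    return pin in host.seen
```

In both models the host still chooses the message that gets signed, which is the residual risk fluffy99 raises for smartcards on a compromised computer.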