Security App For the New German Personal ID Hacked
prefec2 writes "On Nov. 1st Germany started to issue new personal ID cards which include a security chip. In combination with a reading device and an application on a PC at home, secure transactions can be made. However, the required application can be compromised using DNS spoofing and a wrong SSL certificate (article in German)."
I think it was that Shakespeare dude who said, "The best laid schemes of mice and men. Go oft awry"
Or, as the philosopher Simpson said, "D'oh!"
Mod down people who tell people how to mod in their sigs
If you have need for such an identification card and trackable number within the government database to allow you access to government services such as healthcare, what is the best identification system in that case?
(article in German)
Most of us will have an excuse not to read TFA this time.
(As if lack of an excuse ever made much difference.)
Sheesh, evil *and* a jerk. -- Jade
Scheisse!
"The best-laid schemes o' mice an' men, gang aft agley,"
And for one, Shakespeare wasn't Scottish...
How does it matter? Does it let you get the secret key from a card, or somehow pretend to have a different ID?
I thought the point of using a smartcard is that PCs cannot be trusted.
Is this about a MiTM attack without physical access to the PC?
First, to TFA: there is no problem with the ID itself, just with the security of the special PC software that can work with them. As most /.ers know, there is quite a hacker community in Germany, and these problems are really not too bad. In order to compromise the software you first have to do a DNS hack, then fake a certificate, then... In a nutshell, yes, there are problems, but they aren't too bad and will be relatively easy to fix.
The ID itself is really cool. Among other things, it supports secured anonymous transactions. How many governments are there that willingly support anonymity for their citizens?
Enjoy life! This is not a dress rehearsal.
You have to know that our (German) current ID card is being photocopied for many kinds of quick transactions/deals. Someone can give you something without paying in advance and you give him a copy of your ID card, so he can find you, when you forgot to pay or give something back. You can optionally give the ID card directly as security.
Now... the new ID... it is explicitly forbidden to photocopy it and even leave it unattended somewhere.
Why? Because there are some critical numbers printed on the new German ID cards that no one should know. Isn't it great? Imagine that someone printed your social security number on your new "great and modern ID card"!
And here comes the first loophole: banks always have needed and still will need your ID card photocopied to open an account. Guess what happens? They will get a special permit to do this (it has already been decided to keep the current account registration system working).
...But they aren't functional yet. I think it's mostly intended for e-gov, though.
Emotions! In your brain!
I like this rule that forbids giving the card out of your hands. Hopefully it will put some common sense in some heads and I can stop shaking my head over all those idiots who willingly give their credit cards out of their hands and let people do stuff they can't see with it, but then wonder about their crazy bills.
And banks don't "need" an ID card or copies of an ID card to open an account. Any method which can prove that you are the guy who opened the account would do it.
Do you ever eat at nice restaurants?
For those who can't read German here's a basic summary of the article:
There is a vulnerability not in the ID cards but in the desktop software that makes use of them for authentication on the Net. This software's update mechanism is apparently vulnerable to a DNS spoofing attack that would allow a skilled attacker to download and unpack a ZIP file on the user's machine (but not directly execute any code). The article was updated to say that the government agency responsible for this software has stopped downloads of it as of yesterday and there's now a press release on that agency's website saying they're working on a fix:
https://www.bsi.bund.de/sid_9CC745E82FC9ED59215EB75FB9479819/ContentBSI/Presse/Pressemitteilungen/AusweisApp_101110.html (Also in German)
Pre-canned Evolution Links for all those Slashdot holy wars.
Just give them your passport. They will happily accept it. That's what I and most foreigners living in Germany use to authenticate, because we don't have an ID card.
Another potential hole here is the social aspect of the deployment: it is only for Germans. And you have a large percentage of foreigners living there, who use the same services as Germans. And I don't mean people from faraway countries. I mean even other Europeans who happen to live in Germany in accordance with all European rules.
These people use credit cards, do bank transactions, online shopping, etc. For these people, to which I belong, our only means of authenticating is the passport. So in the end every single procedure that does not wish to lock out non-Germans must have a way to not use this ID.
So yes, this new ID might protect some Germans, but if there is a workaround, loopholes will always be there.
This is not a bug, it's a feature.
Now they can upload their spying tool to everybody without a warrant. All they need to do is accidentally mix up the new release of the passport app with the trojan.
How do I uncompress my MD5 archive?
The current terms of service (which you accept when you get this thing) are that the program is safe by definition. The user has to keep the PC free of viruses. Zero-days are the user's fault as well, whatsoever.
Which basically means, whenever somebody does something bad with your ID, the damage is yours.
They even read, that you should only keep it on the card reader for the few seconds of usage.
As if those few seconds are not enough for an attack. One thing that already works easily with an exploited PC is remotely changing the user's PIN without him knowing. Well... this already is a damage for the user of a couple of euros plus time loss, because you have to go to the local citizen center. (Can anybody think of a nice DoS attack on the city centers?)
How do I uncompress my MD5 archive?
This is very bad PR for the new ID, but neither the ID card nor the software has been hacked yet. This is just another way to install some malware on a computer.
I have no doubt though that worse things will happen. The mistakes made here are so glaringly obvious that it's hard to believe that there aren't other holes to be found.
Yes. But that doesn't mean that I'd ever let anyone except closest friends take my credit card out of my sight.
I'm from Germany, and the usage of credit cards is not so widespread here as in the USA. If it's not a business related dinner, or some kind of bigger event, most people here usually pay cash in restaurants. And as I know how much the CC companies charge those poor shop owners, I tend to use a credit card only when paying in cash or with the bank card (don't know if there's something similar in the US, you use it to draw money from ATMs or pay in shops, works all over Europe, often even in shops who wouldn't accept Amex or Visa) is not possible.
Nowadays, they bring the (wireless) card reader to your table.
Banks generally do need to go above and beyond 'have a photo ID' to protect your money - they store the copy of your official ID to compare against the ID you (or "you") show next time, and to compare signatures, and to have a photo of the bad guy and solid evidence that it wasn't you if a forgery was presented the first time.
If you don't do this, then some shmuck with a forged ID can do stuff in your name. Oh - and that's the choice that most USA banks have made, so you suffer from identity theft much more than other nations do, as elsewhere just knowing your data is not that harmful to you.
Do you ever eat at nice restaurants?
That was ten years ago, when the waiter had to take your card backstage to get the imprint.
Nowadays, they do have those small portable readers which they bring right to your table. The card no longer leaves your sight...
Most restaurants I've eaten in either bring a wireless card processing handset to your table, or they have a point that you can go to to make a payment, or both. Very few seem to want to take the card away from the table by default, now - probably because people are a lot more cautious about letting them do so.
If the banks were suffering from their lax fraud controls, they would probably do something about it.
As it stands, the bank (the victim of the fraud that the bank failed to prevent) just pushes the problem off on some individual. So the laws are terrible there (it should be straightforward for someone to repudiate an account and hear nothing more from the institution that mistakenly opened said account).
Nerd rage is the funniest rage.
There is another little problem, namely that in many countries outside Germany, hotels, conference organizers and who else knows will absolutely require you to make a copy of your ID card, and sometimes this even seems to be required by law (e.g. hotels in France and Spain really insist on that). Also, take for example Portugal, where I'm living right now. If somebody comes for a conference to our place and wants to get refunded for travel expenses, accommodation, or anything like that, we need to get a copy of his passport or ID card; otherwise we simply cannot refund the speaker, no matter how famous he or she might be. You can, of course, complain about these kinds of practices, but that will not help you get your money. The bottom line is that if you're traveling a lot to conferences like I do, there will be dozens to hundreds of copies of your German ID card lying around at all kinds of obscure places, open for abuse. (Unless you use your passport, which is obviously recommended.)
True, credit cards aren't used that often outside online/mail-order transactions and what's referred to as "EC cards" is a different kind of animal ( http://en.wikipedia.org/wiki/Cheque_guarantee_card ).
The scan of your ID card also serves a second purpose. In case your wallet is stolen you simply provide your name, address and date of birth, and together with a visual confirmation they'll let you withdraw money at the counter until your replacement bank card is mailed to you.
A quick translation, please excuse my grammar.
The software for the new identity cards hasn't made a good start. On Monday evening the AusweisApp (IdentityApp) was published. Today, Tuesday morning, Jan Schejbal, from the Pirate Party Germany, blogged about an exploit which exploits two design flaws in the update routine. This exploit, however, does not attack the ID card itself; instead it allows the installation of software on the PC where the IdentityApp is running.
The IdentityApp establishes an SSL connection to the server that delivers the updates. Here is where the first vulnerability happens: it checks if the certificate is valid, however not if the host originates from the regular update server. Due to this a DNS spoof succeeds: attacks on www.ausweisapp.bund.de and download.ausweisapp.bund.de spoof to a desired server with a valid SSL certificate, which gets the AusweisApp to download its updates from there.
The desired server can now exploit the update function to download a desired zip file and to extract it. A few of them consist of installation files; however, they can only be executed when they have the correct signature. But the extraction of the archive is already a security risk, as the vulnerability allows unwanted data to be placed on the ID card owner's PC.
The exploit that Schejbal offers as a download consists of an expired SSL certificate, which works when the system time on Windows is set back. Two PCs are required: a client with the AusweisApp, and a server which has Python 2.6 and nmap installed. Spoof the client to the aforementioned server (by modifying the hosts file) and pass the IP address in the response data; then with the next update of the AusweisApp a file lands in the Autostart folder of the client. This succeeded in the editorial office under Windows XP as well as Windows 7.
Although the security of the ID card is not directly exploited, these two simple failures (failing SSL certificate validation, as well as extraction of the received archive without signature validation) in this BSI-tested software are very surprising. We requested an opinion from BSI, but confirmation of the exploit hasn't yet happened.
Update: Late Tuesday evening, BSI's press department has given the following opinion: "The media is currently reporting a perceived security hole in the AusweisApp, that is for the use of the eID function of the new ID card. BSI is currently checking together with the software developer if the described exploit is feasible, and what measures against it are required. Should a vulnerability exist in the software, then BSI will provide, without delay, a new version of the software and inform the public accordingly."
Update 2: Currently (Wednesday afternoon) the download of the AusweisApp is no longer possible. An explanation from BSI over the failure is to stop the download, but a fix is currently not available.
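The two defects the summary above and this translation describe (a TLS check that accepts any valid certificate without matching it against the update host, and an update archive unpacked before any signature check) are both client-side and both cheap to close. The following is an added example written for this thread, not code from the AusweisApp, the article or BSI; the verification key, the host name and the archive contents are constructed stand-ins, and the HMAC over the archive stands in for the vendor's real asymmetric signature. It also rejects archive members whose paths would escape the update directory, the path-traversal case that lets an unpacked file land somewhere like an Autostart folder.

```python
"""Hardened update-fetch routine: hostname-checked TLS, signature check
before unpacking, and traversal-safe member paths.
Added example; not the AusweisApp's code."""
import hashlib
import hmac
import io
import ssl
import zipfile
from pathlib import PurePosixPath

# Constructed verification key: stands in for the vendor's public key.
# A real updater would verify an asymmetric signature (e.g. Ed25519)
# shipped alongside the archive, never a shared secret on the client.
UPDATE_KEY = b"constructed-demo-update-key"
# Placeholder host name; the real update host is not assumed here.
UPDATE_HOST = "download.update-host.invalid"


def make_tls_context():
    """Client context that verifies the chain AND that the leaf certificate
    is issued for UPDATE_HOST. The flaw described in the article was a
    valid chain for some other name being accepted."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True   # server_hostname must match the certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def sign_archive(data, key=UPDATE_KEY):
    """Stand-in for the vendor's signing step (HMAC-SHA256 hex digest)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_archive(data, signature, key=UPDATE_KEY):
    """Constant-time comparison so a wrong signature leaks no timing info."""
    return hmac.compare_digest(sign_archive(data, key), signature)


def safe_member_name(name, allowed_root="update/"):
    """Reject absolute paths, drive letters, '..' components and any member
    that would land outside allowed_root."""
    normalized = name.replace("\\", "/")
    if ":" in normalized:          # Windows drive or stream prefix
        return False
    p = PurePosixPath(normalized)
    if p.is_absolute() or ".." in p.parts:
        return False
    return str(p).startswith(allowed_root)


def apply_update(archive_bytes, signature, key=UPDATE_KEY):
    """Verify first, unpack second. Returns {member: content} staged in
    memory; raises ValueError and stages nothing if any check fails."""
    if not verify_archive(archive_bytes, signature, key):
        raise ValueError("update signature invalid: refusing to unpack")
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = zf.infolist()
        # Validate every path before reading a single byte of content.
        for info in members:
            if not safe_member_name(info.filename):
                raise ValueError(f"unsafe member path: {info.filename}")
        return {info.filename: zf.read(info)
                for info in members if not info.is_dir()}


def build_archive(members):
    """Constructed helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_archive({"update/app.bin": b"new build"})
    print(apply_update(good, sign_archive(good)))
    evil = build_archive({"../Startup/run.exe": b"x"})
    try:
        apply_update(evil, sign_archive(evil))
    except ValueError as e:
        print("rejected:", e)
```

The order matters: the signature is checked over the whole archive before the ZIP is even parsed, so a spoofed server that wins the DNS race still delivers nothing the client will open, and a path check over all members runs before any content is read, so a partially-unpacked malicious archive cannot occur.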
You mean like on my driver's license here in the US up until a few years ago? That's why my new driver's licenses always had an unfortunate encounter with a belt sander soon after issue.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
"It starts with hijacking the DNS query for the update server, and redirect the app to a (malicious) server, which pretends to be the real deal." - by wvmarle (1070040) on Thursday November 11, @02:51AM (#34194088)
Per my subject-line above, a CUSTOM HOSTS FILE is one way to bypass this as being a threat!
(On a PC or anything with a BSD based IP stack, which is pretty much everything nowadays that uses the internet afaik)
You'd be "proof" to this, via using a custom HOSTS file, albeit one that uses "hardcoded" IP Address - TO - domainnames/hostnames. This makes your own system be its own "DNS server" (minus the CPU cycles, RAM, & other forms of I/O necessary if you run a DNS server yourself, since the HOSTS file is really just a filter for the IP stack which you yourself have COMPLETE control over no less).
Now - There's also alternate DNS servers folks MIGHT use, such as OpenDNS or ScrubIT DNS!
However, iirc?
Those aren't anymore "proof" vs. Dan Kaminsky's findings (iirc, the explanation I am giving next, though simplified, is how it works) on how to "spoof" a domain/host name resolution to a specific IP address anymore than your std. ones from your ISP/BSP really!
(Which the "Kaminsky DNS flaw" works, iirc/afaik, by sending droves of false equations of this nature to a certain DNS server OR its "upstream" ones it references, before a true & valid one can get to said DNS server).
A nice "side benefit" of this is that if your DNS you use IS thus hijacked, or even if it "goes down" (Crashes)? You'll still be able to reach sites you need to.
APK
P.S.=> Also/lastly: Secure DNS anyone? Now, iirc, didn't the US Gov't. switch its servers over to this, and not too long ago?? At least SOMEONE did, and I find it sort of surprising others have not... apk
Come on this was posted months ago: http://yro.slashdot.org/story/10/09/02/1747213/New-German-Government-ID-Hacked-By-CCC