Slashdot Mirror


Security App For the New German Personal ID Hacked

prefec2 writes "On Nov. 1st Germany started to issue new personal ID cards which include a security chip. In combination with a reading device and an application on a PC at home, secure transactions can be made. However, the required application can be compromised using DNS spoofing and a wrong SSL certificate (article in German)."


  1. Not quite by Anonymous Coward · · Score: 2, Informative

    "The best-laid schemes o' mice an' men, gang aft agley,"

    And for one, Shakespeare wasn't Scottish...

  2. You don't know the best things about the ID, yet by koinu · · Score: 4, Informative

    You have to know that our (German) current ID card is being photocopied for many kinds of quick transactions/deals. Someone can give you something without paying in advance and you give him a copy of your ID card, so he can find you, when you forgot to pay or give something back. You can optionally give the ID card directly as security.

    Now... the new ID... it is explicitly forbidden to photocopy it and even leave it unattended somewhere.

    Why? Because there are some critical numbers printed on the new German ID cards that no one should know. Isn't it great? Imagine that someone printed your social security number on your new "great and modern ID card"!

    And here comes the first loophole: banks always have needed and still will need your ID card photocopied to open an account. Guess what happens? They will get a special permit to do this (it has been already decided to keep the current account registration system working).

  3. Re:What is the appropriate system, then? by wvmarle · · Score: 4, Informative

    You probably didn't/couldn't read the article (it's in German after all, not everyone can read that). I did; here is a summary/translation of what's going on. Hoping I understand all correctly, so other posters please correct me when I'm wrong!

    It's got nothing to do with the ID card itself, or identification to the government with it.

    Basically the vulnerability is in the update function of the AusweisApp software. It starts with hijacking the DNS query for the update server, and redirecting the app to a (malicious) server, which pretends to be the real deal. Then when the fake update server presents the software with a valid SSL certificate, AusweisApp accepts this without checking whether the certificate has been issued in the correct name (I hope I translate this well - anyway the SSL certificate is not checked properly, the core of the vulnerability), and will happily download a .zip file which is supposed to be the update for itself. Updates are distributed as .zip files.

    So this is vulnerability part 1: you can have it download the wrong file.

    But now it's part 2: the software will unpack the zip file before asking authorisation, and using relative path names for files in the zip archive malicious software can be placed on the user's hard disk. This of course is also an issue, it should unpack the zip in one location and disregard path names if any.

    So there you have it: a glaring vulnerability that allows for remote installation of software.

    The article notes they contacted the issuer of the software, who at first answered "we will look into this issue and if there really is a vulnerability issue an update", later they pulled the current version of the app from their download site without giving further explanation on why it's not available anymore.
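
The two checks the comment above says the updater skipped, as an added Python example that is not part of the thread and not AusweisApp code: a TLS client context that requires the certificate to match the requested host name, and an extractor that rejects an update archive if any entry would land outside the target directory. All function names and the sample archives are constructed for illustration.

```python
import io
import os
import ssl
import zipfile


def update_tls_context() -> ssl.SSLContext:
    """TLS client context that checks the chain AND the server name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # certificate must match the host we asked for
    ctx.verify_mode = ssl.CERT_REQUIRED  # and chain to a trusted CA
    return ctx


def escaping_entries(archive: zipfile.ZipFile, dest: str) -> list[str]:
    """Return entry names that would resolve outside dest."""
    root = os.path.realpath(dest)
    bad = []
    for name in archive.namelist():
        # Treat backslashes as separators too, then resolve against dest.
        target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
        if os.path.commonpath([root, target]) != root:
            bad.append(name)
    return bad


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Validate every entry first; write nothing if any entry escapes dest."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        bad = escaping_entries(archive, dest)
        if bad:
            raise ValueError(f"refusing update archive, unsafe entries: {bad}")
        archive.extractall(dest)
        return archive.namelist()


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()
```

Validating the whole archive before extracting anything means a single bad entry leaves the disk untouched, and the check runs before the user is asked to approve the update.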

  4. Re:The new ID sounds good - really! by wvmarle · · Score: 3, Informative

    Any valid SSL certificate will do; it's not checked. That's the main problem.

  5. Re:What is the appropriate system, then? by timbo234 · · Score: 2, Informative

    The ID cards for the health system are a completely different thing in Germany. Since it's run on the basis of insurance companies* (Krankenkassen) you get a normal chip-and-PIN card from your insurance company that you then give to the doctor or hospital staff when it comes time to sort out the paperwork.

    These ID cards on the other hand are only for German citizens and are issued by the federal government and have a much more general usage. Foreigners like me who live here can't get a German ID card and everybody will still have to have a health insurance card.

    * Organised through insurance companies but not like the US - it's universal healthcare and still majority taxpayer-funded

    --
    Pre-canned Evolution Links for all those Slashdot holy wars.
  6. Re:I can guess the word most Germans said... by maxwell+demon · · Score: 3, Informative

    Depends on if you are Swiss :-)
    In Germany it's Scheiße, in Switzerland it's Scheisse.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  7. Re:What is the appropriate system, then? by Anonymous Coward · · Score: 1, Informative

    German citizens are required to carry their ID card at all times.

    This is wrong. http://de.wikipedia.org/wiki/Mitf%C3%BChrpflicht

  8. Re:You don't know the best things about the ID, ye by ArsenneLupin · · Score: 2, Informative

    Do you ever eat at nice restaurants?

    That was ten years ago, when the waiter had to take your card backstage to get the imprint.

    Nowadays, they do have those small portable readers which they bring right to your table. The card no longer leaves your sight...

    ...not that it would matter though, because there is no way to tell whether this is a legitimate reader or just some skimming device... especially since there are hundreds of different makes and looks of these readers.