Security App For the New German Personal ID Hacked
prefec2 writes "On Nov. 1st Germany started to issue new personal ID cards which include a security chip. In combination with a reading device and an application on a PC at home, secure transactions can be made. However, the required application can be compromised using DNS spoofing and a wrong SSL certificate (article in German)."
For those who can't read German, here's a basic summary of the article:
There is a vulnerability not in the ID cards but in the desktop software that makes use of them for authentication on the Net. This software's update mechanism is apparently vulnerable to a DNS spoofing attack that would allow a skilled attacker to download and unpack a ZIP file on the user's machine (but not directly execute any code). The article was updated to say that the government agency responsible for this software has stopped downloads of it as of yesterday and there's now a press release on that agency's website saying they're working on a fix:
https://www.bsi.bund.de/sid_9CC745E82FC9ED59215EB75FB9479819/ContentBSI/Presse/Pressemitteilungen/AusweisApp_101110.html (Also in German)
Pre-canned Evolution Links for all those Slashdot holy wars.