Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security App For the New German Personal ID Hacked

Posted by samzenpus on from the why-can't-I-be-you dept.

prefec2 writes "On Nov. 1st Germany started to issue new personal ID cards which include a security chip. In combination with a reading device and an application on a PC at home, secure transactions can be made. However, the required application can be compromised using DNS spoofing and a wrong SSL certificate (article in German)."

15 of 93 comments (clear)

  1. What is the appropriate system, then? by BadAnalogyGuy · · Score: 2, Interesting

    If you have need for such an identification card and trackable number within the government database to allow you access to government services such as healthcare, what is the best identification system in that case?

    1. Re:What is the appropriate system, then? by wvmarle · · Score: 4, Informative

      You probably didn't/couldn't read the article (it's in German after all, not everyone can read that). I did, hereby summary/translation of what's going on. Hoping I understand all correctly, so other posters please correct me when I'm wrong!

      It's got nothing to do with the ID card itself, or identification to the government with it.

      Basically the vulnerability is in the update function of the AusweisApp software. It starts with hijacking the DNS query for the update server, and redirect the app to a (malicious) server, which pretends to be the real deal. Then when the fake update server presents the software with a valid SSL certificate, AusweissApp accepts this without checking whether the certificate has been issued in the correct name (I hope I translate this well - anyway the SSL certificate is not checked properly, the core of the vulnerability), and will happily download a .zip file which is supposed to be the update for itself. Updates are distributed as .zip files.

      So this is vulnerability part 1: you can have it download the wrong file.

      But now it's part 2: the software will unpack the zip file before asking authorisation, and using relative path names for files in the zip archive malicious software can be placed on the user's hard disk. This of course is also an issue, it should unpack the zip in one location and disregard path names if any.

      So there you have it: a glaring vulnerability that allows for remote installation of software.

      The article notes they contacted the issuer of the software, who at first answered "we will look into this issue and if there really is a vulnerability issue an update", later they pulled the current version of the app from their download site without giving further explanation on why it's not available anymore.

    2. Re:What is the appropriate system, then? by timbo234 · · Score: 2, Informative

      The ID cards for the health system are a completely different thing in Germany. Since it's run on the basis of insurance companies* (Krankenkassen) you get a normal chip-and-PIN card from your insurance company that you then give to the doctor or hospital staff when it comes time do sort out the paperwork.

      These ID cards on the other hand are only for German citizens and are issued by the federal government and have a much more general usage. Foreigners like me who live here can't get a German ID card and everybody will still have to have a health insurance card.

      * Organised through insurance companies but not like the US - it's universal healthcare and still majority taxpayer-funded

      --
      Pre-canned Evolution Links for all those Slashdot holy wars.
  2. Well now. by Black+Parrot · · Score: 2, Funny

    (article in German)

    Most of us will have an excuse not to read TFA this time.

    (As if lack of an excuse ever made much difference.)

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:Well now. by rolfwind · · Score: 2, Insightful

      We no longer live in the days of Babelfish being the only game in town. Google Translate does a passable (but far from perfect) job:

      http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=auto&tl=en&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FNeuer-Personalausweis-AusweisApp-mit-Luecken-2-Update-1133376.html

  3. I can guess the word most Germans said... by beefnog · · Score: 2, Funny

    Scheisse!

    1. Re:I can guess the word most Germans said... by maxwell+demon · · Score: 3, Informative

      Depends on if you are Swiss :-)
      In Germany it's Scheiße, in Switzerland it's Scheisse.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  4. Not quite by Anonymous Coward · · Score: 2, Informative

    "The best-laid schemes o' mice an' men, gang aft agley,"

    And for one, Shakespeare wasn't Scottish...

  5. The new ID sounds good - really! by bradley13 · · Score: 5, Interesting

    First, to TFA: there is no problem with the ID itself, just with the security of the special PC software than can work with them. As most /.ers know, there is quite a hacker community in Germany, and these problems are really not too bad. In order to compromise the software you first have to do a DNS hack, then fake a certificate, then... In a nutshel, yes, there are problems, but they aren't too bad and will be relatively easy to fix.

    The ID itself is really cool. Among other things, it supports secured anonymous transactions. How many governments are there that willingly support anonymity for their citizens?

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:The new ID sounds good - really! by wvmarle · · Score: 3, Informative

      Any valid SSL certificate will do; it's not checked. That's the main problem.

  6. Re:Can someone explain, bitte? by toetagger · · Score: 2, Interesting

    This is nothing else than a security hole in an piece of software. It can be used to install and potentially execute malicious code on the computer. This could include the normal Zeus bot, or a key logger. In case of a key logger, it could be possible to spy the PIN associated with the ID. So if then you can also steal the ID card somehow, ... you can think of the rest.

  7. You don't know the best things about the ID, yet by koinu · · Score: 4, Informative

    You have to know that our (German) current ID card is being photocopied for many kinds of quick transactions/deals. Someone can give you something without paying in advance and you give him a copy of your ID card, so he can find you, when you forgot to pay or give something back. You can optionally give the ID card directly as security.

    Now... the new ID... it is explicitly forbidden to photocopy it and even leave it unattended somewhere.

    Why? Because there are some critical numbers printed on the new German ID cards that no one should know. Isn't it great? Imagine that someone printed your social security number on your new "great and modern ID card"!

    And here comes the first loop hole: banks always have needed and still will need your ID card photocopied to open an account. Guess what happens? They will get a special permit to do this (it has been already decided to keep the current account registration system working).

  8. Very bad PR, but nothing extraordinary by joh · · Score: 2, Interesting

    This is very bad PR for the new ID, but neither the ID card nor the software has been hacked yet. This is just another way to install some malware on a computer.

    I have no doubt though that worse things will happen. The mistakes made here are so glaringly obvious that it's hard to believe that there aren't other holes to be found.

  9. Re:Bundestrojaner by maxwell+demon · · Score: 2, Insightful

    But for that, they would not need to add that security hole. They could just install it from the regular update server of the app. Or redirect DNS, but use the original certificate.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  10. Re:You don't know the best things about the ID, ye by ArsenneLupin · · Score: 2, Informative

    Do you ever eat at nice restaurants?

    That was ten years ago, when the waiter had to take your card backstage to get the imprimt.

    Nowadays, they do have those small portable readers which they bring right to your table. The card no longer leaves your sight...

    ...not that it would matter though, because there is no way to tell whether this is a legitimate reader or just some skimming device... especially since there are hundreds of different makes and looks of these readers.