Security App For the New German Personal ID Hacked

prefec2 writes "On Nov. 1st Germany started to issue new personal ID cards which include a security chip. In combination with a reading device and an application on a PC at home, secure transactions can be made. However, the required application can be compromised using DNS spoofing and a wrong SSL certificate (article in German)."

The new ID sounds good - really!

[bradley13]

First, to TFA: there is no problem with the ID itself, just with the security of the special PC software than can work with them. As most /.ers know, there is quite a hacker community in Germany, and these problems are really not too bad. In order to compromise the software you first have to do a DNS hack, then fake a certificate, then... In a nutshel, yes, there are problems, but they aren't too bad and will be relatively easy to fix.

The ID itself is really cool. Among other things, it supports secured anonymous transactions. How many governments are there that willingly support anonymity for their citizens?

You don't know the best things about the ID, yet

[koinu]

You have to know that our (German) current ID card is being photocopied for many kinds of quick transactions/deals. Someone can give you something without paying in advance and you give him a copy of your ID card, so he can find you, when you forgot to pay or give something back. You can optionally give the ID card directly as security.

Now... the new ID... it is explicitly forbidden to photocopy it and even leave it unattended somewhere.

Why? Because there are some critical numbers printed on the new German ID cards that no one should know. Isn't it great? Imagine that someone printed your social security number on your new "great and modern ID card"!

And here comes the first loop hole: banks always have needed and still will need your ID card photocopied to open an account. Guess what happens? They will get a special permit to do this (it has been already decided to keep the current account registration system working).

Re:What is the appropriate system, then?

[wvmarle]

You probably didn't/couldn't read the article (it's in German after all, not everyone can read that). I did, hereby summary/translation of what's going on. Hoping I understand all correctly, so other posters please correct me when I'm wrong!

It's got nothing to do with the ID card itself, or identification to the government with it.

Basically the vulnerability is in the update function of the AusweisApp software. It starts with hijacking the DNS query for the update server, and redirect the app to a (malicious) server, which pretends to be the real deal. Then when the fake update server presents the software with a valid SSL certificate, AusweissApp accepts this without checking whether the certificate has been issued in the correct name (I hope I translate this well - anyway the SSL certificate is not checked properly, the core of the vulnerability), and will happily download a .zip file which is supposed to be the update for itself. Updates are distributed as .zip files.

So this is vulnerability part 1: you can have it download the wrong file.

But now it's part 2: the software will unpack the zip file before asking authorisation, and using relative path names for files in the zip archive malicious software can be placed on the user's hard disk. This of course is also an issue, it should unpack the zip in one location and disregard path names if any.

So there you have it: a glaring vulnerability that allows for remote installation of software.

The article notes they contacted the issuer of the software, who at first answered "we will look into this issue and if there really is a vulnerability issue an update", later they pulled the current version of the app from their download site without giving further explanation on why it's not available anymore.