Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Privacy

Security App For the New German Personal ID Hacked 93

prefec2 writes "On Nov. 1st Germany started to issue new personal ID cards which include a security chip. In combination with a reading device and an application on a PC at home, secure transactions can be made. However, the required application can be compromised using DNS spoofing and a wrong SSL certificate (article in German)."
This discussion has been archived. No new comments can be posted.

Security App For the New German Personal ID Hacked

Comments Filter:
  • I think it was that Shakespeare dude who said, "The best laid schemes of mice and men. Go oft awry"

    Or, as the philosopher Simpson said, "D'oh!"

    • Not quite (Score:2, Informative)

      by Anonymous Coward

      "The best-laid schemes o' mice an' men, gang aft agley,"

      And for one, Shakespeare wasn't Scottish...

    • I don't think the men have got much do to with it.

    • I think it was that Shakespeare dude who said, "The best laid schemes of mice and men. Go oft awry"

      I doubt it - he knew better than to split the verb and the subject into two separate sentences.

  • If you have need for such an identification card and trackable number within the government database to allow you access to government services such as healthcare, what is the best identification system in that case?

    • by wvmarle ( 1070040 ) on Thursday November 11, 2010 @02:51AM (#34194088)

      You probably didn't/couldn't read the article (it's in German after all, not everyone can read that). I did, hereby summary/translation of what's going on. Hoping I understand all correctly, so other posters please correct me when I'm wrong!

      It's got nothing to do with the ID card itself, or identification to the government with it.

      Basically the vulnerability is in the update function of the AusweisApp software. It starts with hijacking the DNS query for the update server, and redirect the app to a (malicious) server, which pretends to be the real deal. Then when the fake update server presents the software with a valid SSL certificate, AusweissApp accepts this without checking whether the certificate has been issued in the correct name (I hope I translate this well - anyway the SSL certificate is not checked properly, the core of the vulnerability), and will happily download a .zip file which is supposed to be the update for itself. Updates are distributed as .zip files.

      So this is vulnerability part 1: you can have it download the wrong file.

      But now it's part 2: the software will unpack the zip file before asking authorisation, and using relative path names for files in the zip archive malicious software can be placed on the user's hard disk. This of course is also an issue, it should unpack the zip in one location and disregard path names if any.

      So there you have it: a glaring vulnerability that allows for remote installation of software.

      The article notes they contacted the issuer of the software, who at first answered "we will look into this issue and if there really is a vulnerability issue an update", later they pulled the current version of the app from their download site without giving further explanation on why it's not available anymore.

      • Would this be a satisfactory system if this hole were plugged?

        The problem is whether there is any satisfactory system given the likelihood of whiny Slashbots complaining about either loss of privacy, insecure maintenance of critical information, and threat to identity security. If the default posture is "it will be hacked" to any proposal for a necessary identification system such as this, how could such a system be designed so that these objections are unwarranted?

        As we Americans move towards a national he

        • Re: (Score:3, Informative)

          by timbo234 ( 833667 )

          The ID cards for the health system are a completely different thing in Germany. Since it's run on the basis of insurance companies* (Krankenkassen) you get a normal chip-and-PIN card from your insurance company that you then give to the doctor or hospital staff when it comes time do sort out the paperwork.

          These ID cards on the other hand are only for German citizens and are issued by the federal government and have a much more general usage. Foreigners like me who live here can't get a German ID card and ev

          • Foreigners like me who live here can't get a German ID card and everybody will still have to have a health insurance card.

            I'd replace can't with are not required to. I'm happy that I don't have a German ID card; I don't like carrying around government issued cards with chips. German citizens are required to carry their ID card at all times. The police can request to see your ID card at any time for no reason, and can fine you if you do not have it with you. But the police usually only do this to people who are causing trouble. "Papers, please!"

            I don't have a health insurance card either, since I an insured through a priv

            • Re: (Score:1, Informative)

              by Anonymous Coward

              German citizens are required to carry their ID card at all times.

              This is wrong. http://de.wikipedia.org/wiki/Mitf%C3%BChrpflicht [wikipedia.org]

              • Correct, you are required to own one, but there is no law that requires you to keep it on you at all times. Although most Germans do not know this either.
                • Correct, you are required to own one, but there is no law that requires you to keep it on you at all times. Although most Germans do not know this either.

                  Law or not, the question is: if an officer asks you for it and you don't have it, what, if any, are the consequences? The legality of the matter is often less important than how you are treated by law enforcement. In the U.S., there are laws about what a cop can and cannot demand from you in specific circumstances: but even when they don't have the right, they may still expect you to obey and give you a hard time if you don't. Depends upon where you are, in many cases: I know there are some towns that I sim

                  • It really depends on the situation. If they suspect you of wrongdoing , they will take you to the station to verify your identity. If they ask you for it during a traffic stop or similar, they won't do anything else (they already have your drivers license). So you are partly right, it can be more bothersome if you do not have your license on you, but in the end it doesn't really matter. Concerning German police being more civil: After Hitler with Gestapo and SS the government has really tried to make a poin
            • German citizens are required to carry their ID card at all times. The police can request to see your ID card at any time for no reason, and can fine you if you do not have it with you. But the police usually only do this to people who are causing trouble. "Papers, please!"

              http://de.wikipedia.org/wiki/Personalausweisgesetz [wikipedia.org]
              Funnily enough this law applies to foreigners in Germany as well, meaning you have to carry around your passport or some other identification, eg. drivers licence.

              Private insurance is a lo

              • Funnily enough this law applies to foreigners in Germany as well, meaning you have to carry around your passport or some other identification, eg. drivers licence.

                In 20+ years of living in Germany, only once have the police requested an ID from me. I was walking near an area with bars and nightclubs, where there is often trouble. My drivers license and my accent were enough to convince them that I was not the person they were looking for. The police in Germany are always quite polite . . . and like any

                • In 20+ years of living in Germany, only once have the police requested an ID from me.

                  Same with me - in over 2 years I've never been asked for ID, doesn't change the fact that the law applies to foreigners like us as well.

                  It's not ideological, rather empirical. My girlfriend (state insured) had an allergy problem, and had to first go to her General Praticioner (Hausartz) to get a referral to an allergy specialist, who did a set of allergy tests. Since they all came up negative, the doctor needed to do anothe

                  • Plus with private insurance you have no choice what you can send or not - you have to send exactly what the insurance company requires of you.

                    Be careful there! An insurance company may request information, implying that it is required, that they are not, by law, entitled to. This happened to me. I showed the written request for information to my doctor, and he was angry at the insurance company, and said, "They have no right to that information, and they know it. Just ignore the letter!" So if your i

                    • Be careful there! An insurance company may request information, implying that it is required, that they are not, by law, entitled to. This happened to me.

                      Ok but at a minimum they're going to be able to demand the same information as is on the Krankenkasse cards aren't they? I mean demand as in say if you dont give us the info we don't pay you.

                      If I had a doctor visit that I don't want the insurance company to know about, I just don't submit it, and sit on the costs myself.

                      You could do the exact same thing a

              • German citizens are required to carry their ID card at all times.

                The law actually only has an Ausweispflicht (requirement to own an ID) but not a Mitführpflicht (requirement to carry ID at all times). Of course how that plays out in practice is another matter...

        • From other posts it seems that most people are quite positive about the card as such, that it even allows for anonymous transactions (how that matches an ID card I don't know - maybe that's explained elsewhere in this discussion; going to read myself again later on). And European countries in general are way more protective of their citizen's privacy than the US is.

          This security hole is a problem of the supporting software, how to get such software 100% secure I don't know. But not doing something as simpl

        • If the default posture is "it will be hacked" to any proposal for a necessary identification system such as this, how could such a system be designed so that these objections are unwarranted?

          It is abundantly clear to anyone willing to look that it can't. Centralization doesn't scale. Creating a single point of failure for an entire nation is stupid.

          As we Americans move towards a national healthcare system, this question will need to be answered soon.

          It won't be. It will be ignored.

      • by data2 ( 1382587 )

        Your summary seems correct. But he defeated another security measure through the zip file.

          Normally, only updates with a specific signature are installed. But as the updates are .msi-files packed in a zip, and the zip is unpacked without verification, one can use the zip with relative paths to install other software in the AusweisApp's context.

    • I'd think the best identification system would simply be based entirely on biometrics and querying a central server which matches the biometric data to an identity. So whatever security that is required is to ensure that the service is connected to the legitimate central server.

      Having a portable ID card does make things a lot more convenient though, not requiring a central server, but security gets a rather more complicated.

      1. You need a way to determine if the bearer of the ID card is the legitimate owner

      • by DrSkwid ( 118965 )

        You say unforgeable is impossible but suggest it is still worth trying. The harder something is to forge, the more faith will be placed in it making it more valuable to forge it, ergo more resources will be placed on trying to forge it.

        • No reason why an ID card can not be mighty hard to forge - I'm thinking encrypt data on the card with some digital signature, the secret key stored in a central database, and one unique key per card. Easy to create, easy to revoke. Optionally add part of the information in unencrypted format too for those situations where security is less strict.

      • by AGMW ( 594303 )

        I'd think the best identification system would simply be based entirely on biometrics ...

        OK, now what if someone is able to clone your biometrics to impersonate you (see German magazine that got a fingerprint of some German Gov official and distributed it on some suitable sticky film with their mag so anyone could leave that official's fingerprints all over the place).
        So now what if someone can hack the central server to change your biometric info to their biometric info? They are now, to all intents and purposes, you.

        If someone discovers your password or pin you can change it, if someone c

  • Well now. (Score:3, Funny)

    by Black Parrot ( 19622 ) on Thursday November 11, 2010 @01:18AM (#34193802)

    (article in German)

    Most of us will have an excuse not to read TFA this time.

    (As if lack of an excuse ever made much difference.)

  • How does it matter? Does it let you get the secret key from a card, or somehow pretend to have a different ID?
    I though the point of using a smartcard is that PCs cannot be trusted.
    Is this about a MiTM attack without physical access to the PC?

    • Re: (Score:2, Interesting)

      by toetagger ( 642315 )
      This is nothing else than a security hole in an piece of software. It can be used to install and potentially execute malicious code on the computer. This could include the normal Zeus bot, or a key logger. In case of a key logger, it could be possible to spy the PIN associated with the ID. So if then you can also steal the ID card somehow, ... you can think of the rest.
  • by bradley13 ( 1118935 ) on Thursday November 11, 2010 @01:43AM (#34193886) Homepage

    First, to TFA: there is no problem with the ID itself, just with the security of the special PC software than can work with them. As most /.ers know, there is quite a hacker community in Germany, and these problems are really not too bad. In order to compromise the software you first have to do a DNS hack, then fake a certificate, then... In a nutshel, yes, there are problems, but they aren't too bad and will be relatively easy to fix.

    The ID itself is really cool. Among other things, it supports secured anonymous transactions. How many governments are there that willingly support anonymity for their citizens?

    • by wvmarle ( 1070040 ) on Thursday November 11, 2010 @02:53AM (#34194098)

      Any valid SSL certificate will do; it's not checked. That's the main problem.

    • "As most /.ers know, there is quite a hacker community in Germany, and these problems are really not too bad. In order to compromise the software you first have to do a DNS hack, then fake a certificate, then... In a nutshel, yes, there are problems, but they aren't too bad and will be relatively easy to fix. "

      So you are saying there are lots of hackers in Germany, but there is little to worry about, since people who don't know how to hack won't be able to hack it, and only the large number of people who do

    • How can an ID card specifically facilitate anonymous transactions? Isn't that an exact contradiction?

  • by koinu ( 472851 ) on Thursday November 11, 2010 @02:03AM (#34193932)

    You have to know that our (German) current ID card is being photocopied for many kinds of quick transactions/deals. Someone can give you something without paying in advance and you give him a copy of your ID card, so he can find you, when you forgot to pay or give something back. You can optionally give the ID card directly as security.

    Now... the new ID... it is explicitly forbidden to photocopy it and even leave it unattended somewhere.

    Why? Because there are some critical numbers printed on the new German ID cards that no one should know. Isn't it great? Imagine that someone printed your social security number on your new "great and modern ID card"!

    And here comes the first loop hole: banks always have needed and still will need your ID card photocopied to open an account. Guess what happens? They will get a special permit to do this (it has been already decided to keep the current account registration system working).

    • by Kosi ( 589267 )

      I like this rule that forbids to give the card out of your hands. Hopefully it will put some common sense in some heads and I can stop shaking my head over all those idiots who willingly give their credit cards out of their hands and let people do stuff they can't see with it, but then wonder about their crazy bills.

      And banks don't "need" an ID card or copies of an ID card to open an account. Any method which can prove that you are the guy who opened the account would do it.

      • Do you ever eat at nice restaurants?

        • by Kosi ( 589267 )

          Yes. But that doesn't mean that I'd ever let anyone except closest friends take my credit card out of my sight.

          I'm from Germany, and the usage of credit cards is not so widespread here as in the USA. If it's not a business related dinner, or some kind of bigger event, most people here usually pay cash in restaurants. And as I know how much the CC companies charge those poor shop owners, I tend to use a credit card only when paying in cash or with the bank card (don't know if there's something similar in the

        • Re: (Score:2, Informative)

          Do you ever eat at nice restaurants?

          That was ten years ago, when the waiter had to take your card backstage to get the imprimt.

          Nowadays, they do have those small portable readers which they bring right to your table. The card no longer leaves your sight...

          ...not that it would matter though, because there is no way to tell whether this is a legitimate reader or just some skimming device... especially since there are hundreds of different makes and looks of these readers.

        • Most restaurants I've eaten in either bring a wireless card processing handset to your table, or they have a point that you can go to to make a payment, or both. Very few seem to want to take the card away from the table by default, now - probably because people are a lot more cautious about letting them do so.
      • Banks generally do need to go above and beyond 'have a photo ID' to protect your money - they store the copy of your official ID to compare against the ID you (or "you") show next time, and to compare signatures, and to have a photo of the bad guy and solid evidence that it wasn't you if a forgery was presented the first time.

        If you don't do this, then some shmuck with a forged ID can do stuff in your name. Oh - and that's the choice that most USA banks have made, so you suffer from id

        • by maxume ( 22995 )

          If the banks were suffering from their lax fraud controls, they would probably do something about it.

          As it stands, the bank (the victim of the fraud that the bank failed to prevent) just pushes the problem off on some individual. So the laws are terrible there (it should be straightforward for someone to repudiate an account and hear nothing more from the institution that mistakenly opened said account).

        • The scan of your ID card also serves second purpose. In case your wallet is stolen you simply provide your name, address, date of birth and together with a visual confirmation they'll let you withdraw money at the counter until your replacement bank card is mailed to you.

    • Just give them your passport. They will happily accept it. That's what I and most foreigners living in Germany use to authenticate, because we don't have an ID card.

      • by Arimus ( 198136 )

        Suspect they will still require an ID card if you happen to be German citizen... the passport bypass will work fine for non-nationals...

    • Imagine that someone printed your social security number on your new "great and modern ID card"!

      You mean like on my driver's license here in the US up until a few years ago? That's why my new driver's licenses always had an unfortunate encounter with a belt sander soon after issue.

  • ...But they aren't functional yet. I think it's mostly intended for e-gov, though.
  • Quick Summary (Score:1, Redundant)

    by timbo234 ( 833667 )

    For those who can't read German here's a basic summary of the article:

    There is a vulnerability not in the ID cards but in the desktop software that makes use of them for authentication on the Net. This software's update mechanism is apparently vulnerable to a DNS spoofing attack that would allow a skilled attacker to download and unpack a ZIP file on the user's machine (but not directly execute any code). The article was updated to say that the government agency responsible for this software has stopped dow

    • And since the ID card and desktop software know nothing about the operating system they run on there is no way to be sure they will behave as expected.

      • The really safe solution would have been to have a reader with PIN entry required, and have that reader directly communicate with the server (using a secure, encrypted protocol, of course), so for identification purposes, the computer acts only as a router for the secure communication. Of course that still doesn't protect against compromised readers, but I guess those are much more easy to protect than computers (after all, they are single-purpose appliances).

      • Yeah I think this point was brought up in the dw-world article (in English) linked to this story. It's like Internet Banking, if you use it from a computer which isn't secure or which you can't reasonably trust (eg. a computer in an internet cafe) you can't expect your session to be secure. Same with this system.

        I think the idea is to create a system where verified emails and documents can be securely sent, eg. if I want to cancel the contract with my phone company I use my ID+PIN reader gadget to send them

        • I think the attacker is a different person here. If you want your data to be secure you will use a secure system. If you want to defraud the Government then you may create a deliberately insecure system.

  • another potential hole here is the social aspect of the deployment: it is only for Germans. And you have a large percent of foreigners living there, who use the same services as Germans. And I don't people from far away countries. I mean even other europeans who happen to live in Germany in accordance to all European rules.

    These people use credit cards, do bank transactions, on-line shopping, etc. For these people, of which I belong to, our only means of authenticating is the passport. So in the end every s

  • This is not a bug, it's a feature.
    Now they can upload their spying tool to everybody without a warrant. All they need to do is accidentally mixup the new release of the passportapp with the trojan.
    • Re: (Score:2, Insightful)

      But for that, they would not need to add that security hole. They could just install it from the regular update server of the app. Or redirect DNS, but use the original certificate.

      • But for that, they would not need to add that security hole. They could just install it from the regular update server of the app.

        Plausible deniability!

  • The current terms of service (which you accept when you get this thing) are that the program is safe by definition. The user has to keep the pc free of viruses. Zerodays are the users fault as well, what so ever.
    Which basically means, when ever somebody does something bad with your id, the damage is yours.
    They even read, that you should only keep it on the card reader for the few seconds of usage.
    As if those few seconds are not enough for an attack. One thing that already works easily with an exploited
    • The current terms of service (which you accept when you get this thing) are that the program is safe by definition. The user has to keep the pc free of viruses. Zerodays are the users fault as well, what so ever.

      Lemme guess... and the app is only available for windows.

      So basically they tell you "you have to expose your computer to attacks, but you (not we) are responsible when it does get attacked and your id stolen".

  • by joh ( 27088 ) on Thursday November 11, 2010 @04:12AM (#34194388)

    This is very bad PR for the new ID, but neither the ID card nor the software has been hacked yet. This is just another way to install some malware on a computer.

    I have no doubt though that worse things will happen. The mistakes made here are so glaringly obvious that it's hard to believe that there aren't other holes to be found.

The first 90% of a project takes 90% of the time, the last 10% takes the other 90% of the time.

Working...