FB pixel

White hat hacker reveals vulnerability in Germany’s digital ID

White hat hacker reveals vulnerability in Germany’s digital ID

Germany’s digital ID may come under threat from malicious attackers, according to an analysis from a digital security expert.

A white hat hacker recently demonstrated how a cybercriminal could perform a Man-in-the-Middle attack on the online version of the German National Identity Card, known as eID. The vulnerability could potentially pose a danger to the approximately 10 million people currently using the system.

“I was surprised at how easy it was to compromise the system,” the hacker told news outlet Der Spiegel.

The anonymous digital researcher, who goes under the name CtrlAlt, built an application that could record the six-digit PIN users type in to log in to the eID on their smartphones. To aid the process, he used the official eID app code, which is available online as open-source software.

The malware could potentially be installed on the user’s smartphone through sophisticated Trojan software that gives access to the entire smartphone, similar to the ones used by certain governments to target dissidents and journalists. Alternatively, cybercriminals could also place the malware by tricking a user into downloading a fraudulent app from an app store.

Once they gain access to the digital ID, malicious actors could log the user into a fake eID app account as well as intercept data used to log into other eID services, including government services, eHealth platforms and banking systems, according to the hacker who published an analysis of the attack last Friday.

CtrlAlt says he informed Germany’s Federal Office for Information Security (BSI) in December last year and that the agency has acknowledged the vulnerability. In a response to Der Spiegel, BSI said there is no evidence of specific attacks carried out and that it sees no reason for a change in risk assessment for using the eID.

“From the BSI’s point of view, this is not an attack on the eID system, but on the users’ end devices,” it says.

CtrlAlt, however, says that this places undue responsibility on users for maintaining client device security. And with plans for expanding Germany’s digital ID system, the problem could linger on. Since 2017, the country has been automatically enrolling citizens into the eID program while issuing new ID cards. Fifty-six million people in Germany now have the eID.

Article Topics

 |   |   |   |   | 

Latest Biometrics News


Call for bids on Dominican Republic biometric passport deal closes today

The Dominican Republic’s General Directorate of Passports (DGP) is seeking digital identity service providers to acquire, install and maintain new…


Who is looking out for your data? Security in an era of wide-spread breaches

By Vince Graziani, CEO, Idex Biometrics While some of the biggest businesses in the world now rely heavily on data, concern…


ITL’s Alerts App expands biometric portfolio to integrated venue management

Businesses from every sector all face access control challenges to ensure the security and safety of their staff and customers….


Best biometrics use cases become clearer as ecosystems mature

Biometrics are for digital identity, socio-economic development, air travel and remote identity verification, but not public surveillance, the most-read news…


UK Biometrics and Surveillance Camera Commissioner role survives as DPDI fails

UK parliament will not pass data protection legislation during the current session, following the announcement of the general election in…


EU watchdog rules airport biometrics must be passenger-controlled to comply with GDPR

The use of facial recognition to streamline air passenger’s travel journeys only complies with Europe’s data protection regulations in certain…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events