White hat hacker reveals vulnerability in Germany’s digital ID

Germany’s digital ID may come under threat from malicious attackers, according to an analysis from a digital security expert.

A white hat hacker recently demonstrated how a cybercriminal could perform a Man-in-the-Middle attack on the online version of the German National Identity Card, known as eID. The vulnerability could potentially pose a danger to the approximately 10 million people currently using the system.

“I was surprised at how easy it was to compromise the system,” the hacker told news outlet Der Spiegel.

The anonymous digital researcher, who goes under the name CtrlAlt, built an application that could record the six-digit PIN users type in to log in to the eID on their smartphones. To aid the process, he used the official eID app code, which is available online as open-source software.

The malware could potentially be installed on the user’s smartphone through sophisticated Trojan software that gives access to the entire smartphone, similar to the ones used by certain governments to target dissidents and journalists. Alternatively, cybercriminals could also place the malware by tricking a user into downloading a fraudulent app from an app store.

Once they gain access to the digital ID, malicious actors could log the user into a fake eID app account as well as intercept data used to log into other eID services, including government services, eHealth platforms and banking systems, according to the hacker, who published an analysis of the attack last Friday.

CtrlAlt says he informed Germany’s Federal Office for Information Security (BSI) in December last year and that the agency has acknowledged the vulnerability. In a response to Der Spiegel, BSI said there is no evidence of specific attacks carried out and that it sees no reason for a change in risk assessment for using the eID.

“From the BSI’s point of view, this is not an attack on the eID system, but on the users’ end devices,” it says.

CtrlAlt, however, says that this places undue responsibility on users for maintaining client device security. And with plans for expanding Germany’s digital ID system, the problem could linger on. Since 2017, the country has been automatically enrolling citizens into the eID program while issuing new ID cards. Fifty-six million people in Germany now have the eID.
