
Security App For the New German Personal ID Hacked

samzenpus posted more than 3 years ago | from the why-can't-I-be-you dept.

Security 93

prefec2 writes "On Nov. 1st Germany started to issue new personal ID cards which include a security chip. In combination with a reading device and an application on a PC at home, secure transactions can be made. However, the required application can be compromised using DNS spoofing and a wrong SSL certificate (article in German)."


93 comments


heh (1)

Le Marteau (206396) | more than 3 years ago | (#34193768)

I think it was that Shakespeare dude who said, "The best laid schemes of mice and men. Go oft awry"

Or, as the philosopher Simpson said, "D'oh!"

Not quite (2, Informative)

Anonymous Coward | more than 3 years ago | (#34193850)

"The best-laid schemes o' mice an' men, gang aft agley,"

And for one, Shakespeare wasn't Scottish...

Re:Not quite (1)

Pax681 (1002592) | more than 3 years ago | (#34194046)

aye it was the National Bard of Scotland Robert Burns

Re:heh (1)

MichaelSmith (789609) | more than 3 years ago | (#34194216)

I don't think the men have got much to do with it.

Re:heh (1)

ScrewMaster (602015) | more than 3 years ago | (#34203686)

I don't think the men have got much to do with it.

Yes. It's obviously a mouse driver problem anyway.

Re:heh (1)

Hognoxious (631665) | more than 3 years ago | (#34204238)

I think it was that Shakespeare dude who said, "The best laid schemes of mice and men. Go oft awry"

I doubt it - he knew better than to split the verb and the subject into two separate sentences.

What is the appropriate system, then? (2, Interesting)

BadAnalogyGuy (945258) | more than 3 years ago | (#34193770)

If you have need for such an identification card and trackable number within the government database to allow you access to government services such as healthcare, what is the best identification system in that case?

Re:What is the appropriate system, then? (0)

Anonymous Coward | more than 3 years ago | (#34193786)

none at all none at all

Re:What is the appropriate system, then? (-1, Troll)

Anonymous Coward | more than 3 years ago | (#34193872)

In that case you've already lost. This is Germany, right? Why don't they just cut to the chase and tattoo numbers on people's arms. Control is control. The purpose is irrelevant. When control is complete, the purposes always converge into the same thing.

Re:What is the appropriate system, then? (4, Informative)

wvmarle (1070040) | more than 3 years ago | (#34194088)

You probably didn't/couldn't read the article (it's in German after all, not everyone can read that). I did, hereby summary/translation of what's going on. Hoping I understand all correctly, so other posters please correct me when I'm wrong!

It's got nothing to do with the ID card itself, or identification to the government with it.

Basically the vulnerability is in the update function of the AusweisApp software. It starts with hijacking the DNS query for the update server, and redirects the app to a (malicious) server, which pretends to be the real deal. Then when the fake update server presents the software with a valid SSL certificate, AusweisApp accepts this without checking whether the certificate has been issued in the correct name (I hope I translate this well - anyway the SSL certificate is not checked properly, the core of the vulnerability), and will happily download a .zip file which is supposed to be the update for itself. Updates are distributed as .zip files.

So this is vulnerability part 1: you can have it download the wrong file.

But now it's part 2: the software will unpack the zip file before asking authorisation, and using relative path names for files in the zip archive malicious software can be placed on the user's hard disk. This of course is also an issue, it should unpack the zip in one location and disregard path names if any.

So there you have it: a glaring vulnerability that allows for remote installation of software.

The article notes they contacted the issuer of the software, who at first answered "we will look into this issue and if there really is a vulnerability issue an update", later they pulled the current version of the app from their download site without giving further explanation on why it's not available anymore.
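The distinction wvmarle draws above, as an added example that is not code from the article, from the AusweisApp, or from any poster here: a certificate whose chain validates is not the same as a certificate issued to the host you meant to talk to. The `getpeercert()`-style dicts below are constructed; the bund.de names are the update hosts named in the article, while the example-other.test names are invented for the example.

```python
import ssl

# Constructed stand-ins for the dict that ssl.SSLSocket.getpeercert() returns.
# LEGIT_CERT carries the article's update hosts; OTHER_CERT is a perfectly
# valid, CA-signed certificate for an unrelated (invented) host.
LEGIT_CERT = {
    "subject": ((("commonName", "download.ausweisapp.bund.de"),),),
    "subjectAltName": (
        ("DNS", "download.ausweisapp.bund.de"),
        ("DNS", "www.ausweisapp.bund.de"),
    ),
}
OTHER_CERT = {
    "subject": ((("commonName", "update.example-other.test"),),),
    "subjectAltName": (
        ("DNS", "update.example-other.test"),
        ("DNS", "*.example-other.test"),
    ),
}


def _pattern_matches(pattern, host):
    """Match one dNSName pattern against a host, RFC 6125 style: a wildcard is
    honoured only as the whole leftmost label, never for a bare TLD, and never
    for more (or fewer) labels than the pattern has."""
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert, expected_host):
    """True if expected_host is covered by the certificate's dNSName SANs
    (falling back to the subject CN only when no SAN entries exist)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = expected_host.lower().rstrip(".")
    return any(_pattern_matches(n.lower().rstrip("."), host) for n in names)


def vulnerable_accepts(cert, chain_valid):
    """The behaviour the summary describes: any CA-signed cert is accepted,
    the name on it is never compared with the update host."""
    return chain_valid


def hardened_accepts(cert, chain_valid, expected_host):
    """Chain validity AND name binding must both hold."""
    return chain_valid and hostname_matches(cert, expected_host)


def hardened_context():
    """On a real socket the stdlib does the same check for you:
    create_default_context() already sets CERT_REQUIRED and check_hostname=True.
    The two assignments are spelled out only to show which knobs matter."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

The manual matcher exists only to make the missing step visible; in production code the fix is simply to keep `check_hostname` on and pass `server_hostname` when wrapping the socket, rather than to reimplement name matching.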

Re:What is the appropriate system, then? (1)

BadAnalogyGuy (945258) | more than 3 years ago | (#34194192)

Would this be a satisfactory system if this hole were plugged?

The problem is whether there is any satisfactory system given the likelihood of whiny Slashbots complaining about either loss of privacy, insecure maintenance of critical information, and threat to identity security. If the default posture is "it will be hacked" to any proposal for a necessary identification system such as this, how could such a system be designed so that these objections are unwarranted?

As we Americans move towards a national healthcare system, this question will need to be answered soon.

Re:What is the appropriate system, then? (2, Informative)

timbo234 (833667) | more than 3 years ago | (#34194208)

The ID cards for the health system are a completely different thing in Germany. Since it's run on the basis of insurance companies* (Krankenkassen) you get a normal chip-and-PIN card from your insurance company that you then give to the doctor or hospital staff when it comes time do sort out the paperwork.

These ID cards on the other hand are only for German citizens and are issued by the federal government and have a much more general usage. Foreigners like me who live here can't get a German ID card and everybody will still have to have a health insurance card.

* Organised through insurance companies but not like the US - it's universal healthcare and still majority taxpayer-funded

Re:What is the appropriate system, then? (1)

PolygamousRanchKid (1290638) | more than 3 years ago | (#34194574)

Foreigners like me who live here can't get a German ID card and everybody will still have to have a health insurance card.

I'd replace can't with are not required to. I'm happy that I don't have a German ID card; I don't like carrying around government issued cards with chips. German citizens are required to carry their ID card at all times. The police can request to see your ID card at any time for no reason, and can fine you if you do not have it with you. But the police usually only do this to people who are causing trouble. "Papers, please!"

I don't have a health insurance card either, since I am insured through a private health insurance company. Private insurance is a lot cheaper than the state affiliated insurance companies, it has better service, it's more flexible, etc. Gee, something in the private sector is better than what is offered by the government? Go figure.

At any rate, the publicly insured folks' cards get read with every visit to the doctor. Who knows where all this tracking data is stored, and what it is used for? Again, something I don't want.

Re:What is the appropriate system, then? (1, Informative)

Anonymous Coward | more than 3 years ago | (#34194624)

German citizens are required to carry their ID card at all times.

This is wrong. http://de.wikipedia.org/wiki/Mitf%C3%BChrpflicht [wikipedia.org]

Re:What is the appropriate system, then? (1)

freedumb2000 (966222) | more than 3 years ago | (#34195134)

Correct, you are required to own one, but there is no law that requires you to keep it on you at all times. Although most Germans do not know this either.

Re:What is the appropriate system, then? (1)

ScrewMaster (602015) | more than 3 years ago | (#34203726)

Correct, you are required to own one, but there is no law that requires you to keep it on you at all times. Although most Germans do not know this either.

Law or not, the question is: if an officer asks you for it and you don't have it, what, if any, are the consequences? The legality of the matter is often less important than how you are treated by law enforcement. In the U.S., there are laws about what a cop can and cannot demand from you in specific circumstances: but even when they don't have the right, they may still expect you to obey and give you a hard time if you don't. Depends upon where you are, in many cases: I know there are some towns that I simply avoid travelling through because the cops have a bad reputation, or because I've personally had a bad experience. Other places the police are better trained and more respectful, although from what a friend of mine who has lived in Germany for the past ten or fifteen years has told me, the German police tend to be more on the civil side. I'm planning on going there next year: that's one country I've always wanted to visit.

Re:What is the appropriate system, then? (1)

freedumb2000 (966222) | more than 3 years ago | (#34214442)

It really depends on the situation. If they suspect you of wrongdoing, they will take you to the station to verify your identity. If they ask you for it during a traffic stop or similar, they won't do anything else (they already have your driver's license). So you are partly right, it can be more bothersome if you do not have your license on you, but in the end it doesn't really matter. Concerning German police being more civil: After Hitler with Gestapo and SS the government has really tried to make a point of police being civil servants. So they get trained a certain way and it's also why the uniform is grass green and khaki. Although I do think at least the color of the uniform is being made the same in all countries of the EU, a dark blue.

Re:What is the appropriate system, then? (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34194668)

Troll harder.

Re:What is the appropriate system, then? (1)

timbo234 (833667) | more than 3 years ago | (#34194806)

German citizens are required to carry their ID card at all times. The police can request to see your ID card at any time for no reason, and can fine you if you do not have it with you. But the police usually only do this to people who are causing trouble. "Papers, please!"

http://de.wikipedia.org/wiki/Personalausweisgesetz [wikipedia.org]
Funnily enough this law applies to foreigners in Germany as well, meaning you have to carry around your passport or some other identification, eg. drivers licence.

Private insurance is a lot cheaper than the state affiliated insurance companies, it has better service, it's more flexible, etc. Gee, something in the private sector is better than what is offered by the government? Go figure.

It's only better depending on your personal circumstances, eg. for young single people it's clearly better. But choosing insurance purely based on some ideological 'private must be better' basis in Germany would probably just end up getting you a bad deal - the system is very complex.

At any rate, the publicly insured folks' cards get read with every visit to the doctor. Who knows where all this tracking data is stored, and what it is used for? Again, something I don't want.

The same 'tracking data', and possibly more, is stored and sent off for a private patient - if it wasn't your private insurance would have nothing to evaluate the claim on and simply wouldn't pay you or the doctor/hospital.

Re:What is the appropriate system, then? (1)

PolygamousRanchKid (1290638) | more than 3 years ago | (#34194946)

Funnily enough this law applies to foreigners in Germany as well, meaning you have to carry around your passport or some other identification, eg. drivers licence.

In 20+ years of living in Germany, only once have the police requested an ID from me. I was walking near an area with bars and nightclubs, where there is often trouble. My drivers license and my accent were enough to convince them that I was not the person they were looking for. The police in Germany are always quite polite . . . and like any German, they really appreciate the fact that you have learned their language.

But choosing insurance purely based on some ideological 'private must be better' basis in Germany would probably just end up getting you a bad deal - the system is very complex.

It's not ideological, rather empirical. My girlfriend (state insured) had an allergy problem, and had to first go to her General Practitioner (Hausarzt) to get a referral to an allergy specialist, who did a set of allergy tests. Since they all came up negative, the doctor needed to do another set of tests. Oh, but the state insurance only allows one set of tests per calendar quarter. "Sorry, come back in two months." As a privately insured patient, the doctor can do whatever is necessary, whenever it is necessary. Recently there was something in the news about how dentists had used up all their allotment for treatments, so they were telling people to come back in January. No, thanks.

The same 'tracking data', and possibly more, is stored and sent off for a private patient - if it wasn't your private insurance would have nothing to evaluate the claim on and simply wouldn't pay you or the doctor/hospital.

My doctor/hospital has no contact whatsoever with my health insurance company. The bills get sent directly to me. I pay the bills myself directly. It is my responsibility to do the paperwork, and submit that to the insurance company. They reimburse me then directly. So to reiterate, no 'tracking data' is sent from my doctor to the health insurance company; they only get what I choose to send them.

Getting back on topic, what is the chip on the new ID card supposed to be good for anyway?

Re:What is the appropriate system, then? (1)

timbo234 (833667) | more than 3 years ago | (#34195132)

In 20+ years of living in Germany, only once have the police requested an ID from me.

Same with me - in over 2 years I've never been asked for ID, doesn't change the fact that the law applies to foreigners like us as well.

It's not ideological, rather empirical. My girlfriend (state insured) had an allergy problem, and had to first go to her General Practitioner (Hausarzt) to get a referral to an allergy specialist, who did a set of allergy tests. Since they all came up negative, the doctor needed to do another set of tests. Oh, but the state insurance only allows one set of tests per calendar quarter. "Sorry, come back in two months." As a privately insured patient, the doctor can do whatever is necessary, whenever it is necessary. Recently there was something in the news about how dentists had used up all their allotment for treatments, so they were telling people to come back in January. No, thanks.

Private insurance has all sorts of exceptions and limitations such as 'will only pay X number of these treatments per year', 'will only pay X% of the cost of this' too. It's better for some people's circumstances (me included) but not automatically better than the public system.

The bills get sent directly to me. I pay the bills myself directly. It is my responsibility to do the paperwork, and submit that to the insurance company. They reimburse me then directly. So to reiterate, no 'tracking data' is sent from my doctor to the health insurance company; they only get what I choose to send them.

The types of information that can be stored on a health insurance card are set down by Germany's data protection laws:
http://www.gesetze-im-internet.de/sgb_5/__291a.html [gesetze-im-internet.de]

There's no secret 'tracking data'. Plus with private insurance you have no choice what you can send or not - you have to send exactly what the insurance company requires of you.

Re:What is the appropriate system, then? (1)

PolygamousRanchKid (1290638) | more than 3 years ago | (#34195596)

Plus with private insurance you have no choice what you can send or not - you have to send exactly what the insurance company requires of you.

Be careful there! An insurance company may request information, implying that it is required, that they are not, by law, entitled to. This happened to me. I showed the written request for information to my doctor, and he was angry at the insurance company, and said, "They have no right to that information, and they know it. Just ignore the letter!" So if your insurance company sends you a dubious request for information, ask your doctor before sending anything. For example, if my doctor does a blood test on me, I receive a bill from him stating that he performed a blood test, and a diagnosis (if any). I submit that to the insurance company and they must pay for that. However, if the insurance company requests the full report of all the individual things that were measured . . . they have no right for that.

I only have to submit bills for which I want to be reimbursed. If I had a doctor visit that I don't want the insurance company to know about, I just don't submit it, and sit on the costs myself.

Sure, if you are married with two kids, public insurance is a better deal. But if you are single, you pay the same amount as someone with a wife and two kids. So singles subsidize families. I compared my insurance bill with that of a single colleague who was insured with the TKK. His bill was four times the amount of mine.

I guess we're really straying off topic here, but I find the thread informative and refreshing.

Re:What is the appropriate system, then? (1)

timbo234 (833667) | more than 3 years ago | (#34196956)

Be careful there! An insurance company may request information, implying that it is required, that they are not, by law, entitled to. This happened to me.

Ok but at a minimum they're going to be able to demand the same information as is on the Krankenkasse cards aren't they? I mean demand as in say if you don't give us the info we don't pay you.

If I had a doctor visit that I don't want the insurance company to know about, I just don't submit it, and sit on the costs myself.

You could do the exact same thing as a publicly insured patient - just book the doctor's appointment or whatever and pay for it yourself.

Re:What is the appropriate system, then? (0)

Anonymous Coward | more than 3 years ago | (#34195304)

It's not ideological, rather empirical. My girlfriend (state insured) had an allergy problem, and had to first go to her General Practitioner (Hausarzt) to get a referral to an allergy specialist, who did a set of allergy tests. Since they all came up negative, the doctor needed to do another set of tests. Oh, but the state insurance only allows one set of tests per calendar quarter. "Sorry, come back in two months." As a privately insured patient, the doctor can do whatever is necessary, whenever it is necessary. Recently there was something in the news about how dentists had used up all their allotment for treatments, so they were telling people to come back in January. No, thanks.

In Germany private health care insurance is usually less expensive if you are a young, low-risk person without kids (I pay about half of what I would have to pay if I were state insured). However, as you grow older, private insurance becomes more and more expensive (my parents who are approaching 70 pay a lot more than they would have to pay if they were state insured). Also, the private insurance usually does not cover children, which the state insurance does. I would imagine that for low-income people state insurance is also cheaper, since it is based on a percentage of income (capped to some maximum amount), while the private insurance is not - but if you are low-income, you are required by law to be state insured, so the point is moot for them. Also note that once you leave the public system, you can't come back unless your income drops below the legal threshold, so you have to wager if the savings you have while you are young are worth the higher costs you will have after retirement. If you are a foreigner who doesn't plan to spend the rest of his/her life in Germany, you would probably be mad not to be privately insured.

Finally, please note that German dentists are amongst the most money-grubbing parasites the health care system has to offer.

My doctor/hospital has no contact whatsoever with my health insurance company. The bills get sent directly to me. I pay the bills myself directly. It is my responsibility to do the paperwork, and submit that to the insurance company. They reimburse me then directly. So to reiterate, no 'tracking data' is sent from my doctor to the health insurance company; they only get what I choose to send them.

That is because you are privately insured. If you were state insured, you would never even see the bill - that is one of the many things wrong with the German system, because it suggests to patients that health care is free and makes fraud easier for doctors and hospitals. Can you guess which part of the German system is least likely to be reformed?

Getting back on topic, what is the chip on the new ID card supposed to be good for anyway?

Since this is Germany, I assume it's supposed to be good for the manufacturers of the cards and the equipment needed to read them.

Re:What is the appropriate system, then? (1)

(Score.5, Interestin (865513) | more than 3 years ago | (#34196768)

German citizens are required to carry their ID card at all times.

The law actually only has an Ausweispflicht (requirement to own an ID) but not a Mitführpflicht (requirement to carry ID at all times). Of course how that plays out in practice is another matter...

Re:What is the appropriate system, then? (0)

Anonymous Coward | more than 3 years ago | (#34199484)

German citizens are required to carry their ID card at all times.

That's wrong (as the Wikipedia article explains). You are required to own an ID card starting at the age of 16. You don't have to carry it around, there is no law for that. But if the police want to identify you, you have to show an ID or e.g. drive with them to your home to show them your ID card.

Re:What is the appropriate system, then? (0)

Anonymous Coward | more than 3 years ago | (#34194942)

I don't have a health insurance card either, since I am insured through a private health insurance company. Private insurance is a lot cheaper than the state affiliated insurance companies, it has better service, it's more flexible, etc. Gee, something in the private sector is better than what is offered by the government? Go figure.

Private health insurance may be cheaper in *your* particular case, but for the majority (I'd say > 80%) of people in Germany, public is *a lot* cheaper. Private insurance is only cheaper if you're young, healthy, and have a large income.

Re:What is the appropriate system, then? (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#34195340)

Perhaps private insurance is better than government run insurance. It would be nice if the rest of us had some sort of insurance. I'm sure you know how it is. Should I spend my last 40 dollars on groceries or gas? Wait, never mind, I'll purchase some insurance because I obviously need it more than food or fuel.

Essentially you got yours so the rest of us can screw off?

Take your ass back to your fundamentalist mormon family you PoS.

Re:What is the appropriate system, then? (1)

wvmarle (1070040) | more than 3 years ago | (#34194472)

From other posts it seems that most people are quite positive about the card as such, that it even allows for anonymous transactions (how that matches an ID card I don't know - maybe that's explained elsewhere in this discussion; going to read myself again later on). And European countries in general are way more protective of their citizen's privacy than the US is.

This security hole is a problem of the supporting software, how to get such software 100% secure I don't know. But not doing something as simple as checking that the SSL certificate is issued to who it should be issued to, is not exactly promising for the rest of this piece of software.

And indeed many people will try to hack it; I do think they should open source the whole thing. Give out the actual protocols how the communication with this smart card is done. How the communication with the government works. Publish it all. Including the full sources of all the software that works with these cards. Yes it helps hackers, and that's a good thing, thinking of open-sourced OpenSSL. Then you could even have multiple competing software packages to deal with these cards, for various OSes, alternative platforms, etc. Though setting up something like an "app store" for vetted software would be a good idea in such a scenario.

Re:What is the appropriate system, then? (1)

John Hasler (414242) | more than 3 years ago | (#34195488)

If the default posture is "it will be hacked" to any proposal for a necessary identification system such as this, how could such a system be designed so that these objections are unwarranted?

It is abundantly clear to anyone willing to look that it can't. Centralization doesn't scale. Creating a single point of failure for an entire nation is stupid.

As we Americans move towards a national healthcare system, this question will need to be answered soon.

It won't be. It will be ignored.

Re:What is the appropriate system, then? (1)

data2 (1382587) | more than 3 years ago | (#34194832)

Your summary seems correct. But he defeated another security measure through the zip file.

  Normally, only updates with a specific signature are installed. But as the updates are .msi-files packed in a zip, and the zip is unpacked without verification, one can use the zip with relative paths to install other software in the AusweisApp's context.
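Both wvmarle's "part 2" (relative path names inside the archive) and data2's point (the archive is unpacked before the signed .msi inside it is ever checked) come down to the same ordering mistake. As an added example, not code from the article, the AusweisApp, or any poster, here is an updater that verifies the whole archive first, rejects traversal names second, and only then writes files. The archives, the key and the file names are constructed; an HMAC stands in for the public-key signature a real updater would use, purely so the example runs without extra libraries.

```python
import hashlib
import hmac
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Constructed demo key (assumption: a real updater checks a public-key
# signature over the archive; HMAC is used here only to stay dependency-free).
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_archive(data: bytes) -> bytes:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def verify_archive(data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign_archive(data), tag)


def build_zip(entries: dict) -> bytes:
    """Build an in-memory archive. Entry names are stored verbatim, so a
    traversal name such as '../../x' survives exactly as it would be shipped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def unsafe_entries(data: bytes) -> list:
    """Entry names that would escape the extraction directory: absolute
    paths, drive letters, or any '..' component (backslashes normalised first)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            norm = info.filename.replace("\\", "/")
            parts = PurePosixPath(norm).parts
            if norm.startswith("/") or ".." in parts or (len(norm) > 1 and norm[1] == ":"):
                bad.append(info.filename)
    return bad


def extract_update(data: bytes, tag: bytes, dest) -> list:
    """Verify, then inspect names, then write. Returns the relative paths written."""
    if not verify_archive(data, tag):
        raise ValueError("signature mismatch; archive not extracted")
    bad = unsafe_entries(data)
    if bad:
        raise ValueError(f"unsafe entry names: {bad}")
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = (root / info.filename.replace("\\", "/")).resolve()
            # Belt and braces: the resolved target must stay under root.
            if root != target and root not in target.parents:
                raise ValueError(f"entry resolves outside {root}: {info.filename}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(root).as_posix())
    return written


def run_demo() -> dict:
    """Benign update vs. tampered archive vs. traversal archive (all constructed)."""
    benign = build_zip({"update/setup.msi": b"installer bytes (constructed)"})
    traversal = build_zip({"../../Startup/evil.exe": b"not an executable (constructed)"})
    out = {"traversal_names": unsafe_entries(traversal)}
    with tempfile.TemporaryDirectory() as d:
        out["benign_written"] = extract_update(benign, sign_archive(benign), d)
        for key, archive, tag in (
            ("tampered_rejected", benign, sign_archive(benign + b"\x00")),
            ("traversal_rejected", traversal, sign_archive(traversal)),
        ):
            try:
                extract_update(archive, tag, d)
                out[key] = False
            except ValueError:
                out[key] = True
    return out


if __name__ == "__main__":
    print(run_demo())
```

Signing the archive as a whole, rather than only the installer inside it, is what closes the gap data2 describes: nothing the attacker controls is written to disk before a check has failed.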

Use a HOSTS file w/ a IP-hostname combo (0)

Anonymous Coward | more than 3 years ago | (#34199458)

"It starts with hijacking the DNS query for the update server, and redirect the app to a (malicious) server, which pretends to be the real deal." - by wvmarle (1070040) on Thursday November 11, @02:51AM (#34194088)

Per my subject-line above, a CUSTOM HOSTS FILE is one way to bypass this as being a threat!

(On a PC or anything with a BSD based IP stack, which is pretty much everything nowadays that uses the internet afaik)

You'd be "proof" to this, via using a custom HOSTS file, albeit one that uses "hardcoded" IP Address - TO - domainnames/hostnames. This makes your own system be its own "DNS server" (minus the CPU cycles, RAM, & other forms of I/O necessary if you run a DNS server yourself, since the HOSTS file is really just a filter for the IP stack which you yourself have COMPLETE control over no less).

Now - There's also alternate DNS servers folks MIGHT use, such as OpenDNS or ScrubIT DNS!

However, iirc?

Those aren't anymore "proof" vs. Dan Kaminsky's findings (iirc, the explanation I am giving next, though simplified, is how it works) on how to "spoof" a domain/host name resolution to a specific IP address anymore than your std. ones from your ISP/BSP really!

(Which the "Kaminsky DNS flaw" works, iirc/afaik, by sending droves of false equations of this nature to a certain DNS server OR its "upstream" ones it references, before a true & valid one can get to said DNS server).

A nice "side benefit" of this is that if your DNS you use IS thus hijacked, or even if it "goes down" (Crashes)? You'll still be able to reach sites you need to.

APK

P.S.=> Also/lastly: Secure DNS anyone? Now, iirc, didn't the US Gov't. switch its servers over to this, and not too long ago?? At least SOMEONE did, and I find it sort of surprising others have not... apk

Re:What is the appropriate system, then? (1)

tangent3 (449222) | more than 3 years ago | (#34194326)

I'd think the best identification system would simply be based entirely on biometrics and querying a central server which matches the biometric data to an identity. So whatever security that is required is to ensure that the service is connected to the legitimate central server.

Having a portable ID card does make things a lot more convenient though, not requiring a central server, but security gets rather more complicated.

1. You need a way to determine if the bearer of the ID card is the legitimate owner of the card. This is usually done by having biometric data of the owner stored on the card. Traditionally, this is done using a 'recent' photograph, but we know how useless that is.
2. You need to make sure that the ID card is not forgeable... well, it's definitely not possible, but there are ways to make it harder for forgers, it's just a matter of how much you want to spend to protect the system and how much you want the forgers to spend to break the system.
3. You may want a system to revoke ID cards that are stolen, lost, or out of date. This will probably require querying a central server.

The thing about an ID card is the level of security required can be chosen by the service. For purchases of alcohol or entry to adult theaters, for example, they may simply do a quick look at the photograph to match the owner. For something like trying to withdraw a large sum of money from a bank, the teller may want to do a full biometric check.

Re:What is the appropriate system, then? (1)

DrSkwid (118965) | more than 3 years ago | (#34194776)

You say unforgeable is impossible but suggest it is still worth trying. The harder something is to forge, the more faith will be placed in it making it more valuable to forge it, ergo more resources will be placed on trying to forge it.

Re:What is the appropriate system, then? (1)

wvmarle (1070040) | more than 3 years ago | (#34195712)

No reason why an ID card can not be mighty hard to forge - I'm thinking encrypt data on the card with some digital signature, the secret key stored in a central database, and one unique key per card. Easy to create, easy to revoke. Optionally add part of the information in unencrypted format too for those situations where security is less strict.
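The design wvmarle sketches (one unique key per card, held centrally; easy to issue, easy to revoke), as an added example that is neither the German eID scheme nor any poster's code. Each card's key is derived from an issuer master key, so the central database only has to store card ids and a revocation list; the verifier recomputes the per-card tag and refuses edited data, tags transplanted from another card, and revoked cards. The master key, card ids and holder data are constructed, and an HMAC stands in for the digital signature the post mentions (a public-key signature would let verifiers check cards offline; this online variant is an assumption of the example).

```python
import hashlib
import hmac
import json

# Constructed issuer secret. In deployment this lives in the central
# database / HSM the post refers to, never on a card or a verifier.
MASTER_KEY = b"constructed-issuer-master-key"


def card_key(card_id: str) -> bytes:
    """One unique key per card, derived from the master key, so the
    database keeps (and revokes) card ids rather than a key blob per card."""
    return hmac.new(MASTER_KEY, card_id.encode(), hashlib.sha256).digest()


def issue(card_id: str, holder: dict) -> dict:
    """What gets written to the chip: canonical data plus a per-card tag over it."""
    payload = json.dumps({"id": card_id, **holder}, sort_keys=True).encode()
    tag = hmac.new(card_key(card_id), payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Verifier:
    """Central verifier: knows the master key and the revocation list."""

    def __init__(self):
        self.revoked = set()  # lost, stolen or expired card ids

    def revoke(self, card_id: str) -> None:
        self.revoked.add(card_id)

    def check(self, card: dict) -> str:
        try:
            card_id = json.loads(card["payload"])["id"]
        except (KeyError, ValueError, TypeError):
            return "malformed"
        expected = hmac.new(card_key(card_id), card["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, card["tag"]):
            return "forged"  # data edited, or tag computed under another card's key
        if card_id in self.revoked:
            return "revoked"
        return "ok"


def run_demo() -> dict:
    """Genuine card, edited card, transplanted tag, and a revoked card (constructed)."""
    v = Verifier()
    genuine = issue("card-0001", {"name": "Erika Mustermann", "born": "1964-08-12"})
    # Forgery attempt 1: keep the genuine tag, edit the birth year.
    edited = dict(genuine, payload=genuine["payload"].replace(b"1964", b"1994"))
    # Forgery attempt 2: copy one card's tag onto another card's data.
    other = issue("card-0002", {"name": "Max Mustermann", "born": "1970-01-01"})
    transplanted = {"payload": other["payload"], "tag": genuine["tag"]}
    results = {
        "genuine": v.check(genuine),
        "edited": v.check(edited),
        "transplanted": v.check(transplanted),
    }
    v.revoke("card-0001")
    results["after_revocation"] = v.check(genuine)
    return results
```

Because the per-card key never leaves the issuer, cloning the bytes on one card gives a forger nothing that helps with a second card, and revoking a card is a single set insertion rather than a key rotation.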

Re:What is the appropriate system, then? (1)

AGMW (594303) | more than 3 years ago | (#34194798)

I'd think the best identification system would simply be based entirely on biometrics ...

OK, now what if someone is able to clone your biometrics to impersonate you (see German magazine that got a fingerprint of some German Gov official and distributed it on some suitable sticky film with their mag so anyone could leave that official's fingerprints all over the place).
So now what if someone can hack the central server to change your biometric info to their biometric info? They are now, to all intents and purposes, you.

If someone discovers your password or pin you can change it, if someone clones or spoofs your biometrics you're screwed!

Well now. (2, Funny)

Black Parrot (19622) | more than 3 years ago | (#34193802)

(article in German)

Most of us will have an excuse not to read TFA this time.

(As if lack of an excuse ever made much difference.)

Re:Well now. (2, Insightful)

rolfwind (528248) | more than 3 years ago | (#34193884)

We no longer live in the days of Babelfish being the only game in town. Google Translate does a passable (but far from perfect) job:

http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=auto&tl=en&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FNeuer-Personalausweis-AusweisApp-mit-Luecken-2-Update-1133376.html [google.com]

Translation (0)

Anonymous Coward | more than 3 years ago | (#34195938)

A quick translation, please excuse my grammar.

The software for the new identity cards hasn't made a good start. On Monday evening the AusweisApp (IdentityApp) was published. Today, Tuesday morning, Jan Schejbal, from the Pirate Party Germany, blogged about an exploit, which exploits two design flaws in the Update-Routine. This exploit however, does not attack the ID card itself, instead it allows the installation of software on the PC, where the IdentityApp is running.

The IdentityApp establishes a ssl connection to the server, that delivers the updates. Here is where the first vulernability happens: It checks, if the certificate is valid, however not if the host originates from the regular update server. Due to this a DNS-Spoof succeeds, Attacks on www.ausweisapp.bund.de and download.ausweisapp.bund.de spoof to a desired server with a valid ssl certificate, which attempts the AusweisApp to download its updates from there.

The desired server can now exploit the update function to download a desired zip file, and to extract it. A few of them consist of installation files, however can only be executed when they have the correct signature. But the extraction of the archive is already a security risk, while the vulnerability allows unwanted data to be placed on the ID Card owners PC.

The exploit, that Schejbal as download offers, consists of a expired ssl certificate, which works when the System time on windows is set back. There are two PCs required, a client with the AusweisApp, and a server, which has python 2.6 and nmap installed. Spoof the client to the aforementioned server(by modifying the hosts file) and pass the ip address in the response data, then by the next update of the AusweisApp a file in the Autostart folder of the client. This succeeded in the editorial under Windows XP as well as Windows 7.

Although the security of the ID Card is not directly exploited, these two simple failures (failing ssl certificate validation as well, and extraction of the recievers archive without signature validation) in this BSI tested software is very surprising. We requested from BSI an opinion, but the confirmation of the exploit hasn't yet happened.

Update: Late Tuesday evening, BSI's press deparpment has given the following opinion: "The media is reporting currently a perceived security hole in the AusweisApp, that is for the use of the eID-Function of the new ID Card. BSI is currently checking together with the software developer, if the described exploit is feasible, and what measurements against it are required. Should a vulnerability exist in the software, then BSI will provide, without delay, a new version of the software and inform the public accordingly.

Update 2: Currently (Wednesday afternoon) the download of the AusweisApp is no longer possible. An explanation from BSI over the failure is to stop the download, but a fix is currently not available.

Re:Well now. (1)

ScrewMaster (602015) | more than 3 years ago | (#34203732)

(article in German)

Most of us will have an excuse not to read TFA this time.

(As if lack of an excuse ever made much difference.)

Really. Although, I've been mod-bombed a few times for failing to read the article, so it does bother some people no end if you don't read it.

I can guess the word most Germans said... (2, Funny)

beefnog (718146) | more than 3 years ago | (#34193832)

Scheisse!

Re:I can guess the word most Germans said... (1)

dltaylor (7510) | more than 3 years ago | (#34194324)

Actually, most Germans probably don't give a damn.

BTW, is it scheisse or scheiße?

Re:I can guess the word most Germans said... (3, Informative)

maxwell demon (590494) | more than 3 years ago | (#34194402)

Depends on if you are Swiss :-)
In Germany it's Scheiße, in Switzerland it's Scheisse.

Re:I can guess the word most Germans said... (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34194584)

Most Germans are not Swiss.

Re:I can guess the word most Germans said... (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34195106)

but they would like to be.

Re:I can guess the word most Germans said... (1)

wvmarle (1070040) | more than 3 years ago | (#34195744)

You sure it's not Swiß?

Re:I can guess the word most Germans said... (0, Offtopic)

leomekenkamp (566309) | more than 3 years ago | (#34194544)

OT, but it depends on where you live [wikipedia.org] .

Can someone explain, bitte? (1)

quenda (644621) | more than 3 years ago | (#34193856)

How does it matter? Does it let you get the secret key from a card, or somehow pretend to have a different ID?
I though the point of using a smartcard is that PCs cannot be trusted.
Is this about a MiTM attack without physical access to the PC?

Re:Can someone explain, bitte? (2, Interesting)

toetagger (642315) | more than 3 years ago | (#34193904)

This is nothing else than a security hole in a piece of software. It can be used to install and potentially execute malicious code on the computer. This could include the normal Zeus bot, or a key logger. In the case of a key logger, it could be possible to spy on the PIN associated with the ID. So if you can then also steal the ID card somehow, ... you can think of the rest.

Re:Can someone explain, bitte? (0)

Anonymous Coward | more than 3 years ago | (#34197822)

This vulnerability is being downplayed a lot, because it's not a direct attack on the new ID card (nPA, "Neuer PersonalAusweis") but "just" a way of manipulating files on the victim's computer, and the attack even depends on there being an opportunity to MITM attack that computer. No big deal, right?

Well, there's a little more to it: First, the software was supposed to have been "Common Criteria EAL4+" certified, yet it doesn't properly check the SSL certificate in the update process.

Secondly, there has been some contention regarding the security of the first batch of card readers for the nPA: The nPA uses near-field communication (a form of RFID) to communicate via a reader attached to the host PC. The security of the ID card hinges on a six-digit PIN with which the user gives permission to read certain information off the card. The exchange with, for example, the web shop is cryptographically secured, but what if malware can get the PIN? Then the malware can use the nPA to authorize arbitrary transactions as long as the nPA is in range of the reader.

The only readers which have been certified for use with the nPA so far are readers with neither display nor keypad. Millions of these "basic" readers have been bought with our taxes and will be distributed cheaply or for free in the coming months. The German Chaos Computer Club was quick to explain that the lack of a full terminal on the reader opens the door for malware on the PC to intercept the PIN and use it for transactions other than the user intended. The proponents of the nPA equally quickly responded that that isn't a problem, because the users are supposed to keep their systems secure (keep their anti-virus software up to date, etc.).

Well, now the software that these "no problem" guys distribute is itself an avenue of attack by which malware can get onto the computer of a victim. As a bonus it's selective: Only users who have an nPA and a reader (and are thus interesting targets for an attacker) also have this update vulnerability.

For completeness' sake, the attack vector: An attacker redirects the application's update check to a server under the attacker's control. He could do so by poisoning DNS, ARP spoofing on a LAN, WiFi tricks or any other way of becoming a man-in-the-middle. This first part is a prerequisite to the attack and could not have been prevented by the authors of the application. The problem is that the mitigation measures fail to protect the user: The application uses SSL to contact its update server. If this had been implemented correctly, that would have been the end of the story. Unfortunately the application only checks that the server's SSL certificate is valid, but not that it belongs to the update server. So the attacker can use any valid certificate from a trusted CA (you know, the simple certificates that you can get for free now). So the application will download the attacker's "update" in a ZIP file. The application doesn't blindly trust the contents of the ZIP file: It checks another signature on the contained MSI file. There is currently no known way around this check, but the application only checks the signature AFTER unpacking the ZIP, and it unpacks the ZIP with relative paths, so the attacker can place files anywhere the Ausweis-application can write, which is probably everywhere, since it's supposed to write to the application folder during the update procedure. "No problem, the users should use anti-virus software."

The new ID sounds good - really! (5, Interesting)

bradley13 (1118935) | more than 3 years ago | (#34193886)

First, to TFA: there is no problem with the ID itself, just with the security of the special PC software that can work with them. As most /.ers know, there is quite a hacker community in Germany, and these problems are really not too bad. In order to compromise the software you first have to do a DNS hack, then fake a certificate, then... In a nutshell, yes, there are problems, but they aren't too bad and will be relatively easy to fix.

The ID itself is really cool. Among other things, it supports secured anonymous transactions. How many governments are there that willingly support anonymity for their citizens?

Re:The new ID sounds good - really! (0)

Anonymous Coward | more than 3 years ago | (#34193910)

CIA runs anonymizing proxies?

Re:The new ID sounds good - really! (0)

Anonymous Coward | more than 3 years ago | (#34193922)

You don't need to fake a certificate, any valid certificate is accepted, because the software didn't check if the hostname of the certificate equals the requested hostname (which is the default implementation in Java).
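The two checks the longer comment above describes as missing (the certificate is never bound to the update host, and the ZIP is unpacked with relative paths before any signature is checked), plus the hostname point made here, as an added Python example that is not part of the thread or of the AusweisApp. It assumes certificates in the dict shape Python's ssl.getpeercert() returns and uses an HMAC as a stand-in for the MSI signature, both constructed for the example.

```python
"""Added example, not the AusweisApp's code: the two update-path checks the
comments above describe as missing, as a defender would write them. Constructed
assumptions (not from the article): certificates use the dict shape Python's
ssl.getpeercert() returns, and an HMAC over the archive bytes stands in for the
real MSI code signature, whose format the article does not give."""
import hashlib
import hmac
import io
import posixpath
import tempfile
import zipfile
from pathlib import Path

UPDATE_HOST = "download.ausweisapp.bund.de"  # update host named in the article

def cert_matches_host(cert: dict, expected_host: str) -> bool:
    """Chain validity is not enough: the leaf must be issued for the host we
    meant to contact. Without this check any CA-signed certificate passes."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # CN is only consulted when there is no SAN extension
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    host = expected_host.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name.startswith("*."):  # a wildcard covers exactly one label
            if host.partition(".")[2] == name[2:]:
                return True
        elif name == host:
            return True
    return False

def archive_signature_ok(archive: bytes, signature: bytes, key: bytes) -> bool:
    """Stand-in for the MSI signature check, run before the archive is opened."""
    expected = hmac.new(key, archive, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def unsafe_members(zf: zipfile.ZipFile) -> list[str]:
    """Member names that would land outside the destination directory."""
    bad = []
    for name in zf.namelist():
        norm = posixpath.normpath(name.replace("\\", "/"))
        if (norm.startswith("/") or norm == ".." or norm.startswith("../")
                or name[1:2] == ":"):  # absolute, traversal or drive-letter path
            bad.append(name)
    return bad

def apply_update(archive: bytes, signature: bytes, key: bytes, dest: Path):
    """Verify, then inspect names, and only then write anything to disk."""
    if not archive_signature_ok(archive, signature, key):
        raise ValueError("update signature invalid; nothing written")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        bad = unsafe_members(zf)
        if bad:
            raise ValueError(f"archive contains unsafe paths: {bad}")
        zf.extractall(dest)
        return zf.namelist()

def build_zip(entries: dict) -> bytes:
    """Constructed in-memory archive used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def run_demo() -> dict:
    """Run the checks on constructed updates; returns what each one decided."""
    key = b"constructed-signing-key"

    def sign(blob: bytes) -> bytes:
        return hmac.new(key, blob, hashlib.sha256).digest()

    good = build_zip({"AusweisApp/update.msi": b"constructed msi bytes"})
    escaping = build_zip({"../outside.txt": b"would land outside dest"})
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        results["good"] = apply_update(good, sign(good), key, dest)
        for label, blob, sig in (("unsigned", good, sign(b"tampered")),
                                 ("escaping", escaping, sign(escaping))):
            try:
                apply_update(blob, sig, key, dest)
                results[label] = "extracted"
            except ValueError:
                results[label] = "rejected"
        results["outside_written"] = (dest.parent / "outside.txt").exists()
    return results
```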

Re:The new ID sounds good - really! (3, Informative)

wvmarle (1070040) | more than 3 years ago | (#34194098)

Any valid SSL certificate will do; it's not checked. That's the main problem.

Re:The new ID sounds good - really! (1)

Zero__Kelvin (151819) | more than 3 years ago | (#34194926)

"As most /.ers know, there is quite a hacker community in Germany, and these problems are really not too bad. In order to compromise the software you first have to do a DNS hack, then fake a certificate, then... In a nutshell, yes, there are problems, but they aren't too bad and will be relatively easy to fix."

So you are saying there are lots of hackers in Germany, but there is little to worry about, since people who don't know how to hack won't be able to hack it, and only the large number of people who do know how to hack can easily hack it?

"Among other things, it supports secured anonymous transactions. How many governments are there that willingly support anonymity for their citizens?"

The last time I checked most governments still have a transaction system called cash.

Re:The new ID sounds good - really! (0)

Anonymous Coward | more than 3 years ago | (#34198192)

There are many "white hat" hackers in Germany. They only point out security issues, but they would never exploit them. We're safe, because evil hacking is verboten.

Re:The new ID sounds good - really! (1)

Zero__Kelvin (151819) | more than 3 years ago | (#34199240)

"There are many "white hat" hackers in Germany. They only point out security issues, but they would never exploit them. We're safe, because evil hacking is verboten."

Wow! It's a damn good thing Germany isn't connected to the Internet then!

Re:The new ID sounds good - really! (1)

wvmarle (1070040) | more than 3 years ago | (#34195764)

How can an ID card specifically facilitate anonymous transactions? Isn't that an exact contradiction?

Re:The new ID sounds good - really! (0)

Anonymous Coward | more than 3 years ago | (#34205204)

...secured anonymous transactions...

Why would one want to secure an anonymous transaction?

You don't know the best things about the ID, yet (4, Informative)

koinu (472851) | more than 3 years ago | (#34193932)

You have to know that our (German) current ID card is being photocopied for many kinds of quick transactions/deals. Someone can give you something without paying in advance and you give him a copy of your ID card, so he can find you, when you forgot to pay or give something back. You can optionally give the ID card directly as security.

Now... the new ID... it is explicitly forbidden to photocopy it and even leave it unattended somewhere.

Why? Because there are some critical numbers printed on the new German ID cards that no one should know. Isn't it great? Imagine that someone printed your social security number on your new "great and modern ID card"!

And here comes the first loophole: banks always have needed and still will need your ID card photocopied to open an account. Guess what happens? They will get a special permit to do this (it has already been decided to keep the current account registration system working).

Re:You don't know the best things about the ID, ye (1)

Kosi (589267) | more than 3 years ago | (#34194166)

I like this rule that forbids to give the card out of your hands. Hopefully it will put some common sense in some heads and I can stop shaking my head over all those idiots who willingly give their credit cards out of their hands and let people do stuff they can't see with it, but then wonder about their crazy bills.

And banks don't "need" an ID card or copies of an ID card to open an account. Any method which can prove that you are the guy who opened the account would do it.

Re:You don't know the best things about the ID, ye (1)

BadAnalogyGuy (945258) | more than 3 years ago | (#34194200)

Do you ever eat at nice restaurants?

Re:You don't know the best things about the ID, ye (1)

Kosi (589267) | more than 3 years ago | (#34194424)

Yes. But that doesn't mean that I'd ever let anyone except closest friends take my credit card out of my sight.

I'm from Germany, and the usage of credit cards is not so widespread here as in the USA. If it's not a business related dinner, or some kind of bigger event, most people here usually pay cash in restaurants. And as I know how much the CC companies charge those poor shop owners, I tend to use a credit card only when paying in cash or with the bank card (don't know if there's something similar in the US, you use it to draw money from ATMs or pay in shops, works all over Europe, often even in shops who wouldn't accept Amex or Visa) is not possible.

Re:You don't know the best things about the ID, ye (1)

lennier1 (264730) | more than 3 years ago | (#34195288)

True, credit cards aren't used that often outside online/mail-order transactions and what's referred to as "EC cards" is a different kind of animal ( http://en.wikipedia.org/wiki/Cheque_guarantee_card [wikipedia.org] ).

Re:You don't know the best things about the ID, ye (0)

Anonymous Coward | more than 3 years ago | (#34194620)

Nowadays, they bring the (wireless) card reader to your table.

Re:You don't know the best things about the ID, ye (2, Informative)

ArsenneLupin (766289) | more than 3 years ago | (#34195064)

Do you ever eat at nice restaurants?

That was ten years ago, when the waiter had to take your card backstage to get the imprint.

Nowadays, they do have those small portable readers which they bring right to your table. The card no longer leaves your sight...

...not that it would matter though, because there is no way to tell whether this is a legitimate reader or just some skimming device... especially since there are hundreds of different makes and looks of these readers.

Re:You don't know the best things about the ID, ye (1)

delinear (991444) | more than 3 years ago | (#34195136)

Most restaurants I've eaten in either bring a wireless card processing handset to your table, or they have a point that you can go to to make a payment, or both. Very few seem to want to take the card away from the table by default, now - probably because people are a lot more cautious about letting them do so.

Re:You don't know the best things about the ID, ye (1)

Peeteriz (821290) | more than 3 years ago | (#34195060)

Banks generally do need to go above and beyond 'have a photo ID' to protect your money - they store the copy of your official ID to compare against the ID you (or "you") show next time, and to compare signatures, and to have a photo of the bad guy and solid evidence that it wasn't you if a forgery was presented the first time.

If you don't do this, then some shmuck with a forged ID can do stuff in your name. Oh - and that's the choice that most USA banks have made, so you suffer from identity theft much more than other nations do, as elsewhere just knowing your data is not that harmful to you.

Re:You don't know the best things about the ID, ye (1)

maxume (22995) | more than 3 years ago | (#34195188)

If the banks were suffering from their lax fraud controls, they would probably do something about it.

As it stands, the bank (the victim of the fraud that the bank failed to prevent) just pushes the problem off on some individual. So the laws are terrible there (it should be straightforward for someone to repudiate an account and hear nothing more from the institution that mistakenly opened said account).

Re:You don't know the best things about the ID, ye (1)

lennier1 (264730) | more than 3 years ago | (#34195330)

The scan of your ID card also serves a second purpose. In case your wallet is stolen you simply provide your name, address and date of birth, and together with a visual confirmation they'll let you withdraw money at the counter until your replacement bank card is mailed to you.

passport (1)

batistuta (1794636) | more than 3 years ago | (#34194286)

Just give them your passport. They will happily accept it. That's what I and most foreigners living in Germany use to authenticate, because we don't have an ID card.

Re:passport (1)

Arimus (198136) | more than 3 years ago | (#34194570)

Suspect they will still require an ID card if you happen to be German citizen... the passport bypass will work fine for non-nationals...

Re:You don't know the best things about the ID, ye (0)

Anonymous Coward | more than 3 years ago | (#34195278)

There is another little problem, namely that in many countries outside Germany, hotels, conference organizers and who else knows will absolutely require you to make a copy of your ID card, and sometimes this even seems to be required by law (e.g. hotels in France and Spain really insist on that). Also, take for example Portugal, where I'm living right now. If somebody comes for a conference to our place and wants to get refunded for travel expenses, accommodation, or anything like that, we need to get a copy of his passport or ID card; otherwise we simply cannot refund the speaker, no matter how famous he or she might be. You can, of course, complain about these kinds of practices but that will not help you get your money. The bottom line is that if you're traveling a lot to conferences like I do, there will be dozens to hundreds of copies of your German ID card lying around at all kinds of obscure places and open to abuse. (Unless you use your passport, which is obviously recommended.)

Re:You don't know the best things about the ID, ye (1)

Fnord666 (889225) | more than 3 years ago | (#34196422)

Imagine that someone printed your social security number on your new "great and modern ID card"!

You mean like on my driver's license here in the US up until a few years ago? That's why my new driver's licenses always had an unfortunate encounter with a belt sander soon after issue.

Sweden has chips on the national id cards... (1)

Securityemo (1407943) | more than 3 years ago | (#34194136)

...But they aren't functional yet. I think it's mostly intended for e-gov, though.

Quick Summary (0, Redundant)

timbo234 (833667) | more than 3 years ago | (#34194252)

For those who can't read German here's a basic summary of the article:

There is a vulnerability not in the ID cards but in the desktop software that makes use of them for authentication on the Net. This software's update mechanism is apparently vulnerable to a DNS spoofing attack that would allow a skilled attacker to download and unpack a ZIP file on the user's machine (but not directly execute any code). The article was updated to say that the government agency responsible for this software has stopped downloads of it as of yesterday, and there's now a press release on that agency's website saying they're working on a fix:
https://www.bsi.bund.de/sid_9CC745E82FC9ED59215EB75FB9479819/ContentBSI/Presse/Pressemitteilungen/AusweisApp_101110.html [bsi.bund.de] (Also in German)

Re:Quick Summary (1)

MichaelSmith (789609) | more than 3 years ago | (#34194260)

And since the ID card and desktop software know nothing about the operating system they run on there is no way to be sure they will behave as expected.

Re:Quick Summary (1)

maxwell demon (590494) | more than 3 years ago | (#34194494)

The really safe solution would have been to have a reader with PIN entry required, and have that reader directly communicate with the server (using a secure, encrypted protocol, of course), so for identification purposes, the computer acts only as a router for the secure communication. Of course that still doesn't protect against compromised readers, but I guess those are much more easy to protect than computers (after all, they are single-purpose appliances).

Re:Quick Summary (1)

timbo234 (833667) | more than 3 years ago | (#34194582)

Yeah I think this point was brought up in the dw-world article (in English) linked to this story. It's like Internet Banking, if you use it from a computer which isn't secure or which you can't reasonably trust (eg. a computer in an internet cafe) you can't expect your session to be secure. Same with this system.

I think the idea is to create a system where verified emails and documents can be securely sent, eg. if I want to cancel the contract with my phone company I use my ID+PIN reader gadget to send them a verified email or document. Instead of the current way of sending a paper letter with my signature on it (which sure as hell is not a secure system). http://de.wikipedia.org/wiki/De-Mail [wikipedia.org] (the en wikipedia article is just a stub)

You wouldn't expect people to use such a system from cracked or internet cafe computers any more than they would use such computers for their internet banking.

Re:Quick Summary (1)

MichaelSmith (789609) | more than 3 years ago | (#34194612)

I think the attacker is a different person here. If you want your data to be secure you will use a secure system. If you want to defraud the Government then you may create a deliberately insecure system.

another potential hole (1)

batistuta (1794636) | more than 3 years ago | (#34194312)

Another potential hole here is the social aspect of the deployment: it is only for Germans. And you have a large percentage of foreigners living there, who use the same services as Germans. And I don't mean people from far away countries. I mean even other Europeans who happen to live in Germany in accordance with all European rules.

These people use credit cards, do bank transactions, on-line shopping, etc. For these people, to which I belong, our only means of authenticating is the passport. So in the end every single procedure that does not wish to lock out non-Germans must have a way to not use this ID.

So yes, this new Id might protect some Germans, but if there is a workaround, loop-holes will always be there.

Bundestrojaner (1)

gmthor (1150907) | more than 3 years ago | (#34194322)

This is not a bug, it's a feature.
Now they can upload their spying tool to everybody without a warrant. All they need to do is accidentally mix up the new release of the passport app with the trojan.

Re:Bundestrojaner (2, Insightful)

maxwell demon (590494) | more than 3 years ago | (#34194434)

But for that, they would not need to add that security hole. They could just install it from the regular update server of the app. Or redirect DNS, but use the original certificate.

Re:Bundestrojaner (1)

ArsenneLupin (766289) | more than 3 years ago | (#34195072)

But for that, they would not need to add that security hole. They could just install it from the regular update server of the app.

Plausible deniability!

Why this tool is crap anyway (1)

gmthor (1150907) | more than 3 years ago | (#34194378)

The current terms of service (which you accept when you get this thing) are that the program is safe by definition. The user has to keep the PC free of viruses. Zero-days are the user's fault as well, whatsoever.
Which basically means, whenever somebody does something bad with your ID, the damage is yours.
They even read, that you should only keep it on the card reader for the few seconds of usage.
As if those few seconds are not enough for an attack. One thing that already works easily with an exploited PC is remotely changing the user's PIN, without him knowing. Well.... this already is a damage for the user of a couple of euros + time loss, because you have to go to the local citizen center. (Can anybody think of a nice DOS attack on the city centers?)

Re:Why this tool is crap anyway (1)

ArsenneLupin (766289) | more than 3 years ago | (#34195084)

The current terms of service (which you accept when you get this thing) are that the program is safe by definition. The user has to keep the PC free of viruses. Zero-days are the user's fault as well, whatsoever.

Lemme guess... and the app is only available for windows.

So basically they tell you "you have to expose your computer to attacks, but you (not we) are responsible when it does get attacked and your id stolen".

Re:Why this tool is crap anyway (1)

gmthor (1150907) | more than 3 years ago | (#34195108)

exactly

Very bad PR, but nothing extraordinary (2, Interesting)

joh (27088) | more than 3 years ago | (#34194388)

This is very bad PR for the new ID, but neither the ID card nor the software has been hacked yet. This is just another way to install some malware on a computer.

I have no doubt though that worse things will happen. The mistakes made here are so glaringly obvious that it's hard to believe that there aren't other holes to be found.

Another nice thing I just found (-1, Troll)

maxwell demon (590494) | more than 3 years ago | (#34194562)

From here: [ausweisapp.bund.de]

Der Windows7-eigene Screenreader fängt beim Vorlesen die Eingaben über die Tastatur direkt ab. Dadurch wird auch die eingegebene PIN im Klartext vorgelesen.

Translation: The Windows 7 built-in screen reader captures entries directly from the keyboard when reading aloud. Therefore the entered PIN is also read aloud in cleartext.

Which shows two things:
(i) There should be a separate keypad on the card reader. You simply cannot trust the computer.
(ii) Using Windows 7 can lead to unexpected security holes even on non-compromised computers (after all, this should apply to anything expecting passwords). But then, it's from Microsoft, so that's somewhat expected :-)
