With the ID Wallet program, citizens should be able to digitally identify themselves to third parties – for example as a replacement for a physical driver’s license. However, there was no protection against access to personal data by an attacker. This emerges from a blog entry by security researcher Lilith Wittmann.
Wittmann writes that there was no verification of the legitimation of a requested position – man-in-the-middle or rather machine-in-the-middle attacks are apparently not prevented. In practice it looks like this: Person A wants to determine the identity of Person B. For this purpose, a trustworthy body C is optionally requested via the Internet. This C asks B whether the request is justified. B agrees, C gives A the OK.
This assumes that A and B know each other and are in contact. In the previous implementation, however, C can be any web server – and that is the problem. In the case of the digital driver’s license, this should be used, for example, in a car rental company: the customer stands at the rental company and he asks whether the driver’s license is valid. This would also be possible with online rentals without checking the physical driver’s license beforehand.
In the specific implementation of the ID wallet, this request to position C was not protected. Since the data should be exchanged via QR codes, it would be laut dem Blog from Wittmann to create a light, falsified QR code, which then refer to the server of an attacker, for example, not to the authority issuing the driver’s license such as the Federal Motor Transport Authority (KBA).
Ideal for criminals
In addition, in the example of on-site rental of a car, the digital identities could also be stored locally, if C is not a trustworthy body, but a man-in-the-middle (MitmM). This is an ideal case for criminals because the data obtained in this way is real – and can be checked at any time by the KBA. A lively trade is carried out with such identities in the Darknet, among other things, the victims often find out too late that online purchases in their name or dubious contracts are signed.
The ID Wallet app and the infrastructure behind it were taken offline again shortly after it was launched on September 23. Previously there was criticism from the German security scene because of other problems and server overloads. In an interview with heise online, Lilith Wittmann does not see a connection with her discoveries and the shutdown of the project, rather she attributes the decision of the authorities to difficulties with the infrastructure.
The discoverers also have a proof of concept for the problems with MitM attacks listed published on Github. It was created in collaboration with a person who describes himself as a hacker who is online under the pseudonym Flüpke appears. Flüpke confirmed the cooperation with heise online.
Disclaimer: This article is generated from the feed and not edited by our team.
Source: on 2021-09-29 13:48:45
Read More At Source Site